HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.712 (B) (Emsisoft), Gen:Variant.Barys.712 (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0de3af072033d2a8b0159d9be8b087a8
SHA1: 3fce5ec8ebc79cb4ec1c446d1a57075aea161aeb
SHA256: 3d73805c6bfe4c90fccb764d0c33548cb3460e156f094457456c018d13b7d354
SSDeep: 12288:e 1mdD0z8j1Pk20Mt2LW xV33hX Rkq5gh1iWJS/GPuIQkD1LrnxX3SMgAKeyWKy:e2IafzRI4JT39fZx1rR6W7POdkSqSVx
Size: 1452544 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Windows
Created at: 2014-05-07 19:50:55
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
%original file name%.exe:668
k400.exe:1932
The Virus injects its code into the following process(es):
Hs.exe:3544
user32.exe:2116
Explorer.EXE:1948
File activity
The process %original file name%.exe:668 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\k400.exe (1780 bytes)
%Documents and Settings%\%current user%\Application Data\Hs.exe (42 bytes)
The process user32.exe:2116 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\b_8d5afc09[1].png (3924 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\F7E34C2974A5D01D347705C76E2FF5D7 (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\nav_logo80[1].png (16371 bytes)
C:\msxpsdrv.inf (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\sem_96e64197394b4841f958af5c62b4f5cc[1].js (28041 bytes)
%Documents and Settings%\%current user%\Cookies\BR3B0SP0.txt (542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\mgyhp_sm[1].png (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\logo9w[1].png (3526 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\www.google[1].xml (496 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ap1bgyhp_smbiokl8ai2XcO-7k1sizdmcYi3z2k[1].png (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\nav_logo176[1].png (5921 bytes)
%Documents and Settings%\%current user%\Cookies\CY32C8S7.txt (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\chrome-48[1].png (56 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0270780F846F08BEFE0DD8112D932FEF (543 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D4F348B882DF3F205ECCB6243795CB3A (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\google_ca[1].txt (14331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (200 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\F7E34C2974A5D01D347705C76E2FF5D7 (29 bytes)
%Documents and Settings%\%current user%\Cookies\TLQGHX20.txt (135 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D4F348B882DF3F205ECCB6243795CB3A (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\rs=AItRSTPqPxPQq9apHYeYn61I89z9NOuesQ[1] (77397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0270780F846F08BEFE0DD8112D932FEF (268 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014051320140514\index.dat (16 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415 (0 bytes)
C:\msxpsdrv.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416 (0 bytes)
%Documents and Settings%\%current user%\Cookies\TLQGHX20.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\3QE1QHRN.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\CY32C8S7.txt (0 bytes)
%System%\drivers\migx25a.obe (0 bytes)
The process k400.exe:1932 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000D04B3_Rar\k400.exe (3073 bytes)
%System%\drivers\migx25a.$$A (4956 bytes)
%System%\user32.$$A (6356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000D064A_Rar\k400.exe (3073 bytes)
%System%\mui\0414\media.$$A (5991 bytes)
Registry activity
The process Hs.exe:3544 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF D8 86 88 4E CD E9 DB 58 D5 D3 09 B7 68 21 C0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\Hs.exe"
The process %original file name%.exe:668 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 11 82 3E B1 DC D1 8C E6 DE 1D 8E 3C 65 EB E3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"hs.exe" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"k400.exe" = "k400"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Virus modifies IE security zone settings to map all local web nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Virus modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process user32.exe:2116 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\google.ca]
"(Default)" = "52"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"DSGuid" = "{00000000-0000-0000-0000-000000000000}"
[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"FriendlyName" = "Default DirectSound Device"
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "52"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CacheLimit" = "8192"
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014051320140514"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"CLSID" = "{07B65360-C445-11CE-AFDE-00AA006C14F4}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"MidiOutId" = "4294967295"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "user32.exe"
[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"
"fdwSupport" = "1"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"FilterData" = "02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1378682664"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 AB 78 81 28 F8 8C 73 9A D2 4C 2E 17 AC 72 07"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CachePrefix" = ":2014051320140514:"
[HKCU\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]
"0" = "E0 5A 00 00 65 68 63 66 00 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"FilterData" = "02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"FriendlyName" = "Default MidiOut Device"
[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"CLSID" = "{79376820-07D0-11CF-A24D-0020AFD79767}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
The Virus modifies IE security zone settings to map all local web nodes with no dots that do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041520130416]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040820130415]
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]
"1"
The process k400.exe:1932 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKCU\Software\Aas]
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"a3_394" = "2841581411"
"a3_395" = "2848623490"
"a3_396" = "2821991461"
"a3_397" = "2829566020"
"a3_398" = "2870043879"
"a3_399" = "2877036806"
[HKCU\Software\Aas\695404737]
"7169121" = "212"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 C1 2B 73 13 F2 D8 75 E2 40 FC 87 5F 7B 09 0C"
[HKCU\Software\Aas\695404737]
"21507363" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"user32.exe" = "by E991"
[HKCU\Software\Aas\695404737]
"50183847" = "6F824610A9083D6F0ADB1E2149E6A85A51989AEB08D4396991A030ABB77D7EA7572827D6F62FE2831B17FBEB4E4479FDD28F810C2BFB5EF6D4DD73DF43823EE2023F9B5B46794E1091A709E17273269397788058C7533F3B7BA9B9F595FF23B635BB3799BEF54223435681A97CBB6316E760BCA3A66C72123847802C25623B2E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKCU\Software\Aas\695404737]
"35845605" = "425"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
The Virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
Adds a rule to the Windows firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"k400.exe" = "%Documents and Settings%\%current user%\Application Data\k400.exe:*:Enabled:ipsec"
The Virus modifies IE settings for security zones to map all local web-nodes with no dots, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
The Virus modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
Dropped PE files
MD5 | File path |
---|---|
2c4f3c51f50708de528b3f8b83875d5d | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Hs.exe |
b4573e6d4a2b593c8dd93f88abb3e0ef | c:\Documents and Settings\"%CurrentUserName%"\Application Data\k400.exe |
59d549bdf73c64ad8b682437cab60250 | c:\WINDOWS\system32\drivers\migx25a.obe |
e39cb9b56d27b01d63ffe83002407e37 | c:\WINDOWS\system32\user32.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:668
k400.exe:1932
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Application Data\k400.exe (1780 bytes)
%Documents and Settings%\%current user%\Application Data\Hs.exe (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\b_8d5afc09[1].png (3924 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\F7E34C2974A5D01D347705C76E2FF5D7 (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\nav_logo80[1].png (16371 bytes)
C:\msxpsdrv.inf (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\sem_96e64197394b4841f958af5c62b4f5cc[1].js (28041 bytes)
%Documents and Settings%\%current user%\Cookies\BR3B0SP0.txt (542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\mgyhp_sm[1].png (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\logo9w[1].png (3526 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\www.google[1].xml (496 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ap1bgyhp_smbiokl8ai2XcO-7k1sizdmcYi3z2k[1].png (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\nav_logo176[1].png (5921 bytes)
%Documents and Settings%\%current user%\Cookies\CY32C8S7.txt (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\chrome-48[1].png (56 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0270780F846F08BEFE0DD8112D932FEF (543 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D4F348B882DF3F205ECCB6243795CB3A (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\google_ca[1].txt (14331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (200 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\F7E34C2974A5D01D347705C76E2FF5D7 (29 bytes)
%Documents and Settings%\%current user%\Cookies\TLQGHX20.txt (135 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D4F348B882DF3F205ECCB6243795CB3A (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\rs=AItRSTPqPxPQq9apHYeYn61I89z9NOuesQ[1] (77397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0270780F846F08BEFE0DD8112D932FEF (268 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014051320140514\index.dat (16 bytes)
%WinDir%\system.ini (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000D04B3_Rar\k400.exe (3073 bytes)
%System%\drivers\migx25a.$$A (4956 bytes)
%System%\user32.$$A (6356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000D064A_Rar\k400.exe (3073 bytes)
%System%\mui\0414\media.$$A (5991 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\Hs.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: FullHack 1HIT.exe
Internal Name: FullHack 1HIT.exe
File Version: 1.0.0.0
File Description:
Comments:
Language: Hebrew (Israel)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 1450276 | 1450496 | 2.77752 | 2b624c607b35a5257d607a9d3e8c3e47 |
.rsrc | 1466368 | 696 | 1024 | 1.5793 | 941d30c2a4c90c8375b273b6fcc4d865 |
.reloc | 1474560 | 12 | 512 | 0.070639 | acac4e5aa35667396cfc965da68f560b |
Network Activity
URLs
URL | IP |
---|---|
hxxp://digicert.cachefly.net/DigiCertHighAssuranceEVRootCA.crl | |
hxxp://cs9.wac.edgecastcdn.net/sha2-ha-server-g1.crl | |
hxxp://www.google.com/ | |
hxxp://www.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw | |
hxxp://e6845.ce.akamaiedge.net/crls/secureca.crl | |
hxxp://e6845.ce.akamaiedge.net/crls/gtglobal.crl | |
hxxp://www3.l.google.com/GIAG2.crl | |
hxxp://crl.geotrust.com/crls/gtglobal.crl | |
hxxp://crl3.digicert.com/sha2-ha-server-g1.crl | |
hxxp://pki.google.com/GIAG2.crl | |
hxxp://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | |
hxxp://crl.geotrust.com/crls/secureca.crl | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /sha2-ha-server-g1.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl3.digicert.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: application/x-pkcs7-crl
Date: Tue, 13 May 2014 13:33:36 GMT
Etag: "3776703994"
Expires: Tue, 20 May 2014 13:33:36 GMT
Last-Modified: Mon, 12 May 2014 17:15:04 GMT
Server: ECS (lga/13B7)
X-Cache: HIT
Content-Length: 29270
GET /DigiCertHighAssuranceEVRootCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl4.digicert.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Tue, 13 May 2014 13:33:35 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 543
Connection: keep-alive
X-CFHash: "ae5a06b6ed41454d1c542006b73aa43f"
Last-Modified: Sun, 11 May 2014 18:15:03 GMT
X-CF3: H
X-CF2: H
Accept-Ranges: bytes
Server: CFS 0316
X-CF1: 13483:dA.yul1:cf:cacheA.yul1-01:D
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: PREF=ID=28da643bc1e67c45:U=f32dce0544f98e52:FF=0:TM=1365778725:LM=1365778725:S=KlaSoYpEhHSBxg_x
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw
Content-Length: 258
Date: Tue, 13 May 2014 13:33:59 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw">here</A>...</BODY></HTML>....
GET /GIAG2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: pki.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 13 May 2014 02:22:15 GMT
Date: Tue, 13 May 2014 12:35:01 GMT
Expires: Tue, 13 May 2014 13:35:01 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 830
X-XSS-Protection: 1; mode=block
Age: 3539
Cache-Control: public, max-age=3600
Alternate-Protocol: 80:quic
GET /crls/secureca.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.geotrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "c8028f657e0f78058a0173d373cfe25f:1399985410"
Last-Modified: Tue, 13 May 2014 12:50:10 GMT
Accept-Ranges: bytes
Content-Length: 1604
Date: Tue, 13 May 2014 13:34:00 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
GET /crls/gtglobal.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.geotrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "f69a5fb20b98961b1ae6bc12b19ab527:1399985410"
Last-Modified: Tue, 13 May 2014 12:50:10 GMT
Accept-Ranges: bytes
Content-Length: 554
Date: Tue, 13 May 2014 13:34:00 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
GET /?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Cookie: PREF=ID=d1b71ce95180a40b:U=e74275611c737632:FF=0:TM=1365778725:LM=1365778743:S=Y22Iy1cY98t4Pj6o
Connection: Keep-Alive
Host: VVV.google.ca
HTTP/1.1 302 Found
Location: hXXps://VVV.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=d1b71ce95180a40b:FF=0:TM=1365778725:LM=1399988039:S=iXnqHD1IYZqiDrX9; expires=Thu, 12-May-2016 13:33:59 GMT; path=/; domain=.google.ca
Set-Cookie: NID=67=LuOskETTzlG5YqnvORnM-i9OM7MdZyG9RKZSUTpIoVob1on7fpkxMlGavyRVXMNOf7_xYc-tMD_OFZQjHAuGKNWbh1s79a0ulHmaw6lp3KhyofCzpfVkXv9NbwBVGn65; expires=Wed, 12-Nov-2014 13:33:59 GMT; path=/; domain=.google.ca; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Tue, 13 May 2014 13:33:59 GMT
Server: gws
Content-Length: 259
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXps://VVV.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw">here</A>...</BODY></HTML>....
Strings from Dumps