Trojan.Win32.FlyStudio_9fc7b567de

by malwarelabrobot on August 10th, 2014 in Malware Descriptions.

Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 9fc7b567decbaaff495bb599f632ed18
SHA1: 03f1ac36d9e2122691b82e58f361646fa43d7fc1
SHA256: 82012bfed67615c03d9dc3819dac3a7b17029185d3c4bc5149a5c73bd26396ee
SSDeep: 196608:Lf3md63XzUdQooqjp4MDhP5vOaLE7a sDoq7w5OTS3yq4ayxFz9QM/CX kYNbxa/:j2d6Hwvp4yhxvOaLr sDb7ZT34yxFz9e
Size: 12196864 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: Popeler.-.Installer
Created at: 2014-06-21 19:48:01
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

regsvr32.exe:1024
regsvr32.exe:840
regsvr32.exe:208
regsvr32.exe:616
regsvr32.exe:644
regsvr32.exe:1404
kuwo_jm306.exe:1132
%original file name%.exe:1720
Netsh.exe:392
Netsh.exe:540

The Trojan injects its code into the following process(es):

kuwo.exe:1344

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:208 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\WMSysPr9.prx (316 bytes)

The process kuwo_jm306.exe:1132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl7E.tmp (732625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad02.jpg (784 bytes)
%WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (40 bytes)
C:\ (4 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\lyricshow\LyricTheme.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\KillProcDLL.dll (10 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\vipMbox_new.zip (15168 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\songcomment.zip (784 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModMusicTool\conf.txt (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\instAD.dat (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWMUSIC\DownloadUpdate.exe (6360 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad04.jpg (784 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_4a.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_PIC_highlight.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\sharesong.zip (5 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\KwMusicNsis.dll (13584 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_2b.png (1 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\KuWoNsis_new.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\w7tbp.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad01.jpg (784 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%WinDir% (768 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_2a.png (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_COLOR_highlight.jpg (1 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%System%\drivers (480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\inetc.dll (784 bytes)
%System% (1456 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_COLOR_nomal.jpg (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_1a.png (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWMUSIC\BindConfig.ini (213 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\userinfo2012.zip (3312 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_3b.png (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_4b.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\Base64.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad03.jpg (784 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_5b.png (1 bytes)
C:\PROGRAM FILES (4 bytes)
C:\$Directory (212 bytes)
%System%\config (100 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData (4 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\cache\KW_SEARCH_SONG\jay.dat (784 bytes)
%System%\wbem (480 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\cache\DOWNLOAD_ARTISTPIC\49FF334D.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\netsong.zip (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWMUSIC\DownloadUpdate.ini (120 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Application Data (4 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_3a.png (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_1b.png (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\nsisSlideshowx.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Conf\p2pconf\setup.xml (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_5a.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWMUSIC\mylk.dat (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModResource\NetSong-artists.pl (9608 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_PIC_nomal.jpg (871 bytes)
%WinDir%\KwYlx.dat (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp (4 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Conf\user\config.ini (10466 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\w7tbp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad02.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\KwMusicNsis.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\Base64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\KuWoNsis_new.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\nsisSlideshowx.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad03.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\instAD.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad01.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad04.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp (0 bytes)

The process kuwo.exe:1344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\cityjson[1] (76 bytes)

The process %original file name%.exe:1720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8PUZSXEZ\cityjson[1] (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\58611\kuwo.exe (1849 bytes)
%Program Files%\58611\kuwo_jm306.exe (84227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8PUZSXEZ\desktop.ini (67 bytes)
%WinDir%\pc58611.dll (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O96R4D23\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SP2BK9QF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDAJ8DEZ\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Program Files%\58611\kuwo_jm306.exe (0 bytes)

Registry activity

The process regsvr32.exe:1024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 1F 2D 08 C1 55 95 06 D3 B8 A1 44 39 9B CC DF"

The process regsvr32.exe:840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED AE F0 7D 72 8D 5E 0D 55 2B 36 A8 94 D0 08 45"

The process regsvr32.exe:208 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F CD AD 34 08 F1 70 90 87 90 0B 98 AE 8C 0A 08"

The process regsvr32.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC ED DB DF ED D6 D5 D5 4A 90 A2 37 41 4B CA 42"

The process regsvr32.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 67 EC 29 5B A8 FF D1 E2 2E F4 49 9A AF C7 9F"

The process regsvr32.exe:1404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 0F 87 CF 43 39 23 5D 77 27 98 35 4A B8 40 6E"

[HKCR\DirectShow\MediaObjects\2eeb4adf-4578-4d10-bca7-bb955f56320a]
"(Default)" = "WMAudio Decoder DMO"

[HKCR\CLSID\{2eeb4adf-4578-4d10-bca7-bb955f56320a}\InprocServer32]
"ThreadingModel" = "Both"

[HKCR\DirectShow\MediaObjects\2eeb4adf-4578-4d10-bca7-bb955f56320a]
"InputTypes" = "61 75 64 73 00 00 10 00 80 00 00 AA 00 38 9B 71"
"OutputTypes" = "61 75 64 73 00 00 10 00 80 00 00 AA 00 38 9B 71"

[HKCR\CLSID\{2eeb4adf-4578-4d10-bca7-bb955f56320a}\InprocServer32]
"(Default)" = "%System%\wmadmod.dll"

[HKCR\CLSID\{2eeb4adf-4578-4d10-bca7-bb955f56320a}]
"(Default)" = "WMAudio Decoder DMO"
"MERIT" = "8390656"

The Trojan deletes the following registry key(s):

[HKCR\DirectShow\MediaObjects\2eeb4adf-4578-4d10-bca7-bb955f56320a]

The process kuwo_jm306.exe:1132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA]
"Progid" = "kwfile_CDA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP1\UserChoice]
"Progid" = "kwfile_MP1"

[HKCR\.ogg]
"(Default)" = "kwfile_OGG"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC]
"kwbak" = ""

[HKCU\Software\Classes\kwfile_MP1\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
"kwbak" = ""

[HKCU\Software\Classes\kwfile_TTA\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lrcx\UserChoice]
"kwbak" = ""

[HKCR\kwfile_ape\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\ape.ico"

[HKCR\kwfile_AAC\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTA\UserChoice]
"Progid" = "kwfile_TTA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP1\UserChoice]
"kwbak" = ""

[HKCR\kuwo\Shell\open]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\kwfile_WAV\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_FLAC\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\FLAC.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"HelpLink" = "http://www.kuwo.cn"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP2\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCR\kwfile_AC3\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
"Progid" = "kwfile_MP3"

[HKCR\PROTOCOLS\Handler\kuwo]
"CLSID" = "{3050f3DA-98B5-11CF-BB82-00AA00BDCE0C}"

[HKCR\.wma]
"kwbak" = "WMAFile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKCU\Software\Classes\.MP3]
"(Default)" = "kwfile_MP3"

[HKCU\Software\Classes\.CDA]
"(Default)" = "kwfile_CDA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"DisplayIcon" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ape\UserChoice]
"Progid" = "kwfile_ape"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_WAV\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_M4A\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP3\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_M4A\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\M4A.ico"

[HKCR\.mp2]
"kwbak" = "mpegfile"

[HKCR\.flac]
"(Default)" = "kwfile_FLAC"

[HKCR\kuwo\Shell]
"(Default)" = ""

[HKCR\kwfile_AAC\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\.dks]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AC3\UserChoice]
"Progid" = "kwfile_AC3"

[HKCU\Software\Classes\kwfile_ape\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\kwfile_ape\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_CDA\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ape\UserChoice]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP1\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Classes\kwfile_wma\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_AC3\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"Publisher" = "Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ã‚Â¿Ãƒâ€ Ã‚Â¼Ã‚Â¼"

[HKCU\Software\Classes\.MP2]
"(Default)" = "kwfile_MP2"

[HKCR\kwfile_ape\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_CDA\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-12589" = "Files Currently on the CD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"NoModify" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_M4A\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_CDA\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_AAC\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCR\kuwo]
"URL Protocol" = ""

[HKCR\kwfile_AC3\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\.AC3]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTA\UserChoice]
"kwbak" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Classes\.M4A]
"(Default)" = "kwfile_M4A"

[HKCU\Software\Classes\.MP3]
"kwbak" = ""

[HKCR\kwfile_OGG\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCR\kwfile_TTA\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"Contact" = "Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ã‚Â¿Ãƒâ€ Ã‚Â¼Ã‚Â¼Ã‚Â£Ã‚Â¨Ã‚Â±Ã‚Â±Ã‚Â¾Ã‚Â©Ã‚Â£Ã‚Â©ÃƒÂÃƒÂ¸Ãƒâ€šÃƒÂ§Ã‚Â¼Ã‚Â¼ÃƒÅ ÃƒÂµÃƒâ€œÃƒÂÃƒÂÃƒÅ¾Ã‚Â¹Ã‚Â«Ãƒâ€¹Ã‚Â¾"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\.mp1]
"(Default)" = "kwfile_MP1"

[HKCU\Software\Classes\kwfile_MP2\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_ape\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_ape\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\Directory\shell\kwopen]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_TTA\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCR\.ape]
"(Default)" = "kwfile_ape"

[HKCR\kwfile_WAV\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_wma\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_M4A\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\kwfile_FLAC\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\kwfile_MP3\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_FLAC\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCR\kwfile_lrcx\shell\open\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dks]
"Progid" = "kwfile_dks"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.OGG\UserChoice]
"kwbak" = ""

[HKCR\kwfile_MP3\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_TTA\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_AAC\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\.OGG]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_OGG\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_MP1\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_FLAC\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\kwfile_MP3\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_AC3\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_AAC\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav]
"kwbak" = ""

[HKCR\.mp3\OpenWithList\KwMusic.exe]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCR\kuwo\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
"kwbak" = ""

[HKCU\Software\Classes\kwfile_MP1\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\.wma]
"(Default)" = "kwfile_wma"

[HKCU\Software\Classes\.AAC]
"(Default)" = "kwfile_AAC"

[HKCU\Software\Classes\kwfile_MP3\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\kwfile_MP2\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\.TTA]
"kwbak" = ""

[HKCU\Software\Classes\kwfile_MP2\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCR\kwfile_M4A\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_MP1\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_WAV\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"UninstallString" = "F:\Program Files\kuwo\kuwomusic\uninstall.exe"

[HKCU\Software\Classes\kwfile_M4A\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_FLAC\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.APE]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M4A]
"Progid" = "kwfile_M4A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP2\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Classes\kwfile_FLAC\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_WAV\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCR\.mp3]
"(Default)" = "kwfile_MP3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3]
"Progid" = "kwfile_MP3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lrcx]
"kwbak" = ""

[HKCR\.ogg]
"kwbak" = ""

[HKCU\Software\Classes\.WMA]
"(Default)" = "kwfile_wma"

[HKCR\kwfile_wma\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP1]
"Progid" = "kwfile_MP1"

[HKCR\kwfile_MP2\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AC3\UserChoice]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dks]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC\UserChoice]
"Progid" = "kwfile_AAC"

[HKCR\.wav]
"kwbak" = "soundrec"

[HKCR\kwfile_dks\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\dks.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.OGG\UserChoice]
"Progid" = "kwfile_OGG"

[HKCU\Software\Microsoft\Internet Explorer\Styles]
"MaxScriptStatements" = "4294967295"

[HKCR\kwfile_TTA\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\.WAV]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.FLAC]
"Progid" = "kwfile_FLAC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M4A]
"kwbak" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"URLInfoAbout" = "http://www.kuwo.cn"

[HKCR\kwfile_TTA\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\kwfile_CDA\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_CDA\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCR\kwfile_OGG\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCR\kwfile_OGG\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\OGG.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP1\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\kwfile_OGG\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCR\kwfile_CDA\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\.mp3]
"kwbak" = "mp3file"

[HKCU\Software\Classes\.MP1]
"(Default)" = "kwfile_MP1"

[HKCR\kwfile_wma\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\wma.ico"

[HKCR\kwfile_MP3\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"DisplayName" = "Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ 2014"

[HKCU\Software\Classes\kwfile_M4A\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\kwfile_AC3\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
"Progid" = "kwfile_wma"

[HKCU\Software\Classes\.MP2]
"kwbak" = ""

[HKCR\kwfile_AAC\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\AAC.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_AAC\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_MP3\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav]
"Progid" = "kwfile_WAV"

[HKCR\kwfile_MP2\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_WAV\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\Directory\shell\kwopen\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \dir %1"

[HKCU\Software\Classes\kwfile_wma\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\kwfile_AC3\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Classes\kwfile_wma\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.FLAC]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-12590" = "Files Ready to Be Written to the CD"

[HKCR\.cda]
"(Default)" = "kwfile_CDA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_wma\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCR\Directory\shell\kwplaylist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_ape\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dks\UserChoice]
"Progid" = "kwfile_dks"

[HKCR\kwfile_WAV\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\WAV.ico"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"Copyright" = "Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ã‚Â¹Ã‚Â«Ãƒâ€¹Ã‚Â¾Ã‚Â±Ã‚Â£ÃƒÂÃƒÂ´Ãƒâ€¹ÃƒÂ¹Ãƒâ€œÃƒÂÃƒË†Ã‚Â¨Ãƒâ‚¬ÃƒÂ»Ã‚Â¡Ã‚Â£"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP1\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Classes\kwfile_wma\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_CDA\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\kwfile_OGG\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.OGG]
"kwbak" = ""

[HKCR\kwfile_wma\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTA]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_CDA\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_WAV\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"DisplayVersion" = "7.5.0.6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_AC3\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_CDA\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Classes\kwfile_OGG\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\.dks]
"kwbak" = ""

[HKCR\.mp1]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP3\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\.lrcx]
"kwbak" = ""

[HKCU\Software\Classes\kwfile_FLAC\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\kwfile_WAV\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\kwfile_AC3\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_OGG\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCR\kwfile_OGG\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Classes\.MP1]
"kwbak" = ""

[HKCU\Software\Classes\kwfile_AAC\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCR\kuwo\Shell\open\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_ape\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3]
"kwbak" = ""

[HKCR\kwfile_ape\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M4A\UserChoice]
"Progid" = "kwfile_M4A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
"Progid" = "kwfile_WAV"

[HKCR\.wav]
"(Default)" = "kwfile_WAV"

[HKCR\.aac]
"(Default)" = "kwfile_AAC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"VersionMinor" = "7.5.0.6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TTA]
"Progid" = "kwfile_TTA"

[HKCU\Software\Classes\kwfile_TTA\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\kwfile_wma\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_FLAC\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_M4A\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_AAC\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lrcx]
"Progid" = "kwfile_lrcx"

[HKCR\kwfile_MP1\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_M4A\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCR\SOFTWARE\Classes\kuwo\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe,0"

[HKCR\kwfile_FLAC\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP3\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\.m4a]
"(Default)" = "kwfile_M4A"

[HKCR\.mp2]
"(Default)" = "kwfile_MP2"

[HKCR\kwfile_MP2\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\kwfile_TTA\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\TTA.ico"

[HKCR\kwfile_TTA\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\kwfile_AAC\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Classes\kwfile_CDA\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\.ac3]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_AAC\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\kwfile_MP1\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\MP1.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_CDA\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\kwfile_AC3\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AC3]
"Progid" = "kwfile_AC3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\UserChoice]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_wma\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Classes\kwfile_M4A\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\.OGG]
"(Default)" = "kwfile_OGG"

[HKCR\kwfile_CDA\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\CDA.ico"

[HKCU\Software\Classes\.APE]
"kwbak" = ""

[HKCU\Software\Classes\kwfile_TTA\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCR\.m4a]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AC3]
"kwbak" = ""

[HKCR\.tta]
"(Default)" = "kwfile_TTA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CDA\UserChoice]
"Progid" = "kwfile_CDA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"InstallLocation" = "F:\Program Files\kuwo\kuwomusic"

[HKCU\Software\Classes\.TTA]
"(Default)" = "kwfile_TTA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_WAV\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_AC3\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.OGG]
"Progid" = "kwfile_OGG"

[HKCU\Software\Classes\.WMA]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M4A\UserChoice]
"kwbak" = ""

[HKCU\Software\Classes\.dks]
"(Default)" = "kwfile_dks"

[HKCU\Software\Classes\kwfile_MP1\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_OGG\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP2\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP1\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\kwfile_ape\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\kwfile_ape\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\kwfile_FLAC\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\.cda]
"kwbak" = "CDAFile"

[HKCR\kuwo]
"(Default)" = "URL:kuwo Protocol"

[HKCU\Software\Classes\.FLAC]
"kwbak" = ""

[HKCU\Software\Classes\.lrcx]
"(Default)" = "kwfile_lrcx"

[HKCR\kwfile_MP2\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"URLUpdateInfo" = "http://www.kuwo.cn"

[HKCR\kwfile_FLAC\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv7F.tmp\KwMusicNsis.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.FLAC\UserChoice]
"Progid" = "kwfile_FLAC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2]
"kwbak" = ""

[HKCR\.dks]
"(Default)" = "kwfile_dks"

[HKCR\kwfile_MP1\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\.wma\OpenWithList\KwMusic.exe]
"(Default)" = ""

[HKCU\Software\Classes\kwfile_CDA\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_M4A\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\kwfile_TTA\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\.tta]
"kwbak" = ""

[HKCR\kwfile_lrcx\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\lrcx.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
"Progid" = "kwfile_MP2"

[HKCR\.lrcx]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lrcx\UserChoice]
"Progid" = "kwfile_lrcx"

[HKCU\Software\Classes\kwfile_MP2\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\.aac]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_wma\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_TTA\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_AC3\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\AC3.ico"

[HKCR\kwfile_MP1\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"VersionMajor" = "7.5.0.6"

[HKCR\kwfile_M4A\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCR\kwfile_OGG\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\.AAC]
"kwbak" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 A2 A3 DE 77 BD 1A C0 36 34 2C CD 28 24 53 4E"

[HKCR\kwfile_AAC\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_M4A\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP1]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma]
"Progid" = "kwfile_wma"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"BuildTime" = "2014/5/6"

[HKCR\kwfile_ape\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCR\kwfile_MP3\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\MP3.ico"

[HKCU\Software\Classes\.FLAC]
"(Default)" = "kwfile_FLAC"

[HKCR\.flac]
"kwbak" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"Readme" = "F:\Program Files\kuwo\kuwomusic\readme.txt"

[HKCR\kwfile_wma\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\.lrcx]
"(Default)" = "kwfile_lrcx"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Classes\kwfile_WAV\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\kwfile_FLAC\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.APE]
"Progid" = "kwfile_ape"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_OGG\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCR\kwfile_MP2\DefaultIcon]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\bin\res\icons\MP2.ico"

[HKCU\Software\Classes\kwfile_OGG\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Classes\.CDA]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_TTA\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\.M4A]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_ape\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Classes\.APE]
"(Default)" = "kwfile_ape"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC]
"Progid" = "kwfile_AAC"

[HKCU\Software\Classes\kwfile_AC3\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\kwfile_WAV\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP3\shell\playlist]
"(Default)" = "Ã‚Â¼Ãƒâ€œÃƒË†ÃƒÂ« Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦ÃƒÂÃƒÂÃ‚Â±ÃƒÂ"

[HKCR\.ape]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dks\UserChoice]
"kwbak" = ""

[HKCR\.ac3]
"(Default)" = "kwfile_AC3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KwMusic7]
"NoRepair" = "0"

[HKCU\Software\Classes\.WAV]
"(Default)" = "kwfile_WAV"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2]
"Progid" = "kwfile_MP2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.FLAC\UserChoice]
"kwbak" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_AC3\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCU\Software\Classes\kwfile_MP3\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_WAV\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_AAC\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\kwfile_FLAC\shell\openkw]
"(Default)" = "Ãƒâ€œÃƒÆ’ Ã‚Â¿ÃƒÂ¡ÃƒÅ½Ãƒâ€™Ãƒâ€™ÃƒÂ´Ãƒâ‚¬Ãƒâ€“ Ã‚Â²Ã‚Â¥Ã‚Â·Ãƒâ€¦"

[HKCU\Software\Classes\kwfile_MP3\shell\openkw\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

[HKCR\Directory\shell\kwplaylist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \dirlist %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\kwfile_MP2\shell\playlist\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe \list %1"

[HKCU\Software\Classes\.AC3]
"(Default)" = "kwfile_AC3"

[HKCR\kwfile_dks\shell\open\command]
"(Default)" = "F:\Program Files\kuwo\kuwomusic\KwMusic.exe %1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kwmusic" = "F:\Program Files\kuwo\kuwomusic\Kwmusic.exe /autorun"

The process kuwo.exe:1344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 32 86 0B D4 96 59 8A 83 16 F2 EE EC 8C 92 09"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process %original file name%.exe:1720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 86 74 95 FC 54 E1 1A 93 E7 81 84 D2 46 36 A8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Netsh.exe:392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 46 52 4E 11 75 A2 A1 2F 5A 63 A1 9E 82 E2 45"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process Netsh.exe:540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 49 A5 CC 5C 99 15 78 4A B9 64 CF CF 49 07 DD"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Dropped PE files

MD5	File path
32db45f842b824c88585ccd0c48174e8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\KWMUSIC\DownloadUpdate.exe
4211f60f2299f2ef2da5fefc77630f74	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv7F.tmp\KwMusicNsis.dll
7ed256ddcf5033826b8befee618e60e5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv7F.tmp\nsisSlideshowx.dll
efce190b66b18502bde426d29638dd29	c:\Program Files\58611\kuwo.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????? 2014
Product Name: ????? 2014
Product Version: 7.5.3.6
Legal Copyright: ????? 2014
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 7.5.3.6
File Description: ????? 2014
Comments: ????? 2014
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	1007616	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	1011712	11939840	11937280	5.54517	416acf4ec298fd4b46bbd5c5e4f96289
.rsrc	12951552	262144	258560	3.9429	5e5f4d31ae491ae995934f58a4ebb0ee

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

kuwo.exe_1344:

`.rsrc

t$(SSh

~%UVW

u$SShe

advapi32.dll

kernel32.dll

Kernel32.dll

wininet.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

%Program Files%\58611\kuwo.exe

C:\windows\pc58611.dll

KwMusic.exe

hXXp://union.58611.net/zys_soft_ok.asp?action=kuwo&zys_soft_user=

hXXp://union.58611.net/zys_soft_ok_fl.asp?action=kuwo&zys_soft_user=

\\.\PHYSICALDRIVE

\\.\SCSI

\\.\SMARTVSD

user32.dll

@\\.\PhysicalDrive0

hXXp://pv.sohu.com/cityjson?ie=gb2312

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

hXXps://

hXXp://

VVV.baidu.com

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

SHLWAPI.dll

MPR.dll

VERSION.dll

WSOCK32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

\\.\Scsi0:

\\.\PhysicalDrive0

%s:%d

icmp.dll

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

X-X-X-X-X-X

\\.\Smartvsd

\\.\PhysicalDrive%d

\\.\Scsi%d:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

GetCPInfo

WinExec

GetProcessHeap

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

GetViewportExtEx

ScaleViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

ShellExecuteA

GetKeyState

SetWindowsHookExA

CreateDialogIndirectParamA

UnhookWindowsHookEx

InternetCanonicalizeUrlA

InternetCrackUrlA

.text

.rdata

@.data

.rsrc

@.text

fO-r}

#include "l.chs\afxres.rc" // Standard components

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.1.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PAD

KERNEL32.DLL

ADVAPI32.dll

COMCTL32.dll

comdlg32.dll

GDI32.dll

iphlpapi.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

SHELL32.dll

USER32.dll

WININET.dll

WINMM.dll

WINSPOOL.DRV

WS2_32.dll

(*.*)

7.5.0.6

kuwo.exe_1344_rwx_00401000_000FF000:

t$(SSh

~%UVW

u$SShe

advapi32.dll

kernel32.dll

Kernel32.dll

wininet.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

%Program Files%\58611\kuwo.exe

C:\windows\pc58611.dll

KwMusic.exe

hXXp://union.58611.net/zys_soft_ok.asp?action=kuwo&zys_soft_user=

hXXp://union.58611.net/zys_soft_ok_fl.asp?action=kuwo&zys_soft_user=

\\.\PHYSICALDRIVE

\\.\SCSI

\\.\SMARTVSD

user32.dll

@\\.\PhysicalDrive0

hXXp://pv.sohu.com/cityjson?ie=gb2312

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

HTTP/1.1

hXXps://

hXXp://

VVV.baidu.com

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

SHLWAPI.dll

MPR.dll

VERSION.dll

WSOCK32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

\\.\Scsi0:

\\.\PhysicalDrive0

%s:%d

icmp.dll

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

X-X-X-X-X-X

\\.\Smartvsd

\\.\PhysicalDrive%d

\\.\Scsi%d:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

GetCPInfo

WinExec

GetProcessHeap

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

GetViewportExtEx

ScaleViewportExtEx

SetViewportExtEx

OffsetViewportOrgEx

SetViewportOrgEx

GetViewportOrgEx

ShellExecuteA

GetKeyState

SetWindowsHookExA

CreateDialogIndirectParamA

UnhookWindowsHookEx

InternetCanonicalizeUrlA

InternetCrackUrlA

.text

.rdata

@.data

.rsrc

@.text

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

regsvr32.exe:1024
regsvr32.exe:840
regsvr32.exe:208
regsvr32.exe:616
regsvr32.exe:644
regsvr32.exe:1404
kuwo_jm306.exe:1132
%original file name%.exe:1720
Netsh.exe:392
Netsh.exe:540
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%WinDir%\WMSysPr9.prx (316 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl7E.tmp (732625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad02.jpg (784 bytes)
%WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (40 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\lyricshow\LyricTheme.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\KillProcDLL.dll (10 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\vipMbox_new.zip (15168 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\songcomment.zip (784 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModMusicTool\conf.txt (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\instAD.dat (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWMUSIC\DownloadUpdate.exe (6360 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad04.jpg (784 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_4a.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (388 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_PIC_highlight.jpg (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\sharesong.zip (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\KwMusicNsis.dll (13584 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_2b.png (1 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\KuWoNsis_new.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\w7tbp.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad01.jpg (784 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (16 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_2a.png (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_COLOR_highlight.jpg (1 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%System%\drivers (480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_COLOR_nomal.jpg (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_1a.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWMUSIC\BindConfig.ini (213 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\userinfo2012.zip (3312 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_3b.png (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_4b.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\Base64.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\instAD\ad03.jpg (784 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_5b.png (1 bytes)
C:\PROGRAM FILES (4 bytes)
C:\$Directory (212 bytes)
%System%\config (100 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\cache\KW_SEARCH_SONG\jay.dat (784 bytes)
%System%\wbem (480 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\cache\DOWNLOAD_ARTISTPIC\49FF334D.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModWebUpdate\zip\netsong.zip (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWMUSIC\DownloadUpdate.ini (120 bytes)
%Documents and Settings%\%current user%\Application Data (4 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_3a.png (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_1b.png (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv7F.tmp\nsisSlideshowx.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Conf\p2pconf\setup.xml (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_Themes_5a.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KWMUSIC\mylk.dat (1 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\ModuleData\ModResource\NetSong-artists.pl (9608 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Res\DeskLyric\DL_PIC_nomal.jpg (871 bytes)
%WinDir%\KwYlx.dat (21 bytes)
%Documents and Settings%\All Users\Application Data\kuwodata\kwmusic2013\Conf\user\config.ini (10466 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\cityjson[1] (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8PUZSXEZ\cityjson[1] (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\58611\kuwo.exe (1849 bytes)
%Program Files%\58611\kuwo_jm306.exe (84227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8PUZSXEZ\desktop.ini (67 bytes)
%WinDir%\pc58611.dll (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O96R4D23\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SP2BK9QF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GDAJ8DEZ\desktop.ini (67 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kwmusic" = "F:\Program Files\kuwo\kuwomusic\Kwmusic.exe /autorun"
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan.Win32.FlyStudio_9fc7b567de

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan.Win32.FlyStudio_9fc7b567de

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet