Virus.Win32.Sality_0de3af0720

by malwarelabrobot on May 14th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.712 (B) (Emsisoft), Gen:Variant.Barys.712 (AdAware), VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 0de3af072033d2a8b0159d9be8b087a8
SHA1: 3fce5ec8ebc79cb4ec1c446d1a57075aea161aeb
SHA256: 3d73805c6bfe4c90fccb764d0c33548cb3460e156f094457456c018d13b7d354
SSDeep: 12288:e 1mdD0z8j1Pk20Mt2LW xV33hX Rkq5gh1iWJS/GPuIQkD1LrnxX3SMgAKeyWKy:e2IafzRI4JT39fZx1rR6W7POdkSqSVx
Size: 1452544 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: Windows
Created at: 2014-05-07 19:50:55
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour Description
WormAutorun: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Virus creates the following process(es):

%original file name%.exe:668
k400.exe:1932

The Virus injects its code into the following process(es):

Hs.exe:3544
user32.exe:2116
Explorer.EXE:1948

File activity

The process %original file name%.exe:668 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\k400.exe (1780 bytes)
%Documents and Settings%\%current user%\Application Data\Hs.exe (42 bytes)

The process user32.exe:2116 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\b_8d5afc09[1].png (3924 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\F7E34C2974A5D01D347705C76E2FF5D7 (220 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\nav_logo80[1].png (16371 bytes)
C:\msxpsdrv.inf (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\sem_96e64197394b4841f958af5c62b4f5cc[1].js (28041 bytes)
%Documents and Settings%\%current user%\Cookies\BR3B0SP0.txt (542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\mgyhp_sm[1].png (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\logo9w[1].png (3526 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\www.google[1].xml (496 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ap1bgyhp_smbiokl8ai2XcO-7k1sizdmcYi3z2k[1].png (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\nav_logo176[1].png (5921 bytes)
%Documents and Settings%\%current user%\Cookies\CY32C8S7.txt (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\chrome-48[1].png (56 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0270780F846F08BEFE0DD8112D932FEF (543 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D4F348B882DF3F205ECCB6243795CB3A (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\google_ca[1].txt (14331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (200 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\F7E34C2974A5D01D347705C76E2FF5D7 (29 bytes)
%Documents and Settings%\%current user%\Cookies\TLQGHX20.txt (135 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D4F348B882DF3F205ECCB6243795CB3A (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\rs=AItRSTPqPxPQq9apHYeYn61I89z9NOuesQ[1] (77397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0270780F846F08BEFE0DD8112D932FEF (268 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014051320140514\index.dat (16 bytes)

The Virus deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415 (0 bytes)
C:\msxpsdrv.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416 (0 bytes)
%Documents and Settings%\%current user%\Cookies\TLQGHX20.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\3QE1QHRN.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\CY32C8S7.txt (0 bytes)
%System%\drivers\migx25a.obe (0 bytes)

The process k400.exe:1932 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\system.ini (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000D04B3_Rar\k400.exe (3073 bytes)
%System%\drivers\migx25a.$$A (4956 bytes)
%System%\user32.$$A (6356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000D064A_Rar\k400.exe (3073 bytes)
%System%\mui\0414\media.$$A (5991 bytes)

Registry activity

The process Hs.exe:3544 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF D8 86 88 4E CD E9 DB 58 D5 D3 09 B7 68 21 C0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\Hs.exe"

The process %original file name%.exe:668 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 11 82 3E B1 DC D1 8C E6 DE 1D 8E 3C 65 EB E3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"hs.exe" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"k400.exe" = "k400"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process user32.exe:2116 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\google.ca]
"(Default)" = "52"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"DSGuid" = "{00000000-0000-0000-0000-000000000000}"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"FriendlyName" = "Default DirectSound Device"

[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "52"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CacheLimit" = "8192"
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014051320140514"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"CLSID" = "{07B65360-C445-11CE-AFDE-00AA006C14F4}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"MidiOutId" = "4294967295"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "user32.exe"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"
"fdwSupport" = "1"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"FilterData" = "02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1378682664"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 AB 78 81 28 F8 8C 73 9A D2 4C 2E 17 AC 72 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CachePrefix" = ":2014051320140514:"

[HKCU\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]
"0" = "E0 5A 00 00 65 68 63 66 00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"FilterData" = "02 00 00 00 00 00 80 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device]
"FriendlyName" = "Default MidiOut Device"

[HKCU\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device]
"CLSID" = "{79376820-07D0-11CF-A24D-0020AFD79767}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Virus modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Virus deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041520130416]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040820130415]

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache]
"1"

The process k400.exe:1932 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Aas]

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"

[HKCU\Software\Aas\695404737]
"28676484" = "35"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"

"a4_79" = "566360559"
"a4_78" = "559191438"
"a4_73" = "523345833"
"a4_72" = "516176712"
"a4_71" = "509007591"
"a4_70" = "501838470"
"a4_77" = "552022317"
"a4_76" = "544853196"
"a4_75" = "537684075"
"a4_74" = "530514954"
"a3_390" = "2812641775"
"a3_391" = "2786540046"
"a3_392" = "2793594529"
"a3_393" = "2800513728"
"a3_394" = "2841581411"
"a3_395" = "2848623490"
"a3_396" = "2821991461"
"a3_397" = "2829566020"
"a3_398" = "2870043879"
"a3_399" = "2877036806"

[HKCU\Software\Aas\695404737]
"7169121" = "212"

[HKCU\Software\Aas]
"a4_199" = "1426655079"
"a2_363" = "2602386008"
"a4_274" = "1964339154"
"a4_275" = "1971508275"
"a4_276" = "1978677396"
"a4_277" = "1985846517"
"a4_270" = "1935662670"
"a4_271" = "1942831791"
"a4_272" = "1950000912"
"a4_273" = "1957170033"
"a4_278" = "1993015638"
"a4_279" = "2000184759"
"a4_308" = "2208089268"
"a4_309" = "2215258389"
"a4_300" = "2150736300"
"a4_301" = "2157905421"
"a4_302" = "2165074542"
"a4_303" = "2172243663"
"a4_304" = "2179412784"
"a4_305" = "2186581905"
"a4_306" = "2193751026"
"a4_307" = "2200920147"
"a1_114" = "3985886055"
"a1_115" = "1219837130"
"a1_116" = "3842708137"
"a1_117" = "3024706587"
"a1_110" = "1910162115"
"a1_111" = "3626186321"
"a1_112" = "2477734094"
"a1_113" = "1450167816"
"a1_118" = "961907142"
"a1_119" = "2641297018"
"a2_258" = "1849635713"
"a2_259" = "1856805816"
"a2_254" = "1820954184"
"a2_255" = "1828119876"
"a2_256" = "1835286791"
"a2_257" = "1842470009"
"a2_250" = "1792283105"
"a2_251" = "1799452468"
"a2_252" = "1806619027"
"a2_253" = "1813779022"
"a1_363" = "1006490679"
"a1_362" = "2467592308"
"a1_361" = "2405457664"
"a1_360" = "1097095733"
"a1_367" = "311087697"
"a1_366" = "2431645458"
"a1_365" = "1211066353"
"a1_364" = "212302977"
"a1_369" = "354823789"
"a1_368" = "2218332459"
"a1_38" = "437754075"
"a1_39" = "4038607479"
"a1_30" = "1125694984"
"a1_31" = "2662093296"
"a1_32" = "967768690"
"a1_33" = "2486385979"
"a1_34" = "899369308"
"a1_35" = "3910510731"
"a1_36" = "1745498877"
"a1_37" = "3942030667"
"a1_297" = "1973571792"
"a1_296" = "4147290486"
"a1_295" = "3083719291"
"a1_294" = "694191389"
"a1_293" = "3691760220"
"a1_292" = "1198421489"
"a1_291" = "475682301"
"a1_290" = "1419574620"
"a1_299" = "514739986"
"a1_298" = "1730111632"
"a4_286" = "2050368606"
"a2_108" = "774259755"
"a2_109" = "781426758"
"a2_100" = "716908835"
"a2_101" = "724076208"
"a2_102" = "731242793"
"a2_103" = "738424041"
"a2_104" = "745593757"
"a2_105" = "752760718"
"a2_106" = "759924619"
"a2_107" = "767094695"
"a3_169" = "1228156448"
"a3_168" = "1187689857"
"a3_167" = "1180635502"
"a3_166" = "1206680783"
"a3_165" = "1199757484"
"a3_164" = "1192698893"
"a3_163" = "1151697898"
"a3_162" = "1144713035"
"a3_161" = "1171213096"
"a3_160" = "1163777673"
"a2_28" = "200728406"
"a2_29" = "207898491"
"a2_26" = "186394333"
"a2_27" = "193564605"
"a2_24" = "172061447"
"a2_25" = "179230518"
"a2_22" = "157728387"
"a2_23" = "164896656"
"a2_20" = "143379955"
"a2_21" = "150548127"
"a4_68" = "487500228"
"a4_69" = "494669349"
"a4_60" = "430147260"
"a4_61" = "437316381"
"a4_62" = "444485502"
"a4_63" = "451654623"
"a4_64" = "458823744"
"a4_65" = "465992865"
"a4_66" = "473161986"
"a4_67" = "480331107"
"a2_7" = "50176537"
"a2_6" = "43009985"
"a2_5" = "35843325"
"a2_4" = "28674078"
"a2_3" = "21510355"
"a2_2" = "14343653"
"a2_1" = "7173082"
"a2_0" = "5994"
"a3_389" = "2805656908"
"a3_388" = "2765048109"
"a2_9" = "64527438"
"a2_8" = "57358699"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a4_9" = "64522089"
"a4_8" = "57352968"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 C1 2B 73 13 F2 D8 75 E2 40 FC 87 5F 7B 09 0C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Aas]
"a4_438" = "3140074998"
"a4_439" = "3147244119"
"a4_432" = "3097060272"
"a4_433" = "3104229393"
"a4_430" = "3082722030"
"a4_431" = "3089891151"
"a4_436" = "3125736756"
"a4_437" = "3132905877"
"a4_434" = "3111398514"
"a4_435" = "3118567635"
"a4_344" = "2466177624"
"a4_345" = "2473346745"
"a4_346" = "2480515866"
"a4_347" = "2487684987"
"a4_340" = "2437501140"
"a4_341" = "2444670261"
"a4_342" = "2451839382"
"a4_343" = "2459008503"
"a4_348" = "2494854108"
"a4_349" = "2502023229"
"a3_383" = "2729068342"
"a3_382" = "2721620631"
"a3_381" = "2748124788"
"a3_380" = "2741212629"
"a3_387" = "2757612682"
"a3_386" = "2784112747"
"a3_385" = "2776670152"
"a3_384" = "2769681321"
"a1_329" = "3071039719"
"a1_328" = "1956991097"
"a1_327" = "3895741874"
"a1_326" = "59342394"
"a1_325" = "3897863024"
"a1_324" = "2377538931"
"a1_323" = "2014424270"
"a1_322" = "2815374431"
"a1_321" = "966342860"
"a1_320" = "2223175407"
"a1_436" = "1791787889"
"a1_253" = "515800706"
"a1_252" = "1154291751"
"a1_251" = "2350238005"
"a1_250" = "3862919143"
"a1_257" = "1167805752"
"a1_256" = "249389851"
"a1_255" = "3417416913"
"a1_254" = "4112994382"
"a1_259" = "624297062"
"a1_258" = "3957776037"
"a2_144" = "1032348083"
"a2_145" = "1039517531"
"a2_146" = "1046684545"
"a2_147" = "1053867368"
"a2_140" = "1003667754"
"a2_141" = "1010847914"
"a2_142" = "1018018415"
"a2_143" = "1025182104"
"a2_68" = "487503123"
"a2_69" = "494677250"
"a2_148" = "1061035390"
"a2_149" = "1068200343"
"a3_299" = "2126993250"
"a3_298" = "2119545539"
"a3_295" = "2131608046"
"a3_294" = "2091003215"
"a3_297" = "2146049696"
"a3_296" = "2139060737"
"a3_291" = "2103079018"
"a3_290" = "2062081995"
"a3_293" = "2083555628"
"a3_292" = "2110067853"
"a3_181" = "1280611004"
"a3_180" = "1307180573"
"a3_34" = "260325067"
"a3_182" = "1288058591"
"a3_185" = "1309597744"
"a3_33" = "253401768"
"a3_187" = "1324038386"
"a3_186" = "1316586579"
"a3_189" = "1371566516"
"a3_188" = "1364647189"
"a3_38" = "289377359"
"a3_39" = "296296686"
"a4_282" = "2021692122"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"user32.exe" = "by E991"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"

[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

The Virus modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"

Adds a rule to the Windows firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data]
"k400.exe" = "%Documents and Settings%\%current user%\Application Data\k400.exe:*:Enabled:ipsec"

The Virus modifies IE security zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Firewall notifications are disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"

The Virus modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Antivirus notifications are disabled:

[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"

Dropped PE files

MD5 File path
2c4f3c51f50708de528b3f8b83875d5d c:\Documents and Settings\"%CurrentUserName%"\Application Data\Hs.exe
b4573e6d4a2b593c8dd93f88abb3e0ef c:\Documents and Settings\"%CurrentUserName%"\Application Data\k400.exe
59d549bdf73c64ad8b682437cab60250 c:\WINDOWS\system32\drivers\migx25a.obe
e39cb9b56d27b01d63ffe83002407e37 c:\WINDOWS\system32\user32.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: FullHack 1HIT.exe
Internal Name: FullHack 1HIT.exe
File Version: 1.0.0.0
File Description:
Comments:
Language: Hebrew (Israel)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 1450276 1450496 2.77752 2b624c607b35a5257d607a9d3e8c3e47
.rsrc 1466368 696 1024 1.5793 941d30c2a4c90c8375b273b6fcc4d865
.reloc 1474560 12 512 0.070639 acac4e5aa35667396cfc965da68f560b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://digicert.cachefly.net/DigiCertHighAssuranceEVRootCA.crl
hxxp://cs9.wac.edgecastcdn.net/sha2-ha-server-g1.crl
hxxp://www.google.com/
hxxp://www.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw
hxxp://e6845.ce.akamaiedge.net/crls/secureca.crl
hxxp://e6845.ce.akamaiedge.net/crls/gtglobal.crl
hxxp://www3.l.google.com/GIAG2.crl
hxxp://crl.geotrust.com/crls/gtglobal.crl
hxxp://crl3.digicert.com/sha2-ha-server-g1.crl
hxxp://pki.google.com/GIAG2.crl
hxxp://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
hxxp://crl.geotrust.com/crls/secureca.crl


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY DropBox User Content Access over SSL

Traffic

GET /sha2-ha-server-g1.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl3.digicert.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: application/x-pkcs7-crl
Date: Tue, 13 May 2014 13:33:36 GMT
Etag: "3776703994"
Expires: Tue, 20 May 2014 13:33:36 GMT
Last-Modified: Mon, 12 May 2014 17:15:04 GMT
Server: ECS (lga/13B7)
X-Cache: HIT
Content-Length: 29270

<<< skipped >>>

GET /DigiCertHighAssuranceEVRootCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl4.digicert.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Date: Tue, 13 May 2014 13:33:35 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 543
Connection: keep-alive
X-CFHash: "ae5a06b6ed41454d1c542006b73aa43f"
Last-Modified: Sun, 11 May 2014 18:15:03 GMT
X-CF3: H
X-CF2: H
Accept-Ranges: bytes
Server: CFS 0316
X-CF1: 13483:dA.yul1:cf:cacheA.yul1-01:D


GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: VVV.google.com
Connection: Keep-Alive
Cookie: PREF=ID=28da643bc1e67c45:U=f32dce0544f98e52:FF=0:TM=1365778725:LM=1365778725:S=KlaSoYpEhHSBxg_x


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw
Content-Length: 258
Date: Tue, 13 May 2014 13:33:59 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfR
yYHwAw">here</A>...</BODY></HTML>....


GET /GIAG2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: pki.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Tue, 13 May 2014 02:22:15 GMT
Date: Tue, 13 May 2014 12:35:01 GMT
Expires: Tue, 13 May 2014 13:35:01 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 830
X-XSS-Protection: 1; mode=block
Age: 3539
Cache-Control: public, max-age=3600
Alternate-Protocol: 80:quic


GET /crls/secureca.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.geotrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "c8028f657e0f78058a0173d373cfe25f:1399985410"
Last-Modified: Tue, 13 May 2014 12:50:10 GMT
Accept-Ranges: bytes
Content-Length: 1604
Date: Tue, 13 May 2014 13:34:00 GMT
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /crls/gtglobal.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.geotrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "f69a5fb20b98961b1ae6bc12b19ab527:1399985410"
Last-Modified: Tue, 13 May 2014 12:50:10 GMT
Accept-Ranges: bytes
Content-Length: 554
Date: Tue, 13 May 2014 13:34:00 GMT
Connection: keep-alive
Content-Type: application/pkix-crl


GET /?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Cookie: PREF=ID=d1b71ce95180a40b:U=e74275611c737632:FF=0:TM=1365778725:LM=1365778743:S=Y22Iy1cY98t4Pj6o
Connection: Keep-Alive
Host: VVV.google.ca


HTTP/1.1 302 Found
Location: hXXps://VVV.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gfRyYHwAw
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=d1b71ce95180a40b:FF=0:TM=1365778725:LM=1399988039:S=iXnqHD1IYZqiDrX9; expires=Thu, 12-May-2016 13:33:59 GMT; path=/; domain=.google.ca
Set-Cookie: NID=67=LuOskETTzlG5YqnvORnM-i9OM7MdZyG9RKZSUTpIoVob1on7fpkxMlGavyRVXMNOf7_xYc-tMD_OFZQjHAuGKNWbh1s79a0ulHmaw6lp3KhyofCzpfVkXv9NbwBVGn65; expires=Wed, 12-Nov-2014 13:33:59 GMT; path=/; domain=.google.ca; HttpOnly
P3P: CP="This is not a P3P policy! See hXXp://VVV.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."
Date: Tue, 13 May 2014 13:33:59 GMT
Server: gws
Content-Length: 259
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXps://VVV.google.ca/?gfe_rd=cr&ei=Rx9yU7i_FI_O8gf
RyYHwAw">here</A>...</BODY></HTML>....


The Virus connects to the servers at the following location(s):

Strings from Dumps

Hs.exe_3544_rwx_00D20000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

Hs.exe_3544_rwx_00E30000_00001000:

|hs.exeM_3544_

user32.exe_2116:

.text
.data
.rsrc
wmp.dll
WMPLibCtl.WindowsMediaPlayer
WindowsMediaPlayer
shdocvw.dll
SHDocVwCtl.WebBrowser
WebBrowser
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
7WindowsMediaPlayer1
%System%\wmp.oca
WebBrowser2
1F%System%\shdocvw.oca
WebBrowser1
kernel32.dll
COMDLG32.DLL
shell32.dll
ShellExecuteA
VBA6.DLL
URLDownloadToFileA
ole32.dll
urlmon
IEC http://www.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
.8Cu%X}%d}%X
WindowsMediaPlayer1
sURLFileName
@s\Ulead Systems\MPEG\dwmapi.dll
B*\A%Documents and Settings%\Administrator\Desktop\PB-trial-000-dll hide\E991.VBP
http://www.google.com/
PointBlank.exe
HSUpdate.exe
C:\windows\system32\mui\0414\media.mp3
http://poponclick.com/pu800x600.php?id=bG9sYQ==&affid=32463
http://toyibg.blogspot.com
http://adf.ly/TtB7i
C:\windows\system32\drivers\migx25a.obe
%Program Files%\Avira\AntiVir Desktop\avcenter.exe
Can't find LoadLibrary API from kernel32.dll
The buffer length is invalid or there was insufficient memory to complete the operation.
https://dl.dropboxusercontent.com/s/wtw6rmcl8wcyx7z/ap1bgyhp_smbiokl8ai2XcO-7k1sizdmcYi3z2k.png?token_hash=AAH8RjsLyuNvNujHjSRIXTcZ6LSq4QDOAu4IstvqvbKP-A&dl=1
c:\msxpsdrv.inf
@*\A%Documents and Settings%\Administrator\Desktop\PB-trial-000-dll hide\E991.VBP
toyibg.blogspot.com
user32.exe

user32.exe_2116_rwx_02150000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

user32.exe_2116_rwx_021A0000_00001000:

|user32.exeM_2116_

Explorer.EXE_1948_rwx_00B40000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

Explorer.EXE_1948_rwx_01110000_00001000:

|explorer.exeM_1948_

Explorer.EXE_1948_rwx_025F0000_0108E000:

c:\windows
http://osterakerlackering.se/images/logo.gif
http://pmesb.com/images/logo.gif
http://proecosystems.com/images/button.gif
http://pratikserver.com/img/logo.gif
http://lolitkaa.za.pl/logo.gif
http://aykom.net/img/button.gif
http://www.molozatim.com/images/logo.gif
http://phen.cdd.go.th/logo.gif
http://carbonsteelsuppliersindia.co.in/images/logo.gif
http://paharev.myjino.ru/logo.gif
http://lifetimelites.com/images/logo.gif
%System%\drivers\qgpj.sys
85309342
.rsrc
.text
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
http://
ipfltdrv.sys
www.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
.rdata
.data
Bkrnl.exe?
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:668
    k400.exe:1932

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %Documents and Settings%\%current user%\Application Data\k400.exe (1780 bytes)
    %Documents and Settings%\%current user%\Application Data\Hs.exe (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\b_8d5afc09[1].png (3924 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\F7E34C2974A5D01D347705C76E2FF5D7 (220 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448 (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\nav_logo80[1].png (16371 bytes)
    C:\msxpsdrv.inf (331 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\sem_96e64197394b4841f958af5c62b4f5cc[1].js (28041 bytes)
    %Documents and Settings%\%current user%\Cookies\BR3B0SP0.txt (542 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\mgyhp_sm[1].png (331 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\logo9w[1].png (3526 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6SYQ5KI\www.google[1].xml (496 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A574ED5927B3CEC9626151D220C7448 (830 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\ap1bgyhp_smbiokl8ai2XcO-7k1sizdmcYi3z2k[1].png (331 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\nav_logo176[1].png (5921 bytes)
    %Documents and Settings%\%current user%\Cookies\CY32C8S7.txt (523 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\chrome-48[1].png (56 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0270780F846F08BEFE0DD8112D932FEF (543 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D4F348B882DF3F205ECCB6243795CB3A (200 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\google_ca[1].txt (14331 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\23B523C9E7746F715D33C6527C18EB9D (200 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\23B523C9E7746F715D33C6527C18EB9D (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\F7E34C2974A5D01D347705C76E2FF5D7 (29 bytes)
    %Documents and Settings%\%current user%\Cookies\TLQGHX20.txt (135 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D4F348B882DF3F205ECCB6243795CB3A (554 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\rs=AItRSTPqPxPQq9apHYeYn61I89z9NOuesQ[1] (77397 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0270780F846F08BEFE0DD8112D932FEF (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014051320140514\index.dat (16 bytes)
    %WinDir%\system.ini (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000D04B3_Rar\k400.exe (3073 bytes)
    %System%\drivers\migx25a.$$A (4956 bytes)
    %System%\user32.$$A (6356 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000D064A_Rar\k400.exe (3073 bytes)
    %System%\mui\0414\media.$$A (5991 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "(Default)" = "%Documents and Settings%\%current user%\Application Data\Hs.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
