Virus.Win32.Sality_5c34e4f581
Trojan-Dropper.Win32.Agent.hjne (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan-Dropper.Win32.Agent!IK (Emsisoft), Backdoor.Win32.Farfli.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, Worm.Win32.Dorkbot.FD, GenericUSBInfector.YR, GenericProxy.YR, GenericSYNFlooder.YR, GenericUDPFlooder.YR, GenericDNSBlocker.YR, GenericMSNWorm.YR, GenericIRCBot.YR, GenericAutorunWorm.YR, VirusSality.YR, WormDorkbot.YR, GenericPhysicalDrive0.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Banker, Trojan, Backdoor, Flooder, Worm, Virus, WormAutorun, IRCBot, MSNWorm, DNSBlocker, UDPFlooder, SYNFlooder, Trojan-Proxy, USBInfector
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5c34e4f5813f978e5d97bc39a1977749
SHA1: 12005bcb9d129ebc47136e8089b98f2354c4cde2
SHA256: bc392bdd3d96fa1079496b49c271a960ad60fc316dd0e0fae94c088a240354de
SSDeep: 6144:hwNMkmWLk2FqgAJITs6l0E9DtnVJNYngU:hwGYjAag6lXhn
Size: 468480 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1998-02-16 10:02:44
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Virus's file once a user opens a drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via an IRC channel. |
| MSNWorm | A worm can spread copies of itself through MSN Messenger. |
| DNSBlocker | A program can block designated DNS servers to make it difficult for users to locate specific domains or web sites on the Internet. |
| UDPFlooder | This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host. |
| SYNFlooder | This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. |
| Trojan-Proxy | This program can launch a proxy server (SOCKS4) on a designated TCP port. |
| USBInfector | A program can register for device notifications with RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to the USB device plugged into the affected computer. |
Process activity
The Virus creates the following process(es):
5c34e4f5813f978e5d97bc39a1977749.exe:47068
5c34e4f5813f978e5d97bc39a1977749.exe:47132
The Virus injects its code into the following process(es):
mspaint.exe:47160
5c34e4f5813f978e5d97bc39a1977749.exe:1672
File activity
The process mspaint.exe:47160 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe (3073 bytes)
The Virus deletes the following file(s):
C:\5c34e4f5813f978e5d97bc39a1977749.exe (0 bytes)
The process 5c34e4f5813f978e5d97bc39a1977749.exe:47068 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (3073 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (3073 bytes)
The process 5c34e4f5813f978e5d97bc39a1977749.exe:1672 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
D:\disablejavawarnsec.exe (984 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winorjtg.exe (15019 bytes)
%System%\drivers\qnpjm.sys (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\windcnpe.exe (741 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
The Virus deletes the following file(s):
%System%\drivers\qnpjm.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\windcnpe.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winorjtg.exe (0 bytes)
Registry activity
The process mspaint.exe:47160 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 6F 36 A5 E4 D2 65 1D 72 B7 02 56 6F A6 2C 25"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Virus modifies IE settings for security zones to map all local web nodes that have no dots in their names and do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Virus modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Cukmko" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Virus deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process 5c34e4f5813f978e5d97bc39a1977749.exe:47068 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 AF AF DD 84 A0 1D 4C 5D D9 32 C1 75 46 12 20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"
The process 5c34e4f5813f978e5d97bc39a1977749.exe:47132 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 28 D8 CF 8E 18 0D 89 13 6B 39 D6 BC F3 BD 15"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process 5c34e4f5813f978e5d97bc39a1977749.exe:1672 makes changes in the system registry.
The Virus creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E E8 C2 F8 8E ED A5 A9 3E CD 64 FE 35 29 CE 49"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Adds a Windows Firewall rule that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"5c34e4f5813f978e5d97bc39a1977749.exe" = "c:\5c34e4f5813f978e5d97bc39a1977749.exe:*:Enabled:ipsec"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The Virus deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation]
The Virus deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://api.wipmania.com/ (ET POLICY External IP Lookup Attempt To Wipmania) | |
| e.joyyven.com | |
| e.lartanato.com | |
| e.balkrev.com | |
Rootkit activity
The Virus installs the following user-mode hooks in WININET.dll:
HttpSendRequestW
InternetWriteFile
HttpSendRequestA
The Virus installs the following user-mode hooks in dnsapi.dll:
DnsQuery_A
DnsQuery_W
The Virus installs the following user-mode hooks in WS2_32.dll:
send
GetAddrInfoW
The Virus installs the following user-mode hooks in kernel32.dll:
MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA
The Virus installs the following user-mode hooks in ntdll.dll:
LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
A program can register for device notifications with RegisterDeviceNotification. It is then notified when a USB device is plugged in, and the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through MSN Messenger.
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan the system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
5c34e4f5813f978e5d97bc39a1977749.exe:47068
5c34e4f5813f978e5d97bc39a1977749.exe:47132
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe (3073 bytes)
%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (3073 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (3073 bytes)
%WinDir%\system.ini (70 bytes)
D:\disablejavawarnsec.exe (984 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winorjtg.exe (15019 bytes)
%System%\drivers\qnpjm.sys (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\windcnpe.exe (741 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Cukmko" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Cukmko.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.