HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), SpyTool.Win32.Ardamax.FD, Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, SpyTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2f9e864b52474c400bd02edce6a5810a
SHA1: 13959a8421acb6a27bc9b42b1b4ebd8e5f38419d
SHA256: ff8ee126dc6a57934f6a9e458b4e1ff769c8ace4abff6881bc34402e186223bb
SSDeep: 6144:6/QiQPsDJZVpdtyhvOVYgBpl7 hCnaTxUKsE9ceJRvcj68xhxXqo7V5/q/hAUfB:CQiGs1ZVpXyVOLlKhC2Iqjzva6WXd554
Size: 385387 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit
Summary: SpyTool. A program used to apply passive protection methods to spyware, such as obfuscation, encryption or polymorphism. The original malicious program is usually encrypted/compressed and stored inside the wrapper.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The SpyTool creates the following process(es):
taskkill.exe:1552
taskkill.exe:1400
taskkill.exe:444
%original file name%.exe:272
2f9e864b52474c400bd02edce6a5810a.tmp:1328
tasklist.exe:564
tasklist.exe:1392
mbot_no_014010247.exe:1952
upmbot_no_014010247.exe:1300
encrypt.exe:1340
encrypt.exe:592
encrypt.exe:1612
encrypt.exe:516
setup.tmp:340
setup.exe:636
The SpyTool injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:272 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2RM17.tmp\2f9e864b52474c400bd02edce6a5810a.tmp (3780 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2RM17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2RM17.tmp\2f9e864b52474c400bd02edce6a5810a.tmp (0 bytes)
The process 2f9e864b52474c400bd02edce6a5810a.tmp:1328 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\idp.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\setup.exe (654387 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\_isetup\_shfoldr.dll (23 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\idp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\setup.exe (0 bytes)
The process mbot_no_014010247.exe:1952 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_no_014010247\mbot_no_014010247\1.10\cnf.cyl (269 bytes)
The process upmbot_no_014010247.exe:1300 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (231 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_no_014010247\upmbot_no_014010247.cyl (428 bytes)
The process encrypt.exe:1340 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\predm.exe (3300 bytes)
The process encrypt.exe:592 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mbot_no_014010247.exe (20219 bytes)
The process encrypt.exe:1612 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\upmbot_no_014010247.exe (16156 bytes)
The process encrypt.exe:516 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mybestofferstoday_widget.exe (16647 bytes)
The process setup.tmp:340 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-MMSKC.tmp (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MYBESTOFFERSTODAY\MyBestOffersToday.lnk (837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\encrypt.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-FFGNK.tmp (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_no_014010247\upmbot_no_014010247.exe (22575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mbot_no_014010247.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-7LEL7.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\idp.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-5KA43.tmp (8657 bytes)
%Program Files%\mbot_no_014010247\unins000.dat (35465 bytes)
%Program Files%\mbot_no_014010247\mbot_no_014010247.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\ex.bat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mybestofferstoday_widget.7z (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\upmbot_no_014010247.7z (7433 bytes)
%Program Files%\mbot_no_014010247\mybestofferstoday_widget.exe (23404 bytes)
%Program Files%\mbot_no_014010247\predm.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-KCQUJ.tmp (7433 bytes)
%Program Files%\mbot_no_014010247\is-DP063.tmp (28787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\predm.7z (2321 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\MYBESTOFFERSTODAY_WIDGET.7Z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\upmbot_no_014010247.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mybestofferstoday_widget.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mbot_no_014010247.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mybestofferstoday_widget.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\idp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\MBOT_NO_014010247.7Z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\av.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\encrypt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mbot_no_014010247.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\upmbot_no_014010247.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\UPMBOT_NO_014010247.7Z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\ex.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\predm.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\predm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\CheckProc.cmd (0 bytes)
The process setup.exe:636 makes changes in the file system.
The SpyTool creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-47LIN.tmp\setup.tmp (6319 bytes)
The SpyTool deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-47LIN.tmp\setup.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-47LIN.tmp (0 bytes)
Registry activity
The process taskkill.exe:1552 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 82 B2 E0 74 03 4F F2 1E 80 55 65 1F 48 4A 1F"
The process taskkill.exe:1400 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 B0 54 08 14 6B E9 7B 13 DC 1B D1 3A 42 72 B2"
The process taskkill.exe:444 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 4D 02 E5 EA EA 6A 5B 36 60 8E EC 39 BE A8 2B"
The process %original file name%.exe:272 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE DA 59 7E 22 02 D4 7D 32 42 F3 41 97 38 13 64"
The process 2f9e864b52474c400bd02edce6a5810a.tmp:1328 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 B0 CC 9E 77 B9 7B A9 51 05 9D C4 71 0F A5 F5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tasklist.exe:564 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 24 58 14 CF 8A 1C 08 FE 60 7D CD AB AC B6 EA"
The process tasklist.exe:1392 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 83 29 A6 33 1B 1C 60 75 54 82 04 5E 87 42 8F"
The process mbot_no_014010247.exe:1952 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED C0 45 A2 EA 1A C9 31 66 DF 79 05 23 B9 0F 87"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process upmbot_no_014010247.exe:1300 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Tutorials\updatetutorialeshp]
"Version" = "mbot_no_014010247"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Tutorials]
"HostGUID" = "649C451D-006D-4D88-B0D8-84C87E479608"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 6D 4F D8 D6 A8 73 AA 1A 52 F5 AB EC D9 B8 41"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Tutorials\updatetutorialeshp]
"MainDir" = "%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_no_014010247"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The SpyTool modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upmbot_no_014010247.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_no_014010247\upmbot_no_014010247.exe -runhelper"
The SpyTool modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The SpyTool modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The SpyTool deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process encrypt.exe:1340 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F FE 65 8A C5 9E A1 78 8B 4E 07 E6 0B 8C E0 0E"
The process encrypt.exe:592 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 65 71 32 12 49 C4 E8 87 01 C9 57 84 6E 4B D3"
The process encrypt.exe:1612 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 A6 28 26 FC BE 77 C2 BB 4A 01 8E 99 43 EB A2"
The process encrypt.exe:516 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 E7 65 6C 36 32 5A 53 32 76 9B 37 86 9A AF 02"
The process setup.tmp:340 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKCU\Software\Tutorials\updv]
"Version" = "16.02.23"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_no_014010247_is1]
"UninstallString" = "%Program Files%\mbot_no_014010247\unins000.exe"
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Tinstalls]
"20160224" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_no_014010247_is1]
"QuietUninstallString" = "%Program Files%\mbot_no_014010247\unins000.exe /SILENT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_no_014010247_is1]
"Inno Setup: Language" = "no"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_no_014010247_is1]
"InstallLocation" = "%Program Files%\mbot_no_014010247\"
"Inno Setup: Setup Version" = "5.5.4 (a)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\TutoTag]
"OnceInstalled" = "no"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_no_014010247_is1]
"Inno Setup: Icon Group" = "MYBESTOFFERSTODAY"
[HKCU\Software\Tutorials\updatetutorialshp]
"MainDir" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_no_014010247_is1]
"Publisher" = "MYBESTOFFERSTODAY"
[HKCU\Software\Microsoft]
"Tinstalls" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 82 BE E1 35 4C 12 EB 38 85 41 86 0B 2A 66 59"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_no_014010247_is1]
"Inno Setup: App Path" = "%Program Files%\mbot_no_014010247"
"DisplayName" = "MyBestOffersToday 012.014010247"
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_no_014010247_is1]
"Inno Setup: User" = "%CurrentUserName%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mbot_no_014010247_is1]
"InstallDate" = "20160224"
[HKCU\Software\TutoTag]
"AgenceInstalledYet" = "true"
[HKLM\SOFTWARE\MYBESTOFFERSTODAY\mbot_no_014010247]
"PathInstall" = "%Program Files%\mbot_no_014010247"
[HKCU\Software\TutoTag]
"OnceInstalled2" = "no"
To automatically run itself each time Windows is booted, the SpyTool adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mbot_no_014010247" = "%Program Files%\mbot_no_014010247\mbot_no_014010247.exe"
The SpyTool deletes the following registry key(s):
[HKCU\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA848-CC51-11CF-AAFA-00AA00B6015C}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
[HKCU\Software\Microsoft\Active Setup\Installed Components]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
[HKCU\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
The process setup.exe:636 makes changes in the system registry.
The SpyTool creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 93 27 42 3D C1 68 70 0C 4B D2 17 5D 6F BF 29"
Dropped PE files
MD5 | File path |
---|---|
67ec1bca85b9e25d412c6260a1f3a540 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\mbot_no_014010247\upmbot_no_014010247.exe |
4a947f7a42c04346eb1d1d88fff9a702 | c:\Program Files\mbot_no_014010247\mbot_no_014010247 - uninstall.exe |
1fe8380e8fd3e47926f6d5d8662c8478 | c:\Program Files\mbot_no_014010247\mbot_no_014010247.exe |
c785d8b8ee601622de8b7f013cca98ab | c:\Program Files\mbot_no_014010247\mybestofferstoday_widget.exe |
75003d65884e335b2a78514ec8433e41 | c:\Program Files\mbot_no_014010247\predm.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:1552
taskkill.exe:1400
taskkill.exe:444
%original file name%.exe:272
2f9e864b52474c400bd02edce6a5810a.tmp:1328
tasklist.exe:564
tasklist.exe:1392
mbot_no_014010247.exe:1952
upmbot_no_014010247.exe:1300
encrypt.exe:1340
encrypt.exe:592
encrypt.exe:1612
encrypt.exe:516
setup.tmp:340
setup.exe:636
- Delete the original SpyTool file.
- Delete or disinfect the following files created/modified by the SpyTool:
%Documents and Settings%\%current user%\Local Settings\Temp\is-2RM17.tmp\2f9e864b52474c400bd02edce6a5810a.tmp (3780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\idp.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\setup.exe (654387 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-AJQR7.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_no_014010247\mbot_no_014010247\1.10\cnf.cyl (269 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@prof.youandmeandmeandyouhihi[1].txt (231 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@youandmeandmeandyouhihi[1].txt (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_no_014010247\upmbot_no_014010247.cyl (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\predm.exe (3300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mbot_no_014010247.exe (20219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\upmbot_no_014010247.exe (16156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mybestofferstoday_widget.exe (16647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-MMSKC.tmp (2321 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\MYBESTOFFERSTODAY\MyBestOffersToday.lnk (837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\encrypt.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-FFGNK.tmp (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_no_014010247\upmbot_no_014010247.exe (22575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mbot_no_014010247.7z (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\CheckProc.cmd (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-7LEL7.tmp (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\idp.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-5KA43.tmp (8657 bytes)
%Program Files%\mbot_no_014010247\unins000.dat (35465 bytes)
%Program Files%\mbot_no_014010247\mbot_no_014010247.exe (29430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\ex.bat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\mybestofferstoday_widget.7z (7971 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\upmbot_no_014010247.7z (7433 bytes)
%Program Files%\mbot_no_014010247\mybestofferstoday_widget.exe (23404 bytes)
%Program Files%\mbot_no_014010247\predm.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\is-KCQUJ.tmp (7433 bytes)
%Program Files%\mbot_no_014010247\is-DP063.tmp (28787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-10M1U.tmp\predm.7z (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-47LIN.tmp\setup.tmp (6319 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"upmbot_no_014010247.exe" = "%Documents and Settings%\%current user%\Local Settings\Application Data\mbot_no_014010247\upmbot_no_014010247.exe -runhelper"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mbot_no_014010247" = "%Program Files%\mbot_no_014010247\mbot_no_014010247.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name: MyBestOffersToday
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: MyBestOffersToday Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40240 | 40448 | 4.59679 | c3bd95c4b1a8e5199981e0d9b45fd18c |
DATA | 45056 | 592 | 1024 | 1.90742 | 1ee71d84f1c77af85f1f5c278f880572 |
BSS | 49152 | 3724 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 11264 | 11264 | 3.14703 | 86384a97e0453cb56499ecc334d6f61b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 163
2b7b7a52efe8396b0216f4a05260ef2d
9d284e9fed9955f910eef1ae7287159d
97c94f7678fa89eb87858f8e5a7c13ab
5932f9c130120565222b600225023e41
7059a51294e236d4fc52cd0e424241bf
4bfd0d9d96cea895041cdf4b1e654631
66b59b5cb4eb3b9f42fb05d650abf687
956c81b158d392a57c94cc58b1d9b96b
c84ece819a6175620d08eacc6851084d
2331123d3fc0308c0bc5c576566ded63
aae70780f303d40607f55afe6c40671d
e5996e0b5bdeae2492661b82c41ed663
c5ea6329994c08a6947bc53a8d7f468c
9e3305071b41c395fa799af6533f7a9c
610ed4fbad849e51346d035c8f0af609
db7804c6c3b9bddaee87754eeb036518
be41f2a70019f8d54dbf1f3ad7c6f76d
53e82bc5fee2ad1a1f2751287d719811
f70c244a1965e12409fcced19c0f23da
a10d93a8f5ecb7a4affff17751521a6d
d8478b37b2f855b5435090b481cbdf0c
1a2c205f9b6a6905620d3c462c7babc8
253c1c04e27a5fe49c4dabaefe94773a
c41947ad52f30f0423cbd088be9956a1
242b1a149e8945fe47933f0c677afff0
Network Activity
URLs
URL | IP |
---|---|
hxxp://dl.tuto4pc.com/download/trasgo/amonetize/no/setup_mbot_no.exe | |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US | 37.187.148.135 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=241818&tag=NO_AMONETIZE_INSTALL_INI | 37.59.49.202 |
hxxp://prof.eorezo.com/cgi-bin/get_protect.cgi | 37.187.148.135 |
hxxp://ads.under-myscreen.be/cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc | 188.165.239.67 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=241818&tag=NO_AMONETIZE_INSTALL_F11 | 37.59.49.202 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=241818&tag=NO_AMONETIZE_INSTALL_FIN | 37.59.49.202 |
hxxp://ads.regiedepub.com/cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=241818&tag=NO_AMONETIZE_COUNT1 | 37.59.49.202 |
hxxp://dl.tcoupichou.eu/download/trasgo/amonetize/no/setup_mbot_no.exe | 176.31.126.133 |
hxxp://prof.youandmeandmeandyouhihi.com/cgi-bin/get_protect.cgi | 37.187.148.123 |
upd.adskyforever.com | 37.187.147.141 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /cgi-bin/get_protect.cgi HTTP/1.1
x-spidermessenger-crypted: 2
x-spidermessenger-crc32: 2151785580
x-spidermessenger-length: 275
Content-Type: text/*
User-Agent: mbot_no_014010247-mbot_no_014010247
Host: prof.youandmeandmeandyouhihi.com
Content-Length: 382
Cache-Control: no-cache
ujXl2iaEv3+xg2nmk5XqjA2NDw6VcVyNE/FQ79QnF5NuKLZ9A9TPBReu5Z+wEYUxCYSUZGS3SkXsZ/j7P3K2eTgFMPeb6Ih8rrD3sgQnUWpOQzHtwM3a0qvN70X11Tn8wXI/uTWrrGEFi8o8hgrIPuuXVPm94ILh6QbZ1jjCVoUiLXMp6ydlJClXhLpxEbHvLW2K15md84KmovpNtuIJUoS522cARElLWZpMCgSUrWtqL+rQymJU9c8nHq6SfJkLiDPHK7z/70FhpMj53bU8GjqBeUyzTE76qdjF/3TiFf38F9liR4ZoEjcfIk5qEmYCpCEjoiDXv1n1NDapg7abzR0xlrnL2rorJ1LzlZdsGWE=
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 05:07:36 GMT
Server: Apache/2.2.22
x-SPIDERMESSENGER-crypted: 2
x-SPIDERMESSENGER-length: 5587
x-SPIDERMESSENGER-crc32: -1
Set-Cookie: conftime=1456290456; expires=Sun, 18 Jun 16 22:54:00 GMT; domain=youandmeandmeandyouhihi.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1456290456910151; path=/; expires=Fri, 25-Mar-16 05:07:36 GMT
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
1d2c..0NogVEVNeZU/g6fcxXpPm8L/TbLACp6qNZeGXV8m6ec/K8dk0/yY5pEI4yS2Vf5K1CwWkZ8xeq2FoHZiTq7fWERGyCAg88jpdmzVknJJbtdhSvgVLNEQZKmNKxPN3kfidqAvpGAcK8j6F9pEdtqS9Sex536OdG3GRmz081BKSA9oYuYavQMUulMlOOaoGH6n1joLbmVgRRZ3BwXZF2ngSUOK Z5fHrCUOqp9VseyX0hHzL9BWyP1MtBRzm/67oLFcqskWJAFah3UcXoxL/tgevJkBW9WnnuT 9gIcBYT1zrRg1l2tKa/8bHEsJYOeYaC3K9XQsaer8s7Pq3h8t1fnHo8osSM8R6YGTZR29q7uZ7RhDbwU7d4FZa1IfJqJ9UuV3ZbDPMSxDweal6myqzke8lZ1ozJXvMIKINi5PFukKj/lRgR2XsLU7v Ty8MC TCtAUk2VC9/qpmyCpQELE5lY/9rpnPQLsnhfQFVFopb6VcYjVo7OGj2EiyC5NN3Wr1KIpgtOLE0SCD78IcX xs5gLfxerfZomd3nDLO/Ca3PXKHcwYxiHVh5RZWqTyeMR5R zJ6GcRe4Gqy5QhCkHNL4whvHVaA5zsuoP2IEUxO0UBjvr2zrwipY KQMpYB9bLUVSahXQfXeNOQnrCQdxmvfn/PX6olddV3EIvMcAUNlO RA1ASq1uuxjX4Bch8TNZie3udkErOKi0eNrDOE46mVhIdiZ8Bk5dWBFpeKmElm0edQLtartcrjmKU3YuM2oMbc3gY8KQ5jDyajNyiCv8CU 5azAVkhgx25I7cKQA2g5Qq4ZJMMbLOsQXsdXH0xCI7OXioha kc3dKt5UVnJhBOqscR9tcXTmzhW86tXYIDRQ4iML/qRV/YBTiEfNOdIQR0ggHIU7EyKMq6hyiFV5pUBWgrPn/YepdPG6QLfhOsKKw/9Zm5E7Jm5NV6kkbJ6cl D lFi3qxK1YQ1/QYvC5LRx85ofCn5v11f3qxYXTPBuFVL7JI3zOu5VRSitMe0v ikJJzNnWJsa0DKOiFsMRzaBJfwhUYRGav3sfWnx oQZKaQDdtoJQ8MthrJvRB1GNu6Ep3jo9nIyQt0kHCnB6KODUnEq1CFhGkf5sKwzpi37kLqzWd4PRGCBbNuKwNZut2L729IErdwp0KOiy3EqTGFntwhTbISLDj47diF03hd Ovu3RhMyRwto0N6/Bt3r5fKhxE3TDCduBYBi3aBXV5z27h1MfBq2cZ0u/oafyAwaehC/ iVfMH4sM6O8cjiLSm0GG5v9cSmlfjUK/Q9RCNHCtYwWa9CRzbBWiaMEiDOph/1NnCWCXCbq96vWIDZHyjS2A6quAHn3vF6fB5xzDS8MzSryAAzwynisms5gDKe2HrSuLlPulAUk2xky6pAybWM5Iv6b6y7gPTcFm Zfyadtqd6c8WF CmBVXSKJDVwc90WPnKk6zjXahqrV60sI2xRvKoFy1tDp0V3mP2atiz6LWjvqet6xid/ofs52uvwFMuAeb67g5R0l6
<<< skipped >>>
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=241818&tag=NO_AMONETIZE_COUNT1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 05:07:39 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Wed, 24 Feb 16 05:07:00 GMT
Set-Cookie: _c4aid=9CE92E46868C4599B020CB21C604A634; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=9CE92E46868C4599B020CB21C604A634,1456290459.59003; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 241818);......0..
HEAD /download/trasgo/amonetize/no/setup_mbot_no.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.4
Host: dl.tcoupichou.eu
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 05:07:26 GMT
Server: Apache/2.2.16
Last-Modified: Tue, 23 Feb 2016 11:31:37 GMT
ETag: "5680184-4fccd2-52c6e4ad43840"
Accept-Ranges: bytes
Content-Length: 5229778
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Content-Type: application/x-msdos-program
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=241818&tag=NO_AMONETIZE_INSTALL_INI HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 05:07:32 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Wed, 24 Feb 16 05:07:00 GMT
Set-Cookie: _c4aid=7D5A31649EDB44CB8BFD2F4DA30F16F0; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=7D5A31649EDB44CB8BFD2F4DA30F16F0,1456290452.38778; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 241818);......0..
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=241818&tag=NO_AMONETIZE_INSTALL_FIN HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 05:07:39 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Wed, 24 Feb 16 05:07:00 GMT
Set-Cookie: _c4aid=FB6A9E34873441DBA6DCED8257E657BA; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=FB6A9E34873441DBA6DCED8257E657BA,1456290459.35287; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 241818);......0..
GET /cgi-bin/get_protect.cgi?checking=true&version=gmsd_us_233&forceGEO=US HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: prof.eorezo.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 05:07:32 GMT
Server: Apache/2.2.22
x-eorezo-crc32: -1
x-eorezo-crypted: 1
x-eorezo-length: 518
Set-Cookie: conftime=1456290452; expires=Sun, 18 Jun 16 22:54:00 GMT; domain=eorezo.com; path=/;
Set-Cookie: EoRezo=194.242.96.218.1456290452201993; path=/; expires=Fri, 25-Mar-16 05:07:32 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain
2c0..Xg8nssf/4H10OdRv/PBlQCyF9RkAzpy/PPG8paJnu rCw3mAaqFpX2 ZKEgbMMA2htCshaMIPoMPkSppoNIfvqD ZyWxTIl1LyUx8yWjlHHNhn1WF5uF0H6qLM uZMwkTiGldZX5iSj uCsroOrbj/qdFgfbU9hmNOF2lZWiRA4D1nmKWD56o30N03aMe cM TaH0Zt8tkkpVIrV86sjShA2ibI4frmimtvqttCmZq2iOlFsKeYNJxrj/jP12cx2lA7NiBrk4PKXXug7tpKb65atNqDRlvUKKAF9c9zPzn4F2eh8GAfVbPOtZhSf/o/50RLSfemcISdhtiO8gTINReeSoYdUAqhmbrscZPjwnJCjKfgrUbQCV1J0DBwv2J mQsGJZQH4xDticU8Aw3zUoh3vFhu1Wg3CUqlkPjaoTHyfoXpQMPgXLOCXbzPycQALj/NcItWUUrMNRe kdxupcMSmzSHn16GeijVpGI2dQa/juz144orWBgJPBykvLeKhSehNhsiyfmG2qlyYJyaKPpwIP8Ld2hNAd3pKZkUo1sdcsjhiqnu2woViVspCd50MiwLGd 6ZNaVvp7dIz5N800IY2 c8MdBkmCCIjPfN7rJdUfS00HI6F6OyOhf/VuhDRvdbav2FyNg8YiO8SSJTMcHvBPLlr1ctvPqmVZn9cVKSBUaSWwKWNPAKBnmeosYM..0..
GET /download/trasgo/amonetize/no/setup_mbot_no.exe HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.4
Host: dl.tcoupichou.eu
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 05:07:26 GMT
Server: Apache/2.2.16
Last-Modified: Tue, 23 Feb 2016 11:31:37 GMT
ETag: "5680184-4fccd2-52c6e4ad43840"
Accept-Ranges: bytes
Content-Length: 5229778
Keep-Alive: timeout=15, max=200
Connection: Keep-Alive
Content-Type: application/x-msdos-program
MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..............................P...................................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.............@......................@..P..................................................................................................................................................................string................<.@.....m.@..........)@..(@..(@..)@.....$)@..Free..0)@..InitInstance..L)@..CleanupInstance..h(@..ClassType..l(@..ClassName...(@..ClassNameIs...(@..ClassParent...)@..ClassInfo...(@..InstanceSize...)@..InheritsFrom...)@..Dispatch...)@..MethodAddress..<*@..MethodName..x*@..FieldAddress...)@..DefaultHandler...(@..NewInstance...(@..FreeInstance.TObject.@...@..% .@....%..@....%..@....%..@....%..@....%..@....%..@....%(.@....%..@....%..@....%..@....%..@....%..@....%..@....%..@....%..@.
<<< skipped >>>
GET /cgi-bin/advert/getkws.cgi?did=90068&version=0&key=azJJ.s8MVPsHc HTTP/1.1
User-Agent: mbot_no_014010247-1.10
Host: ads.under-myscreen.be
Accept: */*
Accept-Encoding: gzip, deflate
Referer:
Cookie:
Accept-Language: en,en-US
X-Guuid: 75ed9567-aa58-4c8e-a8ea-3cad7c47ab03
X-OS-Ver: 5.1.2.2600
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 05:07:37 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
X-C4PC-ServerName: ads.under-myscreen.be
Set-Cookie: _c4aid=75ED9567AA584C8EA8EA3CAD7C47AB03; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=under-myscreen.be; path=/;
Set-Cookie: _c4aid2=75ED9567AA584C8EA8EA3CAD7C47AB03,1456290457.20699; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=under-myscreen.be; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
34d..{"dids":{"90077":{"unmatch":["regiedepub.com|directrev.com|under-myscreen.be|eorezo.com|regiedepub.com"],"match":[{"u":0,"m":"xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter|youtube"},{"u":0,"m":"youtube|yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit"},{"u":0,"m":"ebay|xvideos|imbd|instagram|netflix|craigslist|kickass|td|thepiratebay"},{"u":0,"m":"yahoo|live|wikipedia|bing|msn|amazon|tumblr|royalbank|reddit|ebay"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"},{"u":0,"m":"xhamster"},{"u":0,"m":"xhamster|http|fa|go|yah|hot|twit|blog|msn|apple|facebook|google|twitter"},{"u":0,"m":"pinterest|apple|ask|microsoft|bmo|wordpress|cibc|paypal|baidu|cbc"}]}},"freeze":3600,"refresh":3600,"version":118115}..0..
GET /cgi-bin/advert/settags?x_mode=args&x_format=javascript&x_dp_id=1203&x_pub_id=241818&tag=NO_AMONETIZE_INSTALL_F11 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: ads.regiedepub.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 24 Feb 2016 05:07:39 GMT
Server: Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
Content-Location: settags.cgi
Vary: negotiate
TCN: choice
Cache-Control: no-store, no-cache, must-revalidate
X-C4PC-ServerName: ads.regiedepub.com
P3P: policyref="hXXp://ads.regiedepub.com/w3c/p3p.xml",CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
Expires: Wed, 24 Feb 16 05:07:00 GMT
Set-Cookie: _c4aid=7B919E75043549E9A6AA83B02F3C0DED; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=regiedepub.com; path=/;
Set-Cookie: _c4aid2=7B919E75043549E9A6AA83B02F3C0DED,1456290459.23715; expires=Mon, 22 Aug 16 05:07:00 GMT; domain=regiedepub.com; path=/;
Connection: close
Transfer-Encoding: chunked
Content-Type: text/javascript
41.......if (window.rdp_callback).....rdp_callback(1203, 241818);......0..
Map
The SpyTool connects to the servers at the following location(s):
Strings from Dumps
upmbot_no_014010247.exe_1300:
.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
SSSSh
u$SShe
tWSShW
tl9_ tgSSh
t'SShl
j%XtL9E
FtPW
SSh@B
u.SSh
tsSSh
FTCP
t.WWWSP
tAHt.HHt
FTPS
u)SShF
s%j.Zf
xSSSh
FTPjKS
FtPj;S
C.PjRV
LookupPrivilegeValue error: %u
?456789:;
!"#$%&'()* ,-./0123
ntdll.dll
RegSetKeySecurity error! (rc=%lu)
Key not found.
Error opening key.
%%X
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N, \U, or \u
support for \P, \p, and \X has not been compiled
(*VERB) with an argument is not supported
!"#$%&'((()* ,-./01
CNotSupportedException
CCmdTarget
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
CFtpFileFind
CHttpConnection
CFtpConnection
CHttpFile
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CHotKeyCtrl
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
operator
portuguese-brazilian
qR.Rd
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Error %d: Could not begin update of %s
Error %d: Updating resource
!"#$%&'()* ,-./:;?@[\]^_`{|}~
C:\Users\Blqck\Desktop\new cbc eop\appbuilder_2.0_multiinstall\Release\temp.pdb
IPHLPAPI.DLL
PSAPI.DLL
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
KERNEL32.dll
GetKeyState
SetWindowsHookExW
CreateDialogIndirectParamW
UnhookWindowsHookEx
MsgWaitForMultipleObjectsEx
GetAsyncKeyState
MapVirtualKeyW
GetKeyboardLayout
GetKeyboardState
GetKeyNameTextW
MapVirtualKeyExW
EnumChildWindows
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
MSIMG32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExW
RegUnLoadKeyW
RegLoadKeyW
RegSetKeySecurity
RegEnumKeyExW
RegDeleteKeyW
RegCreateKeyExW
RegQueryInfoKeyW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
COMCTL32.dll
UrlUnescapeW
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
OLEACC.dll
HttpQueryInfoW
HttpSendRequestW
HttpOpenRequestW
InternetCrackUrlW
InternetCanonicalizeUrlW
FtpDeleteFileW
FtpRenameFileW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpSetCurrentDirectoryW
FtpGetCurrentDirectoryW
FtpPutFileW
FtpGetFileW
HttpAddRequestHeadersW
HttpEndRequestW
HttpSendRequestExW
FtpOpenFileW
FtpCommandW
FtpFindFirstFileW
InternetOpenUrlW
WININET.dll
GdiplusShutdown
gdiplus.dll
IMM32.dll
WINMM.dll
.?AVCCmdTarget@@
.?AV?$CArray@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@ABV12@@@
.PAVCFileException@@
.PAVCInternetException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCCmdUI@@
.PAVCArchiveException@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.?AVCFtpFileFind@@
.?AVCFtpConnection@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0EA@@ATL@@
.?AVCToolCmdUI@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AVCKeyboardManager@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@
.?AVCMFCWindowsManagerDialog@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAUHMENU__@@PAU3@@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCStatusBarCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCHotKeyCtrl@@
.?AVCMFCRibbonKeyTip@@
.?AVCOleCmdUI@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCRibbonKeyboardCustomizeDialog@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
.PAVCOleDispatchException@@
zcÃ
X?CCAettVKxxN_ddnFWWvS00M;CCviXXVIooHoIIJaQQfnFFP/mmH(XXewwwsitt8%ttH)jjM)mm4AggA'oo3F66o%wwvZddCemmpello5mmrxNN8%SSp\gg8OCCzZNNI#wwZ:xxroSSxduuRuuuGZooH_nn3~jjaRCCv(992=llvQoo6\bbN-66W'xxG6HH2UggG"FF1Hjjrzgg2~QQNTLLV)QQvvllq;ppGGddV=nn3}uu2dxxpXqqvQmmp!ggjDwwK*ddx*kkeCSSAIWWB,ddPBbb1cddm/ooZVdda}pp1j0060SSA%LLADww2yLLn5xxe/lly&mm1KXXB"SS3sjjg0nndHLLh_wwrgggoWwwKQgg2hbb4nVVH(uu47qqW3ppx7nny9SSp/ee2hXXNuooAikkc}wwACxxdfC-ttv]VVk8mm3vVVptSSG:XXIwwZ>CCpgNNp\pp4-llU&vvJqLL3BQQsYwwHImmx5ddmknnc7llGSooZkjjvyjjHgIIR7ppJl66ZQXXmOxxVHSSc*LLjQoocpllomkkvZRR6qkke?99E2nnpUXXL(SSf.RRI-oocqqecuur[LL5MSSf100qnppN xxV"ttBAEEBahhN#VVkOwwKYXXO{CCK}VVU%SSpFxxl1xxH;NNn/oovXdd3vXXp/NN3]xxe|55BykkBSggyjuuz uu6/mmwKllKyggcGFFN~CCH@nnYrmmfqxxi=bbc;jjwixxH`NNB.ttcFNN6ammruNNVZmmcgqqW5oowfllt_ggw3XXC/ccG5VV3evvzpee6qQQf3xxuUvvxDggginn1pqqb~uudddd1Moo4RuuVjWW1FIIyVCCx0nny~kkwt00Cjxxe?EEN-XXrulltgvvHyIIwrWWNQww6vuu1/jjU`QQAgllTjuufrIILWXXcEjjUYllf"33YASSzxaaAWlleIRR2VppG.VVVBvvG&NNnPggx!llj/SSZ:NN3)oo3.VVfzhhHdIIAzjjfYnnzTggHpRRuqxxvSIIwrccJaXXA uuZ[NNZ$ppeEnnzDwwdDLLA(uuBMww5HQQv'gg4vbbH1nn6SmmwLggoBoo2r00O|XXzSXXJ(QQz"jj6wvvmKnnq6XX3@wwE_mm4kXXv8llJ,xxxMWWw@00Ilxx3$ggluppv$00WbSSG9nnySjjB'LLlwjjxwxxfhhhGbggL ppzExxl6llHqIIG;mmB nnj:WWK9jj2#bbm^llTuSSfCFFV\xxZ.VV58wwv3HHPZmmeSddqdwwHjNNf0XXrqddx-wwz^NNewxx1ASSH6uuf;uuV0kkv,VVZImme3xxwFCCcgttJajje7xxx@WWZ>VVT)ccKgee6^wwcFLLEcll2QNNedxxJxbb3Puu2PbbZFWW4kqqGDllpjllC?nnvFVVRrXXp~XXM/ggx9LLP0ggN#qqz,mm12qqM3oo4HFFHDggwJxxK]XXZVqqE\jjHkqqcTnnphXX5App4 NNkCllGdxxp,QQdxLLlpppv@VVH,jjwLggH/wwJ7llG9jjZgbbZdccKXqqcqXXHaqqzESSrfjjiemm1Sqq2Pmmvk66TollJ;EEHhll37oo6awwHcllmIXXvKFFV\wwrQLL1)ppd&nnxmpp13uuE|SSrDFFJ8xx2x00PIww4"jju/QQHHIItIWWw`IINBhhH(llG`xxN$VVRRXX1(XXPZxx26UU6^CCvT33t|XX4iuuV2bbG2llm*mm2gllYihhJ}ddz 
SSKVxxt!XXd9HHATSSdiNNxcooJ^dd2oppfrFF3zXXr]xxcrmm3BNNvPWW2^NNcfQQ3qNNG`XXr0NNi5SSJTRRMzQQ1O66j8oorruuHGwwp>jjo-bb34LLAVkkdjjoAnnGiVV3SWWK^nnBqooZCttJ]wwm*ddftggw(IIa#vvJ]nnc2bb2uddRtxxGyddkYggs3ooV|WWr6ddjcXXG8bbHjQQGZjj53nn1#66qjvvxqXX55llKjee5[QQviuuZ>nnz:ddR1vvwt00L;ppr0jjdWXXNsHH1BxxeIXXPnSSz`NNz_jj3^LLtojj1"XXiDuumdwwE&ppA]oo3]SS3B66p@nn2\nnmOxxdRll3*ll3?VV2uggB-ttU ttGsXXsYxx2qttV[uuc5ooV0jj3allIpWWs?ooV:nns4tt8ettNaNNY]ppJ9ggKWmmHZRRN|SSdyNNpUttcQuu1uWWeoof9NNCemmA1ddf5XXpGqqJIwwK0ddPEbbNq66b}wwxLVVZwbb1/jjakccJ ddgqbbGEVV1ittBWEEB;oow9LLc~QQd?LLI*ppJ0RR3WxxHNIIw>QQrgVVd=nnr'ddBTppNAddUqQQB7tt8'ttHyxxU}vvHRNNNFpp4uLLi:WWr%ttJ\llr4LLACxxH%qqTyllB7dd6:oo3^ggwcbbw^556lCCH&ggi%wwzdnnBpjjKMqqB0xxcTXX4bmmJ XXf#xxNGXXzkSSvwxx8VWWvYbbR{ppc!xxPqbbKGVVU8mmv=RRmqxxZ0VVPdxxzKqqz"vvv&SS6ZllcYqqy/nnZ@xxU$ooHZXXz&bbvCVVv^xxcznnR!uur(qqE*nnfI33HwwwdbnnyAxx3fNNvTQQw[00VkmmvoVVg7bbJTNNiJooeSnnzbWWN]XX8 uuG.qqtPhhG@XXvBQQx/ggKkWWdWeeZ~WWwtnnfAnnHTxx4@jjv}IIrJmmZnnnV.SSpnddVkggvcLLy2pp4_jjE^xxp*llk{XX1,66r\WW2]00B{QQf*VVO'pp1Allc[xxw!33mIood3ggO%XXrvggPjwww/00KPCCJyttAxggJBIIViwwwDllgvuux-nnB,mm23ddv[XX3Mggi"QQN[qqGtggp;ttNTSS46LLnQggBJll6GxxxVjjummmKVVN,ppHQggLlll1yXXK{nnw8NNt"oo1`11Ruoo3IaaJ|xxv!XXTlCCesnnZ3jjJ7NNP^jjH}993aggK?xxWQggc.dd1Zlls/nnWYQQd966Ipuup ooR^XXHBXXErmmer00wOSS1Jnns=bbv)RRHullzXooADuuNtllrZttwpXXf0WWN:jj36SSJuxx5.ccHMxxMICCcOVVzWnnd'jjjPvvw>bbBgyysfggu(ppx-XXslllJ1eeZIggvgjjyUbb3oNNEkvvereeV/mmHlXXM>QQw]XXb2bbAPtt84ttNVnnJsmmxIqqapXXpVll1tnn1/LLonoom>xxnGQQpLxxU&ttv3RRuykksKxxaoCCzhxxZ)xxK9SSArggH|qqPKllm?LLaSmmp)ggsYooHoNNAQjjpZFF6.jjfyggg!xxzaVVj@XXvzXXJrWWrKddMkSSs1llq%gge ggAHWWf'llEwhhBQnnxVXXp dd2Zll2|jjx"nnfFgg5iQQ2MIILVmmwCRRJXnnmTxxvnwwHujjcOQQw2jjjUwweZ0032bb3bqq6CCCc4xxf0SSwrggc'jjrBXXE3XXv>VVA%jjve00o~ppH.NN6wuuJbxxq\ooAuttU$ttN)gg4.jjB;nnkqxxfpllM^vvfeIIY]uuN/ggUyggH*66tXXX1LMM6VggKRddEHttGZMMB0SSHLggW5nnHqbbNvnnw`00e-oo3yxxu/xxBZxxWyoox\VVg$pp3F66icCCJQ00vhooH0eeV;nnA0xx3nWWexxajjjxTLLN&xxJ