HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.MSIL.Kryptik (A) (Emsisoft), Trojan.Generic.15951172 (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0a7f951ad89c0b63b4eaaaebc8685beb
SHA1: c09236a89dc1b76926a35c4d42cfc8dcb0485325
SHA256: 50ddfc2c1a3d294f7b3d5cccf4b6f17749f9fbcadbafe11b931e060775e3454f
SSDeep: 24576:QZng/g9fV8RAYibFYbnOUQYDicjvFN8lA9:Q8jOUZZo
Size: 1011184 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PMW1 Executable Image using DOS Extender, Microsoft Visual C, .NET executable, UPolyX v05_v6
Company: no certificate found
Created at: 2016-03-09 23:09:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
msdcsc.exe:2344
msdcsc.exe:1160
msdcsc.exe:1980
msdcsc.exe:1472
msdcsc.exe:1500
attrib.exe:616
attrib.exe:1796
%original file name%.exe:868
%original file name%.exe:1432
%original file name%.exe:972
%original file name%.exe:2280
%original file name%.exe:556
%original file name%.exe:1932
%original file name%.exe:1388
%original file name%.exe:2032
%original file name%.exe:544
%original file name%.exe:652
%original file name%.exe:2008
The Trojan injects its code into the following process(es):
msdcsc.exe:2360
notepad.exe:1196
%original file name%.exe:2300
%original file name%.exe:2388
Explorer.EXE:532
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
File activity
The process msdcsc.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp6.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (64 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp6.tmp (0 bytes)
The process msdcsc.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (64 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (0 bytes)
The process notepad.exe:1196 makes changes in the file system.
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
The process %original file name%.exe:972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe (7385 bytes)
%System%\drivers\etc\hosts (174 bytes)
The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (3 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (312 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (39 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (0 bytes)
The process %original file name%.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)
The process %original file name%.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (0 bytes)
The process %original file name%.exe:2032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (0 bytes)
Registry activity
The process msdcsc.exe:2344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 4C 0E 29 19 5E 6D C8 1C B6 7E 03 9D DB 53 E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
User account control (UAC) is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Firewall notifications are enabled:
"DisableNotifications" = "0"
The process msdcsc.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 FE 78 48 55 8E 8A 6E B5 DD 76 6C D6 5F 66 61"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
User account control (UAC) is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Firewall notifications are enabled:
"DisableNotifications" = "0"
The process msdcsc.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 E2 4D A5 61 F6 0D 1F C3 DF C2 AE 07 19 70 05"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process msdcsc.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 54 26 BC E9 14 5D E1 A2 04 5A BC E1 34 16 8B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process msdcsc.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 82 A4 42 27 D0 08 93 7F 15 FF 4A 00 06 0B D1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process msdcsc.exe:2360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 AF B4 59 3C 75 4E 54 7F FE 0D 91 49 7F 35 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process attrib.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 7A 5E 81 D6 10 FC 3C A5 74 FA FA 29 A7 43 81"
The process attrib.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 42 EF EE 87 19 BD 0A A4 D6 F9 64 67 F5 FE CE"
The process notepad.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 2E 68 C0 D0 B1 2D 91 5E 79 70 93 62 4D 78 D7"
The process %original file name%.exe:868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 A3 4D B2 4D A3 08 FD 21 E4 F1 74 CB ED 00 5A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A C2 50 41 EF AC 7F 8B 8F 3C 51 F4 A6 7B 54 A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
User account control (UAC) is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Firewall notifications are enabled:
"DisableNotifications" = "0"
The process %original file name%.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD BC 0E 3E 75 86 A3 75 1A 15 91 EC 3B 86 45 7B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\MSDCSC]
"msdcsc.exe" = "Хост-процесс для служб Windows"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
The process %original file name%.exe:2280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 7D FF 61 15 65 F0 F0 D7 73 C7 78 13 2A A5 A0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
User account control (UAC) is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Firewall notifications are enabled:
"DisableNotifications" = "0"
The process %original file name%.exe:2300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 47 0A 31 AC 36 9F 1B F0 13 48 1B 44 6D F5 44"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 00 D8 80 16 45 0F B3 06 C9 7F D6 F7 08 38 62"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 5B 3A E3 17 90 BA 08 6C 04 C7 7A 1D 9F B7 A4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 80 BB 71 C0 52 F4 50 80 D0 7C 0D CB 22 C3 2C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 E2 82 EE 84 6E 57 76 DE 2B 90 5D D7 6A 25 D7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 22 9A B7 05 D7 07 CE 43 40 D8 D5 62 86 A7 8E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:2388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 70 E7 6E 21 18 75 B0 0E 4A D9 91 51 47 BF D7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 28 AB 7D 06 6C FF 02 B4 72 EE 39 31 CC 5B B4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 84 BE 6F 5B C3 67 9D AD 85 05 D9 7D 49 CB 6F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
User account control (UAC) is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
A firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Firewall notifications are enabled:
"DisableNotifications" = "0"
Dropped PE files
MD5 | File path |
---|---|
7b78ae35d99b0d3b288457a1dc2f69f4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp1.tmp |
7b78ae35d99b0d3b288457a1dc2f69f4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp2.tmp |
7b78ae35d99b0d3b288457a1dc2f69f4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp3.tmp |
7b78ae35d99b0d3b288457a1dc2f69f4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp4.tmp |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before any DNS lookup is made. The modified file is 174 bytes in size. The following entries are added to the hosts file:
127.0.0.1 | store.steampowered.com |
127.0.0.1 | www.store.steampowered.com |
127.0.0.1 | steamcommunity.com |
127.0.0.1 | www.steamcommunity.com |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
msdcsc.exe:2344
msdcsc.exe:1160
msdcsc.exe:1980
msdcsc.exe:1472
msdcsc.exe:1500
attrib.exe:616
attrib.exe:1796
%original file name%.exe:868
%original file name%.exe:1432
%original file name%.exe:972
%original file name%.exe:2280
%original file name%.exe:556
%original file name%.exe:1932
%original file name%.exe:1388
%original file name%.exe:2032
%original file name%.exe:544
%original file name%.exe:652
%original file name%.exe:2008
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\tmp6.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe (7385 bytes)
%System%\drivers\etc\hosts (174 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (312 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (67 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: Хост-процесс для служб Windows
Product Version: 6.1.7600
Legal Copyright: (c) Корпорация Майкрософт. Все права защищены.
Legal Trademarks:
Original Filename: ES-Tournament.exe
Internal Name: ES-Tournament.exe
File Version: 6.1.7600
File Description: Хост-процесс для служб Windows
Comments: Хост-процесс для служб Windows
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 970196 | 970752 | 4.18193 | d516d161bc9a14e09a9544c9dc451184 |
.rsrc | 983040 | 13008 | 16384 | 4.66247 | 352ef988fb1565ad1629ec469b2f2169 |
.reloc | 999424 | 12 | 4096 | 0.011373 | c63e864848cafed25e56cacead0b930d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 212.30.134.169 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 212.30.134.169 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 07 Apr 2016 05:00:53 GMT
Accept-Ranges: bytes
ETag: "6ed085768a90d11:0"
Server: Microsoft-IIS/8.5
VTag: 279473926300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Wed, 11 May 2016 10:07:36 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 28 Apr 2016 05:01:36 GMT
Accept-Ranges: bytes
ETag: "90eba3aba1d11:0"
Server: Microsoft-IIS/8.5
VTag: 791899806300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Wed, 11 May 2016 10:07:37 GMT
Connection: keep-alive
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
notepad.exe_1196:
.text
`.data
.rsrc
comdlg32.dll
SHELL32.dll
WINSPOOL.DRV
COMCTL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
notepad.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
notepad.pdb
t%SSh
_acmdln
RegCloseKey
RegCreateKeyW
RegOpenKeyExA
SetViewportExtEx
GetKeyboardLayout
name="Microsoft.Windows.Shell.notepad"
version="5.1.0.0"
Windows Shell
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
&*$#$$#$*
MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM
*.txt
/.SETUP
Text Documents (*.txt)
5.1.2600.5512 (xpsp.080413-2105)
NOTEPAD.EXE
Windows
Operating System
5.1.2600.5512
notepad.hlp
You cannot quit Windows because the Save As dialog
dialog box, and then try quitting Windows again.
Common Dialog error (0xx)
Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.
Not a valid file name.MCannot create the %% file.
Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.
Page %d
Ln %d, Col %d
notepad.exe_1196_rwx_000A0000_00001000:
kernel32.dll
notepad.exe_1196_rwx_000B0000_00001000:
user32.dll
notepad.exe_1196_rwx_00150000_00001000:
c:\%original file name%.exe
Explorer.EXE_532_rwx_00EE1000_0002C000:
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÃ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Explorer.EXE_532_rwx_020A1000_0002C000:
(strings identical to the Explorer.EXE_532_rwx_00EE1000_0002C000 region above)
Explorer.EXE_532_rwx_02391000_0002C000:
(strings identical to the Explorer.EXE_532_rwx_00EE1000_0002C000 region above)
Explorer.EXE_532_rwx_02401000_0002C000:
(strings identical to the Explorer.EXE_532_rwx_00EE1000_0002C000 region above)
Explorer.EXE_532_rwx_029B1000_0002C000:
(strings identical to the Explorer.EXE_532_rwx_00EE1000_0002C000 region above)
Explorer.EXE_532_rwx_02AF1000_0002C000:
(strings identical to the Explorer.EXE_532_rwx_00EE1000_0002C000 region above)
Explorer.EXE_532_rwx_02B61000_0002C000:
(strings identical to the Explorer.EXE_532_rwx_00EE1000_0002C000 region above)
Explorer.EXE_532_rwx_02BD1000_0002C000:
(strings identical to the Explorer.EXE_532_rwx_00EE1000_0002C000 region above)
Explorer.EXE_532_rwx_02C51000_0002C000:
(strings identical to the Explorer.EXE_532_rwx_00EE1000_0002C000 region above)
Explorer.EXE_532_rwx_02CC1000_0002C000:
(strings identical to the Explorer.EXE_532_rwx_00EE1000_0002C000 region above)
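The dumps above carry the most useful triage signal on this page. Every one of the writable-and-executable (rwx) regions of Explorer.EXE (PID 532) holds a complete PE image (section names .text, .rdata, .data, .rsrc, .reloc are all present) together with a debug path, C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb, that names a project called Shield built under a user account Delirium; explorer.exe itself would never carry that path, so each region is an injected module, and the two Temp file names \432fggqdd.txt and \4fggqdd.txt sit inside it. notepad.exe (PID 1196) shows the contrast: its main image lists notepad.pdb, the path a Microsoft build of Notepad legitimately embeds, while its small rwx regions contain no PE headers at all. The script below is an added example by the editor, not code from the Lavasoft report; it automates that comparison over a constructed subset of the strings listed above, keeping the report's doubled lines and region-name convention. The verdict labels and the rule that three or more section names count as a PE image are this example's own assumptions.

```python
"""Flag dumped memory regions that carry a foreign PE image (process injection triage).

Added example by the editor, not code from the Lavasoft report. REGIONS is a
constructed subset of the strings listed in the report, keeping its doubled
lines and its <process>_<pid>[_<prot>_<base>_<size>] region names. The verdict
labels and the "at least three section names" threshold are this example's
own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

REGION_NAME = re.compile(
    r"^(?P<proc>[^_]+)_(?P<pid>\d+)"
    r"(?:_(?P<prot>[rwx-]{3})_(?P<base>[0-9A-Fa-f]{8})_(?P<size>[0-9A-Fa-f]{8}))?$"
)
# A debug path, with or without its directory ("notepad.pdb" or "C:\...\Shield.pdb").
PDB_PATH = re.compile(r"(?:[A-Za-z]:\\[^\r\n]*?)?[\w-]+\.pdb\b", re.IGNORECASE)
# A backslash-prefixed file name at the end of a string ("\432fggqdd.txt").
FILE_NAME = re.compile(r"\\([\w% .-]+\.(?:txt|exe|dll))$", re.IGNORECASE)
PE_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc"}


@dataclass
class Finding:
    region: str
    process: str
    pid: int
    protection: Optional[str]
    pe_image: bool
    pdb_paths: List[str]
    foreign_pdb: bool
    file_names: List[str]
    verdict: str


def dedupe_adjacent(strings: List[str]) -> List[str]:
    """Collapse the doubled lines in the dump (each string is printed twice in a row)."""
    out: List[str] = []
    for s in strings:
        if not out or out[-1] != s:
            out.append(s)
    return out


def section_names(strings: List[str]) -> Set[str]:
    """PE section names present; the dump glues a stray characteristics byte onto some ('`.rdata')."""
    return {s.lstrip("`@") for s in strings if s.lstrip("`@") in PE_SECTIONS}


def stem(path: str) -> str:
    """Lower-cased file name without directory or extension: 'C:\\x\\Shield.pdb' -> 'shield'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage_region(name: str, strings: List[str]) -> Finding:
    m = REGION_NAME.match(name)
    if m is None:
        raise ValueError(f"unrecognised region name: {name}")
    strs = dedupe_adjacent(strings)
    pe_image = len(section_names(strs)) >= 3
    pdb_paths = sorted({p for s in strs for p in PDB_PATH.findall(s)})
    # A PDB whose project name differs from the host executable's is the tell-tale of an injected module.
    foreign_pdb = any(stem(p) != stem(m["proc"]) for p in pdb_paths)
    file_names: Set[str] = set()
    for s in strs:
        hit = FILE_NAME.search(s)
        if hit:
            file_names.add(hit.group(1))
    if pe_image and foreign_pdb:
        verdict = "injected-module"
    elif pe_image:
        verdict = "host-image"
    elif m["prot"] == "rwx":
        verdict = "rwx-stub"      # writable+executable but no PE headers: loader or shellcode candidate
    else:
        verdict = "unremarkable"
    return Finding(name, m["proc"], int(m["pid"]), m["prot"], pe_image,
                   pdb_paths, foreign_pdb, sorted(file_names), verdict)


def triage(regions: Dict[str, List[str]]) -> List[Finding]:
    return [triage_region(n, s) for n, s in regions.items()]


# Constructed subset of the report's listing (doubled lines kept as the report prints them).
REGIONS: Dict[str, List[str]] = {
    "notepad.exe_1196": [
        ".text", ".text", "`.data", "`.data", ".rsrc", ".rsrc",
        "notepad.pdb", "notepad.pdb", "NOTEPAD.EXE", "NOTEPAD.EXE",
    ],
    "notepad.exe_1196_rwx_00150000_00001000": [
        "c:\\%original file name%.exe", "c:\\%original file name%.exe",
    ],
    "Explorer.EXE_532_rwx_00EE1000_0002C000": [
        ".text", ".text", "`.rdata", "`.rdata", "@.data", "@.data",
        ".rsrc", ".rsrc", "@.reloc", "@.reloc",
        "\\432fggqdd.txt", "\\432fggqdd.txt", "\\4fggqdd.txt", "\\4fggqdd.txt",
        "C:\\Users\\Delirium\\Documents\\Visual Studio 2015\\Projects\\Shield\\Release\\Shield.pdb",
        "C:\\Users\\Delirium\\Documents\\Visual Studio 2015\\Projects\\Shield\\Release\\Shield.pdb",
        "%WinDir%\\Explorer.EXE", "%WinDir%\\Explorer.EXE", "mscoree.dll", "mscoree.dll",
    ],
}

if __name__ == "__main__":
    for f in triage(REGIONS):
        print(f"{f.verdict:16} {f.region}  pdb={f.pdb_paths}  files={f.file_names}")
```

The PDB path is the artefact to keep from this listing: it survives recompilation of the payload far better than any hash, and the project name Shield together with the user name Delirium is what an analyst would pivot on when hunting for related builds.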