Trojan.Generic.15951172_0a7f951ad8

by malwarelabrobot on May 12th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.MSIL.Kryptik (A) (Emsisoft), Trojan.Generic.15951172 (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 0a7f951ad89c0b63b4eaaaebc8685beb
SHA1: c09236a89dc1b76926a35c4d42cfc8dcb0485325
SHA256: 50ddfc2c1a3d294f7b3d5cccf4b6f17749f9fbcadbafe11b931e060775e3454f
SSDeep: 24576:QZng/g9fV8RAYibFYbnOUQYDicjvFN8lA9:Q8jOUZZo
Size: 1011184 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PMW1ExecutableImageusingDOSExtender, MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2016-03-09 23:09:33
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

msdcsc.exe:2344
msdcsc.exe:1160
msdcsc.exe:1980
msdcsc.exe:1472
msdcsc.exe:1500
attrib.exe:616
attrib.exe:1796
%original file name%.exe:868
%original file name%.exe:1432
%original file name%.exe:972
%original file name%.exe:2280
%original file name%.exe:556
%original file name%.exe:1932
%original file name%.exe:1388
%original file name%.exe:2032
%original file name%.exe:544
%original file name%.exe:652
%original file name%.exe:2008

The Trojan injects its code into the following process(es):

msdcsc.exe:2360
notepad.exe:1196
%original file name%.exe:2300
%original file name%.exe:2388
Explorer.EXE:532

Mutexes

The following mutexes were created/opened:

ShimCacheMutex

File activity

The process msdcsc.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp6.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (64 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp6.tmp (0 bytes)

The process msdcsc.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (64 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (0 bytes)

The process notepad.exe:1196 makes changes in the file system.
The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process %original file name%.exe:972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe (7385 bytes)
%System%\drivers\etc\hosts (174 bytes)

The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (3 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (312 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (39 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (0 bytes)

The process %original file name%.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (0 bytes)

The process %original file name%.exe:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (0 bytes)

The process %original file name%.exe:2032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (0 bytes)

Registry activity

The process msdcsc.exe:2344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 4C 0E 29 19 5E 6D C8 1C B6 7E 03 9D DB 53 E4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

User account control (UAC) is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Firewall notifications are enabled:

"DisableNotifications" = "0"

The process msdcsc.exe:1160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 FE 78 48 55 8E 8A 6E B5 DD 76 6C D6 5F 66 61"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

User account control (UAC) is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Firewall notifications are enabled:

"DisableNotifications" = "0"

The process msdcsc.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 E2 4D A5 61 F6 0D 1F C3 DF C2 AE 07 19 70 05"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process msdcsc.exe:1472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 54 26 BC E9 14 5D E1 A2 04 5A BC E1 34 16 8B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process msdcsc.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 82 A4 42 27 D0 08 93 7F 15 FF 4A 00 06 0B D1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process msdcsc.exe:2360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 AF B4 59 3C 75 4E 54 7F FE 0D 91 49 7F 35 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process attrib.exe:616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 7A 5E 81 D6 10 FC 3C A5 74 FA FA 29 A7 43 81"

The process attrib.exe:1796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 42 EF EE 87 19 BD 0A A4 D6 F9 64 67 F5 FE CE"

The process notepad.exe:1196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 2E 68 C0 D0 B1 2D 91 5E 79 70 93 62 4D 78 D7"

The process %original file name%.exe:868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 A3 4D B2 4D A3 08 FD 21 E4 F1 74 CB ED 00 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A C2 50 41 EF AC 7F 8B 8F 3C 51 F4 A6 7B 54 A8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

User account control (UAC) is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Firewall notifications are enabled:

"DisableNotifications" = "0"

The process %original file name%.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD BC 0E 3E 75 86 A3 75 1A 15 91 EC 3B 86 45 7B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\MSDCSC]
"msdcsc.exe" = "Хост-процесс для служб Windows"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

The process %original file name%.exe:2280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 7D FF 61 15 65 F0 F0 D7 73 C7 78 13 2A A5 A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

User account control (UAC) is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Firewall notifications are enabled:

"DisableNotifications" = "0"

The process %original file name%.exe:2300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 47 0A 31 AC 36 9F 1B F0 13 48 1B 44 6D F5 44"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 00 D8 80 16 45 0F B3 06 C9 7F D6 F7 08 38 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 5B 3A E3 17 90 BA 08 6C 04 C7 7A 1D 9F B7 A4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 80 BB 71 C0 52 F4 50 80 D0 7C 0D CB 22 C3 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 E2 82 EE 84 6E 57 76 DE 2B 90 5D D7 6A 25 D7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 22 9A B7 05 D7 07 CE 43 40 D8 D5 62 86 A7 8E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 70 E7 6E 21 18 75 B0 0E 4A D9 91 51 47 BF D7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 28 AB 7D 06 6C FF 02 B4 72 EE 39 31 CC 5B B4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 84 BE 6F 5B C3 67 9D AD 85 05 D9 7D 49 CB 6F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

User account control (UAC) is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Firewall notifications are enabled:

"DisableNotifications" = "0"

Dropped PE files

MD5 File path
7b78ae35d99b0d3b288457a1dc2f69f4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp1.tmp
7b78ae35d99b0d3b288457a1dc2f69f4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp2.tmp
7b78ae35d99b0d3b288457a1dc2f69f4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp3.tmp
7b78ae35d99b0d3b288457a1dc2f69f4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp4.tmp

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted.
The modified file is 174 bytes in size. The following entries are added to the hosts file:

127.0.0.1 store.steampowered.com
127.0.0.1 www.store.steampowered.com
127.0.0.1 steamcommunity.com
127.0.0.1 www.steamcommunity.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: ????-??????? ??? ????? Windows
Product Version: 6.1.7600
Legal Copyright: (c) ?????????? ??????????. ??? ????? ????????.
Legal Trademarks:
Original Filename: ES-Tournament.exe
Internal Name: ES-Tournament.exe
File Version: 6.1.7600
File Description: ????-??????? ??? ????? Windows
Comments: ????-??????? ??? ????? Windows
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 970196 970752 4.18193 d516d161bc9a14e09a9544c9dc451184
.rsrc 983040 13008 16384 4.66247 352ef988fb1565ad1629ec469b2f2169
.reloc 999424 12 4096 0.011373 c63e864848cafed25e56cacead0b930d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.dscg.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 212.30.134.169
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 212.30.134.169


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 07 Apr 2016 05:00:53 GMT
Accept-Ranges: bytes
ETag: "6ed085768a90d11:0"
Server: Microsoft-IIS/8.5
VTag: 279473926300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Wed, 11 May 2016 10:07:36 GMT
Connection: keep-alive
[binary DER-encoded CRL body, 813 bytes; readable strings: Microsoft Root Certificate Authority, 160406204842Z, 160706090841Z]



GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 28 Apr 2016 05:01:36 GMT
Accept-Ranges: bytes
ETag: "90eba3aba1d11:0"
Server: Microsoft-IIS/8.5
VTag: 791899806300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Wed, 11 May 2016 10:07:37 GMT
Connection: keep-alive
[binary DER-encoded CRL body, 554 bytes; readable strings: US, Washington, Redmond, Microsoft Corporation, Microsoft Code Signing PCA, 160427163301Z, 160727045301Z]


The Trojan connects to the servers at the following location(s):

notepad.exe_1196:

.text
`.data
.rsrc
comdlg32.dll
SHELL32.dll
WINSPOOL.DRV
COMCTL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
notepad.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
notepad.pdb
t%SSh
_acmdln
RegCloseKey
RegCreateKeyW
RegOpenKeyExA
SetViewportExtEx
GetKeyboardLayout
name="Microsoft.Windows.Shell.notepad"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
&*$#$$#$*
MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM
*.txt
/.SETUP
Text Documents (*.txt)
5.1.2600.5512 (xpsp.080413-2105)
NOTEPAD.EXE
Windows
Operating System
5.1.2600.5512
notepad.hlp
You cannot quit Windows because the Save As dialog
dialog box, and then try quitting Windows again.
Common Dialog error (0xx)
Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.
Not a valid file name.MCannot create the %% file.
Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.
Page %d
Ln %d, Col %d

notepad.exe_1196_rwx_000A0000_00001000:

kernel32.dll

notepad.exe_1196_rwx_000B0000_00001000:

user32.dll

notepad.exe_1196_rwx_00150000_00001000:

c:\%original file name%.exe

Explorer.EXE_532_rwx_00EE1000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

Explorer.EXE_532_rwx_020A1000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

Explorer.EXE_532_rwx_02391000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

Explorer.EXE_532_rwx_02401000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

Explorer.EXE_532_rwx_029B1000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

Explorer.EXE_532_rwx_02AF1000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

Explorer.EXE_532_rwx_02B61000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

Explorer.EXE_532_rwx_02BD1000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

Explorer.EXE_532_rwx_02C51000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL

Explorer.EXE_532_rwx_02CC1000_0002C000:

xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
\432fggqdd.txt
\4fggqdd.txt
C:\Users\Delirium\Documents\Visual Studio 2015\Projects\Shield\Release\Shield.pdb
zcÁ
%WinDir%\Explorer.EXE
GetCPInfo
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
gqdd.txU
 G.BF
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    msdcsc.exe:2344
    msdcsc.exe:1160
    msdcsc.exe:1980
    msdcsc.exe:1472
    msdcsc.exe:1500
    attrib.exe:616
    attrib.exe:1796
    %original file name%.exe:868
    %original file name%.exe:1432
    %original file name%.exe:972
    %original file name%.exe:2280
    %original file name%.exe:556
    %original file name%.exe:1932
    %original file name%.exe:1388
    %original file name%.exe:2032
    %original file name%.exe:544
    %original file name%.exe:652
    %original file name%.exe:2008

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\tmp6.tmp (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\432fggqdd.txt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4fggqdd.txt (64 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (67 bytes)
    %Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe (7385 bytes)
    %System%\drivers\etc\hosts (174 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp1.tmp (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\7396C420A8E1BC1DA97F1AF0D10BAD21 (554 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21 (312 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp2.tmp (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (67 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "MicroUpdate" = "%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

  5. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe,%Documents and Settings%\%current user%\Application Data\MSDCSC\msdcsc.exe"

  6. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  7. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  8. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.