Trojan.Win32.Generic!BT (VIPRE), Trojan.Msil!IK (Emsisoft), BackdoorFynloski.YR, GenericDownloader.YR, GenericInjector.YR, TrojanDownloaderAndromeda.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 80fb944153a08ff2b8537b80dc6d27a7
SHA1: 625177b6db81b46c0e6e8c109dae15612555acdd
SHA256: c617e13cb3321463106475af0c9142d4749565f995f0c863ac664f9039621dca
SSDeep: 12288:FXXehFrO/meBsi6jDQFM DkRf0Dpfn6vdzrwEQy:FXOhFTQsi6QehR5twE
Size: 487936 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2014-02-06 00:24:33
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
msdcsc.exe:2712
msdcsc.exe:2964
msdcsc.exe:3920
msdcsc.exe:3716
msdcsc.exe:3016
msdcsc.exe:1144
msdcsc.exe:2652
msdcsc.exe:2844
msdcsc.exe:1308
msdcsc.exe:3328
msdcsc.exe:3040
msdcsc.exe:3044
msdcsc.exe:3808
msdcsc.exe:3128
msdcsc.exe:2320
msdcsc.exe:696
msdcsc.exe:2488
msdcsc.exe:3796
msdcsc.exe:2664
msdcsc.exe:2480
msdcsc.exe:2156
msdcsc.exe:2400
msdcsc.exe:2240
msdcsc.exe:1672
msdcsc.exe:3836
msdcsc.exe:2460
msdcsc.exe:3768
msdcsc.exe:1796
msdcsc.exe:3932
msdcsc.exe:3648
msdcsc.exe:128
msdcsc.exe:3408
msdcsc.exe:3756
msdcsc.exe:1068
msdcsc.exe:3248
msdcsc.exe:1824
msdcsc.exe:2492
msdcsc.exe:416
msdcsc.exe:2412
msdcsc.exe:2792
msdcsc.exe:3848
msdcsc.exe:1128
msdcsc.exe:2908
msdcsc.exe:3140
msdcsc.exe:3676
msdcsc.exe:3300
msdcsc.exe:2308
msdcsc.exe:4040
msdcsc.exe:3380
msdcsc.exe:2544
msdcsc.exe:2300
msdcsc.exe:300
msdcsc.exe:2268
msdcsc.exe:1252
msdcsc.exe:368
msdcsc.exe:2072
msdcsc.exe:3452
msdcsc.exe:2440
msdcsc.exe:2280
msdcsc.exe:1132
msdcsc.exe:2932
msdcsc.exe:444
msdcsc.exe:3260
msdcsc.exe:2764
msdcsc.exe:2832
msdcsc.exe:4052
msdcsc.exe:904
msdcsc.exe:840
msdcsc.exe:2572
msdcsc.exe:644
msdcsc.exe:2372
msdcsc.exe:2612
msdcsc.exe:2452
msdcsc.exe:3004
msdcsc.exe:3168
msdcsc.exe:2804
msdcsc.exe:2200
msdcsc.exe:3368
msdcsc.exe:2884
msdcsc.exe:2868
msdcsc.exe:180
msdcsc.exe:3088
msdcsc.exe:3892
msdcsc.exe:188
msdcsc.exe:2360
msdcsc.exe:2428
msdcsc.exe:2584
msdcsc.exe:2624
msdcsc.exe:3604
msdcsc.exe:560
msdcsc.exe:3876
msdcsc.exe:3072
msdcsc.exe:3728
msdcsc.exe:3288
msdcsc.exe:552
msdcsc.exe:2936
msdcsc.exe:2952
msdcsc.exe:3688
msdcsc.exe:3208
msdcsc.exe:2752
msdcsc.exe:3960
msdcsc.exe:3116
msdcsc.exe:2696
msdcsc.exe:2516
msdcsc.exe:4080
msdcsc.exe:744
msdcsc.exe:3636
msdcsc.exe:1204
msdcsc.exe:1604
msdcsc.exe:3060
msdcsc.exe:1896
msdcsc.exe:2228
msdcsc.exe:4000
msdcsc.exe:3340
msdcsc.exe:3100
msdcsc.exe:2348
msdcsc.exe:2220
msdcsc.exe:956
msdcsc.exe:3972
msdcsc.exe:3180
msdcsc.exe:2504
msdcsc.exe:4092
msdcsc.exe:2724
msdcsc.exe:2876
msdcsc.exe:208
msdcsc.exe:2976
msdcsc.exe:2332
msdcsc.exe:1804
msdcsc.exe:2124
msdcsc.exe:4012
msdcsc.exe:3220
msdcsc.exe:3424
msdcsc.exe:1680
msdcsc.exe:2532
msdcsc.exe:1764
ntvdm.exe:1804
Reader_sl.exe:1064
wuauclt.exe:344
%original file name%.exe:680
reg.exe:420
reg.exe:488
jusched.exe:1056
The Backdoor injects its code into the following process(es):
msdcsc.exe:480
%original file name%.exe:1240
%original file name%.exe:1864
File activity
The process msdcsc.exe:480 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\1vCxLP6w\cLles1IQqjIBgjhsmkBCJRdjiyjMPhjzj (62700 bytes)
%Documents and Settings%\%current user%\Application Data\1vCxLP6w\h2ZSebC.exe.lnk (873 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\1vCxLP6w\cLles1IQqjIBgjhsmkBCJRdjiyjMPhjzj (0 bytes)
The process ntvdm.exe:1804 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\ (4 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (8 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
%Documents and Settings%\%current user%\Application Data\1vCxLP6w\cLles1IQqjIBgjhsmkBCJRdjiyjMPhjzj (224 bytes)
%Documents and Settings%\%current user%\Application Data (4 bytes)
C:\$Directory (12 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%System% (6024 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (15933 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
The Backdoor deletes the following file(s):
%WinDir%\Temp\scs1.tmp (0 bytes)
%WinDir%\Temp\scs2.tmp (0 bytes)
The process wuauclt.exe:344 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Backdoor deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process %original file name%.exe:1864 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\1vCxLP6w\1y6revUi5 (62700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2021810.exe (196 bytes)
%Documents and Settings%\%current user%\Application Data\1vCxLP6w\h2ZSebC.exe.lnk (873 bytes)
The process %original file name%.exe:680 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\MSDCSC\msdcsc.exe (3073 bytes)
%System%\drivers\etc\hosts (29 bytes)
The process jusched.exe:1056 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process msdcsc.exe:2712 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 95 B6 E2 EE 00 2C AF DF D4 E9 92 BE 4A 80 4D"
The process msdcsc.exe:2964 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 42 5A B1 8F 35 3E 26 39 60 6F B0 53 C4 CA 02"
The process msdcsc.exe:3920 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 32 59 8D B7 87 B1 97 59 40 32 66 B2 E6 DE C8"
The process msdcsc.exe:3716 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 4E AB DC A6 92 89 37 8D BB DA 79 7B 84 A7 F6"
The process msdcsc.exe:3016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 03 FE 2D 6E 20 0B 0E 20 A8 9A 8A CB 78 DB CD"
The process msdcsc.exe:1144 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 E4 74 22 82 7B 57 55 2B 67 3A 6A B6 7B EB B7"
The process msdcsc.exe:2652 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 E4 41 C4 1A B8 B5 1A 39 47 4D FB A4 A1 70 2C"
The process msdcsc.exe:2844 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 9F 3D A2 4A C8 F7 7D 51 FA 70 6B F0 C4 D2 77"
The process msdcsc.exe:1308 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 77 EA 03 8A C5 D4 5B E9 C8 4C D9 DE E2 54 57"
The process msdcsc.exe:3328 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 13 EE 64 03 B8 24 66 45 E6 57 BE 7A 5B 8E 22"
The process msdcsc.exe:3040 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 CA 59 64 08 3B 01 36 CC 44 E7 0C 74 9F 1C A8"
The process msdcsc.exe:3044 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 BB 99 03 3D 32 9A 2A 83 0B 15 8D 76 05 5C 2C"
The process msdcsc.exe:3808 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 ED 2D A2 C2 46 9B A7 18 40 7B AD 35 1F C6 AD"
The process msdcsc.exe:3128 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE C8 DB C0 DB D8 15 1A 76 F0 24 C5 76 B8 90 D5"
The process msdcsc.exe:2320 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 79 D7 C9 14 2F 2B 93 AA 24 30 49 41 BC FA 33"
The process msdcsc.exe:696 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 30 8B D9 17 B4 6E 85 8A 30 E6 0F F0 41 DF EF"
The process msdcsc.exe:2488 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 23 93 F9 0C 4B 82 E1 18 FA 5A 87 FF 10 36 74"
The process msdcsc.exe:3796 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 3F 1B 6B 45 8A 6E 28 C1 8E D4 3D 6E AA 9A E0"
The process msdcsc.exe:2664 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 23 F8 28 7F 6B D2 D1 35 60 D7 97 DB 2C 54 80"
The process msdcsc.exe:2480 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 5D 6E D9 FA FD 12 D1 64 9B 3A 8F 2A E0 E1 E2"
The process msdcsc.exe:2156 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 83 0B 75 8C A6 8F C2 EA 4B 5C D4 28 BC 16 73"
The process msdcsc.exe:2400 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 BA D0 BD B3 60 D1 A5 C1 DC 0D 37 A4 86 30 2B"
The process msdcsc.exe:2240 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 96 39 F5 72 77 56 2D A9 F0 CC EA FB EF 63 8C"
The process msdcsc.exe:1672 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 AC 4D 7C B7 1C 7F EF 6B A9 67 3A F5 8A 2A F7"
The process msdcsc.exe:3836 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 94 04 E9 01 F0 03 CF EA 83 5D AF 78 61 A7 3C"
The process msdcsc.exe:2460 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 DF C0 D8 60 D7 BF EB EE EB 3B 7A 2B 21 4D 1E"
The process msdcsc.exe:3768 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 C7 CF E5 EB 35 39 21 E4 4F 6C 30 84 AD 51 00"
The process msdcsc.exe:1796 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 72 2C A7 A7 C8 CF 95 4D 0C F1 F4 96 3B 11 F9"
The process msdcsc.exe:3932 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 5B 7C B0 AE FF 2C E5 D5 22 72 37 38 3D BA E8"
The process msdcsc.exe:3648 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 78 76 FA 2F D1 B4 D3 0C 98 54 7A F3 9E ED 87"
The process msdcsc.exe:128 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 22 E8 75 07 34 C9 D8 8D A7 2E 34 6B C4 CB B2"
The process msdcsc.exe:3408 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 0C DC 5D 0A AB DD 0E 95 A6 8D B5 02 7B 53 3C"
The process msdcsc.exe:3756 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 8D 2D 2B AD B2 64 5E 25 E8 9B E5 4A 66 3A 42"
The process msdcsc.exe:1068 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 64 1E B2 D0 DB 35 B0 0A 77 A4 B3 29 D7 06 DC"
The process msdcsc.exe:3248 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 38 AC A5 0A 6B 01 45 45 86 1D 14 1A 72 D3 FE"
The process msdcsc.exe:1824 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 25 83 CA C8 3A 63 6C 26 1E 94 99 2D A8 A1 DB"
The process msdcsc.exe:2492 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 D2 93 01 A1 C8 91 52 F6 D9 BC 87 FC 51 FD BA"
The process msdcsc.exe:416 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 07 AC 85 9B CE 46 8E 9A 0E 34 FC 5D 16 16 D1"
The process msdcsc.exe:2412 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 0D 97 50 38 4A C6 09 13 74 9C 76 17 6F 66 88"
The process msdcsc.exe:2792 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 42 BB 01 8E 43 7E 1E F9 C6 11 2B 6B D3 DF DF"
The process msdcsc.exe:3848 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 EC F6 6C 6A A8 CF 94 36 6A 37 B6 F1 25 91 34"
The process msdcsc.exe:1128 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 8A 0A 3B F4 59 89 92 92 8A EB 00 C5 CA 3B 3D"
The process msdcsc.exe:2908 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 8D 6A 81 54 A2 55 4D 34 26 DD 84 59 58 75 9A"
The process msdcsc.exe:3140 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 3C 1F 92 51 1B 97 7C C0 2F 32 7C 74 AA 93 64"
The process msdcsc.exe:3676 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 CC FD 33 B2 DC F9 04 BD FD D0 9B B6 CC F8 85"
The process msdcsc.exe:3300 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 DC 1B 75 BA F2 17 A0 B8 A9 25 5C 5B 35 A2 D4"
The process msdcsc.exe:2308 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 7E E0 3E 35 93 49 83 7F 22 74 60 FB 6D 14 C0"
The process msdcsc.exe:4040 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 2E 25 84 B8 FF 87 41 67 2A CB C6 2B BB CE FA"
The process msdcsc.exe:3380 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 1A 25 4D A8 BB 49 76 8B 8B 9D 7F 23 DD E8 02"
The process msdcsc.exe:2544 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 11 0E 64 29 8F 59 76 7D A0 85 35 D7 84 1A F7"
The process msdcsc.exe:2300 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 08 46 84 09 C7 08 D5 0B 01 21 16 40 5C 09 99"
The process msdcsc.exe:300 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 6A 6F 5D 2B F9 AD DE E7 57 21 53 A6 9C C6 98"
The process msdcsc.exe:2268 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 66 DE 58 8B 35 90 DF FE 6D AF 39 AB B4 C2 08"
The process msdcsc.exe:1252 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 44 8E 70 2F 13 C2 00 DE 94 34 29 7A 5E F7 A2"
The process msdcsc.exe:368 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 8A A8 CD 11 CB 59 AF 0A E1 C5 50 95 FF 20 82"
The process msdcsc.exe:2072 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F E9 1F 07 58 4B DC FE 32 CD B8 02 73 63 37 BF"
The process msdcsc.exe:3452 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 DB CF F8 E1 A2 8C 52 D7 75 D4 DC 78 3A AF 47"
The process msdcsc.exe:2440 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 E9 C5 73 8E 82 5E 0F FA 28 C9 FB C0 C2 AB CD"
The process msdcsc.exe:2280 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 11 61 2D 71 42 7E 36 4F C2 C1 82 5A 52 48 1D"
The process msdcsc.exe:1132 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 5E 3A 2A 3B 30 5A 2E E0 68 86 BB EE DE B8 19"
The process msdcsc.exe:2932 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 5B 88 01 06 97 EB 00 88 34 EE D6 C7 17 97 A9"
The process msdcsc.exe:444 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 52 C6 9C B0 77 3B 09 38 17 00 69 38 5D 4C 21"
The process msdcsc.exe:3260 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A EF 68 3F 9C CB 14 63 41 90 5C C6 D1 84 6A EB"
The process msdcsc.exe:2764 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 1D 40 1A 23 09 DC 02 E1 CC 96 77 EE 3A 1F 9C"
The process msdcsc.exe:2832 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 E7 51 2B 48 9C 43 D1 2F B3 08 C5 1C A3 A0 9C"
The process msdcsc.exe:4052 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 8E 76 5B D0 5C 16 83 B5 82 A7 6A A0 7D 46 CB"
The process msdcsc.exe:904 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 60 00 82 15 E8 B9 B4 B8 3F 99 10 6D E2 BA A0"
The process msdcsc.exe:840 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 77 B9 49 1F 18 C1 64 AC 8A 98 D7 3A 3F E6 43"
The process msdcsc.exe:2572 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 94 7D 3D 2C 50 B4 97 9F A4 DC B1 2E E1 61 47"
The process msdcsc.exe:644 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 31 E0 99 D5 5C 5D 4D 8D D5 4E 1E 7A E5 D6 3A"
The process msdcsc.exe:2372 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 43 A3 BF 0F D1 2F 55 EC A3 9F C7 59 09 AF FA"
The process msdcsc.exe:2612 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 C9 05 4B 12 EA 09 A8 C6 81 7D 18 EA 9D C0 02"
The process msdcsc.exe:2452 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 CE B9 BD C6 3B 89 CC 45 51 7F D3 CA 70 D8 6C"
The process msdcsc.exe:3004 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 18 11 23 94 9D 2F 45 13 01 5E C2 3F 53 CE 5A"
The process msdcsc.exe:3168 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 85 25 8A 08 04 FF 66 4E 7B 4C 46 E4 51 E4 FB"
The process msdcsc.exe:2804 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 62 DF 99 A0 4A EC 9A 4D C4 A9 C7 44 CE 02 C7"
The process msdcsc.exe:2200 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 9C EE 9A C2 88 0E 76 58 13 02 4B 03 3C 4C 44"
The process msdcsc.exe:3368 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 84 9C 66 01 1C 94 72 1D C2 B0 0C 8C 3D AA F8"
The process msdcsc.exe:2884 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C F7 24 8E 95 5E 49 0B 80 DD E9 4E B5 4B CC E5"
The process msdcsc.exe:2868 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 2D 03 BB F9 C6 70 D7 19 0D 62 87 A1 C9 8C F8"
The process msdcsc.exe:180 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 4E AC 57 78 A2 B1 3A E2 E6 B6 43 5C 00 E3 A0"
The process msdcsc.exe:3088 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 13 8F 96 F0 CD E0 37 4C 7B A2 AE 59 B8 67 29"
The process msdcsc.exe:3892 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B B8 BD F6 79 86 F7 4E FC FD 3D 9E C7 A6 AC 51"
The process msdcsc.exe:188 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 A0 8A F8 FB D3 9F 18 E4 CB 85 28 DB C0 1A 8C"
The process msdcsc.exe:2360 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 8B 2B EC 63 81 CD C9 51 06 33 BD 19 BF C4 1C"
The process msdcsc.exe:2428 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 AA 70 41 19 09 AE BB 49 95 EE DC 58 6C 7D 0A"
The process msdcsc.exe:2584 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 6F 82 D1 BA 27 B4 7F 2E DE 81 A6 98 D3 F4 E2"
The process msdcsc.exe:2624 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 E6 5A E4 4E F9 24 DA 9E 58 1E 00 D8 80 DB 1A"
The process msdcsc.exe:3604 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 C6 FB AF B1 E9 4B 82 DD 63 98 04 87 F2 D9 AF"
The process msdcsc.exe:560 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 AF 0F D7 5B C0 BC A2 B2 DA DE 4A 6B 8B DD 93"
The process msdcsc.exe:3876 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED CB AF 07 B7 F7 70 6D B6 48 4C 77 72 12 03 D2"
The process msdcsc.exe:3072 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 21 06 26 B4 24 7D 6A 25 DF CA 7E 9C DB 82 81"
The process msdcsc.exe:3728 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 3E E3 F0 87 02 DF BF FB 8B 98 62 67 7F 22 67"
The process msdcsc.exe:3288 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 E9 C6 A9 19 87 64 A0 13 A3 87 C5 56 6F 71 5C"
The process msdcsc.exe:552 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 C0 93 40 8A DF 58 6B 6A EB D5 36 BE 38 AA D1"
The process msdcsc.exe:2936 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 9A E8 D3 42 BC B6 87 A6 DC 04 3D 1C 2E B8 49"
The process msdcsc.exe:2952 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 E4 E1 A7 4F 0B 2F D2 19 D2 4B 54 B6 11 91 1B"
The process msdcsc.exe:3688 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 FC CB 54 A1 D2 38 E1 06 F7 A2 14 2A 86 B9 62"
The process msdcsc.exe:3208 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 07 F6 64 AB 8D 66 79 E5 69 AC 39 50 3C C1 87"
The process msdcsc.exe:2752 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 56 14 A4 75 1F 5A 61 0F EC D5 8C 78 0A F6 98"
The process msdcsc.exe:3960 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 54 64 23 4F EA 10 75 5E F3 36 7B 60 81 F2 5E"
The process msdcsc.exe:3116 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 23 DE A9 59 CB 00 02 72 1E 7D E4 83 3B 8B C0"
The process msdcsc.exe:2696 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 7A 3C 10 C0 2E AE EF 3E 66 5A A6 E3 8A 20 A3"
The process msdcsc.exe:2516 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 5C E0 9C 41 68 74 45 98 5C D4 E3 F8 18 44 D0"
The process msdcsc.exe:4080 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 17 59 81 4A FD 7F AD 40 6C B6 D7 B7 18 8E 36"
The process msdcsc.exe:744 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 7E FF 20 53 86 77 CF 29 6E B4 DA 2A BD 97 71"
The process msdcsc.exe:3636 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 11 94 00 5D FC 54 A5 ED 80 92 A0 1F B4 25 A5"
The process msdcsc.exe:1204 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 F7 3B EC 14 0E D9 D7 90 A8 01 60 BC 4A D8 C4"
The process msdcsc.exe:1604 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 1E 88 89 7E 22 26 5A 7A 39 CA 83 E8 B9 1C 6A"
The process msdcsc.exe:3060 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC E1 2A 7E D2 3B 12 46 58 98 2B 4E 06 55 75 79"
The process msdcsc.exe:1896 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 31 E8 B2 4C 6D C6 D9 47 CE 9F 0E 04 E6 1F 7D"
The process msdcsc.exe:2228 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 F8 27 BB 1B 39 15 BC CE 48 82 42 16 E1 80 35"
The process msdcsc.exe:4000 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 A2 9A 55 AC 22 B7 79 58 CC 0C F6 F9 CD FE D7"
The process msdcsc.exe:3340 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 86 63 0B 18 FD D8 4E C9 0A AA 23 E9 9A F6 5B"
The process msdcsc.exe:3100 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 6D FA CC 7E 3E DC 34 5C F0 7C C3 1C 2B CC 72"
The process msdcsc.exe:2348 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD B2 19 7D F8 A0 E9 32 A8 0A 32 8F 48 9D B6 15"
The process msdcsc.exe:2220 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 7A F8 9F 3B 31 DA C9 B2 99 10 FD AB D0 C3 83"
The process msdcsc.exe:956 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 FB 19 70 73 9D A6 1D 2E A2 0C 93 96 95 C3 F6"
The process msdcsc.exe:3972 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE F0 A2 98 E5 3E 3A C1 B6 1F 85 6A 1C E2 B4 81"
The process msdcsc.exe:3180 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 ED FE 5A 50 0D 75 B4 9D B2 3C FC 73 C8 3F D3"
The process msdcsc.exe:2504 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 CF 63 C0 D2 D7 0F 9D 85 64 BF 8A 6A AE 73 0B"
The process msdcsc.exe:4092 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A CC 49 98 E6 37 9A 43 29 78 5B 82 8E A2 5D 52"
The process msdcsc.exe:2724 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D E4 32 96 46 F6 20 2E 01 AC 73 47 3E BA D5 9D"
The process msdcsc.exe:2876 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B D1 78 E1 B7 24 29 E1 2A C2 EF 20 F1 1B 4C A3"
The process msdcsc.exe:208 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 1E E8 7E F3 40 D8 FD AF FB 62 27 E7 A6 35 B4"
The process msdcsc.exe:2976 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 27 0C F6 6B EC 4A 7F 32 23 75 D8 BF 46 F0 45"
The process msdcsc.exe:480 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 62 9F 8D 63 05 6A CF D3 E7 BC 32 D3 2B FB DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process msdcsc.exe:2332 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 AC B9 11 B0 DC AE E9 1D B9 99 F7 E8 CA C8 D3"
The process msdcsc.exe:1804 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 1F 5B FC 42 FC 10 19 DF 56 B0 AE 97 2F 23 D6"
The process msdcsc.exe:2124 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 15 B5 0B 46 CE 0B F4 0A 02 4D FE C7 AF C9 17"
The process msdcsc.exe:4012 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 47 32 A7 C2 BA E9 07 99 4E 64 E5 96 DF 28 0E"
The process msdcsc.exe:3220 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 FE E4 9D D8 57 8D C1 4D 34 38 17 5F 35 2B C7"
The process msdcsc.exe:3424 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 23 BF 9A 8C 26 E9 49 EE 94 D7 09 EA D6 93 E8"
The process msdcsc.exe:1680 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 6C 6D B0 2B 04 2E 01 69 2C BD 7C A9 10 A4 B2"
The process msdcsc.exe:2532 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 6E 40 A0 2C 40 D3 7A 2F 15 5A A7 D2 E0 09 49"
The process msdcsc.exe:1764 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 64 D1 B0 F2 76 F3 63 2C 38 59 22 C4 B1 34 7B"
The process Reader_sl.exe:1064 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1240 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 1D 65 E8 9D E1 56 2C 10 A0 B4 83 05 3E 1A 05"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1864 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"2021810.exe" = "2021810"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 CA A3 66 03 01 61 8F 18 59 F9 88 D4 E0 0F 9A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process %original file name%.exe:680 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 C1 FA 7D 33 9B A4 9B BC 8E 81 3B 65 40 D4 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSDCSC]
"msdcsc.exe" = "gjytfddy"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSDCSC\msdcsc.exe"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSDCSC\msdcsc.exe"
The process reg.exe:420 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 D2 40 61 07 BE 33 3E BE 7D 76 9A 31 13 E3 EB"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell" = "%Documents and Settings%\%current user%\Application Data\1vCxLP6w\h2ZSebC.exe,explorer.exe"
The process reg.exe:488 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 AE 74 64 8C 00 C3 97 1C 04 B2 E0 E2 04 EE 7F"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell" = "%Documents and Settings%\%current user%\Application Data\1vCxLP6w\h2ZSebC.exe,explorer.exe"
Network activity (URLs)
URL | IP |
---|---|
hxxp://rghost.net/52232184 | 89.248.225.50 |
chraxan.no-ip.biz | 5.42.192.147 |
HOSTS file anomalies
The Backdoor modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 29 bytes in size. The following strings are added to the hosts file:
chraxan.no-ip.biz | localhost |
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
msdcsc.exe:2712
msdcsc.exe:2964
msdcsc.exe:3920
msdcsc.exe:3716
msdcsc.exe:3016
msdcsc.exe:1144
msdcsc.exe:2652
msdcsc.exe:2844
msdcsc.exe:1308
msdcsc.exe:3328
msdcsc.exe:3040
msdcsc.exe:3044
msdcsc.exe:3808
msdcsc.exe:3128
msdcsc.exe:2320
msdcsc.exe:696
msdcsc.exe:2488
msdcsc.exe:3796
msdcsc.exe:2664
msdcsc.exe:2480
msdcsc.exe:2156
msdcsc.exe:2400
msdcsc.exe:2240
msdcsc.exe:1672
msdcsc.exe:3836
msdcsc.exe:2460
msdcsc.exe:3768
msdcsc.exe:1796
msdcsc.exe:3932
msdcsc.exe:3648
msdcsc.exe:128
msdcsc.exe:3408
msdcsc.exe:3756
msdcsc.exe:1068
msdcsc.exe:3248
msdcsc.exe:1824
msdcsc.exe:2492
msdcsc.exe:416
msdcsc.exe:2412
msdcsc.exe:2792
msdcsc.exe:3848
msdcsc.exe:1128
msdcsc.exe:2908
msdcsc.exe:3140
msdcsc.exe:3676
msdcsc.exe:3300
msdcsc.exe:2308
msdcsc.exe:4040
msdcsc.exe:3380
msdcsc.exe:2544
msdcsc.exe:2300
msdcsc.exe:300
msdcsc.exe:2268
msdcsc.exe:1252
msdcsc.exe:368
msdcsc.exe:2072
msdcsc.exe:3452
msdcsc.exe:2440
msdcsc.exe:2280
msdcsc.exe:1132
msdcsc.exe:2932
msdcsc.exe:444
msdcsc.exe:3260
msdcsc.exe:2764
msdcsc.exe:2832
msdcsc.exe:4052
msdcsc.exe:904
msdcsc.exe:840
msdcsc.exe:2572
msdcsc.exe:644
msdcsc.exe:2372
msdcsc.exe:2612
msdcsc.exe:2452
msdcsc.exe:3004
msdcsc.exe:3168
msdcsc.exe:2804
msdcsc.exe:2200
msdcsc.exe:3368
msdcsc.exe:2884
msdcsc.exe:2868
msdcsc.exe:180
msdcsc.exe:3088
msdcsc.exe:3892
msdcsc.exe:188
msdcsc.exe:2360
msdcsc.exe:2428
msdcsc.exe:2584
msdcsc.exe:2624
msdcsc.exe:3604
msdcsc.exe:560
msdcsc.exe:3876
msdcsc.exe:3072
msdcsc.exe:3728
msdcsc.exe:3288
msdcsc.exe:552
msdcsc.exe:2936
msdcsc.exe:2952
msdcsc.exe:3688
msdcsc.exe:3208
msdcsc.exe:2752
msdcsc.exe:3960
msdcsc.exe:3116
msdcsc.exe:2696
msdcsc.exe:2516
msdcsc.exe:4080
msdcsc.exe:744
msdcsc.exe:3636
msdcsc.exe:1204
msdcsc.exe:1604
msdcsc.exe:3060
msdcsc.exe:1896
msdcsc.exe:2228
msdcsc.exe:4000
msdcsc.exe:3340
msdcsc.exe:3100
msdcsc.exe:2348
msdcsc.exe:2220
msdcsc.exe:956
msdcsc.exe:3972
msdcsc.exe:3180
msdcsc.exe:2504
msdcsc.exe:4092
msdcsc.exe:2724
msdcsc.exe:2876
msdcsc.exe:208
msdcsc.exe:2976
msdcsc.exe:2332
msdcsc.exe:1804
msdcsc.exe:2124
msdcsc.exe:4012
msdcsc.exe:3220
msdcsc.exe:3424
msdcsc.exe:1680
msdcsc.exe:2532
msdcsc.exe:1764
ntvdm.exe:1804
wuauclt.exe:344
%original file name%.exe:680
reg.exe:420
reg.exe:488
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Application Data\1vCxLP6w\cLles1IQqjIBgjhsmkBCJRdjiyjMPhjzj (62700 bytes)
%Documents and Settings%\%current user%\Application Data\1vCxLP6w\h2ZSebC.exe.lnk (873 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (8 bytes)
%WinDir%\Temp\Perflib_Perfdata_7b0.dat (4 bytes)
C:\$Directory (12 bytes)
%WinDir%\Temp\scs2.tmp (10145 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (15933 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%WinDir%\Temp\scs1.tmp (33880 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Application Data\1vCxLP6w\1y6revUi5 (62700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2021810.exe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSDCSC\msdcsc.exe (3073 bytes)
%System%\drivers\etc\hosts (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSDCSC\msdcsc.exe"
- Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSDCSC\msdcsc.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.