Examples of Troj/MSIL-QO include:
Example 1
File Information
- Size: 328K
- SHA-1: 01c61cfc4293e058131bd86a66262347be580e5c
- MD5: 09fe0ec0fd66e5f71db6ccbc8f602b54
- CRC-32: e0d1f202
- File type: Windows executable
- First seen: 2014-04-15
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\Microsoft.com
- c:\Documents and Settings\test user\Local Settings\Temp\5117
Registry Keys Created
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - WindowsUpdate = "C:\Program Files\Windows Manager\winmgr.exe"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCFManager.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCFService.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swc_service.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr.exe
  - DisableExceptionChainValidation
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKCU\Software\VB and VBA Program Settings\Microsoft\Sysinternals
  - 3243 = C:\Program Files\Windows Manager\winmgr.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAVAdminService.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKCU\Software\Microsoft\Windows\CurrentVersion\IME
  - WindowsUpdate = "C:\Program Files\Windows Manager\winmgr.exe"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe
  - Debugger = C:\WINDOWS\system32\Microsoft.com
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
  - Load = C:\WINDOWS\system32\Microsoft.com
Processes Created
- c:\program files\windows manager\winmgr.exe
DNS Requests
Example 2
File Information
- Size: 324K
- SHA-1: 4cc8469efe12f8dbf01223f90060996a6b653194
- MD5: 35b34abf16db3a9e2b294a2027f597de
- CRC-32: b1d35c7c
- File type: Windows executable
- First seen: 2014-03-25
Runtime Analysis
Copies Itself To
- c:\Documents and Settings\test user\Application Data\Microsoft FxCop\SamSs.exe
Dropped Files
- c:\Documents and Settings\test user\Local Settings\Temp\PowerAutobuyer.exe
- c:\Documents and Settings\test user\Local Settings\Temp\Error Log
  - Size: 103
  - SHA-1: 55d860e9a795304e6df999b1c06f9b942d445392
  - MD5: 9ba00b5191a0ae9a9c9df723a21e5c53
  - CRC-32: e4c9a9db
  - File type: application/octet-stream
  - First seen: 2014-03-25
- c:\Documents and Settings\test user\Application Data\Microsoft FxCop\wmiApSrv.exe
Registry Keys Created
- HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
  - AXS5WRMYJR = March 25, 2014
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - WMI Performance Adapter = c:\Documents and Settings\test user\Application Data\Microsoft FxCop\wmiApSrv.exe
- HKCU\Software\VB and VBA Program Settings\SrvID\ID
  - AXS5WRMYJR = PowerAutobuyer
Registry Keys Modified
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - DoNotAllowExceptions = 0x00000000
Processes Created
- c:\Documents and Settings\test user\application data\microsoft fxcop\samss.exe
- c:\Documents and Settings\test user\application data\microsoft fxcop\wmiapsrv.exe
- c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
- c:\windows\system32\cmd.exe
- c:\windows\system32\reg.exe
DNS Requests
- 11mathieucg.no-ip.biz
- 1mathieucg.no-ip.biz
- 21mathieucg.no-ip.biz
- 31mathieucg.no-ip.biz
- 41mathieucg.no-ip.biz
- 51mathieucg.no-ip.biz
- 61mathieucg.no-ip.biz
- 71mathieucg.no-ip.biz
- 81mathieucg.no-ip.biz
Example 3
File Information
- Size: 514K
- SHA-1: 53bff93b231ad4c2ab4e7063de0362832b2bbf82
- MD5: c0dd915cb65b134e3e4c68482d96782f
- CRC-32: fa484be5
- File type: Windows executable
- First seen: 2014-03-25
Runtime Analysis
Copies Itself To
- c:\Documents and Settings\test user\Application Data\Microsoft FxCop\SamSs.exe
Dropped Files
- c:\Documents and Settings\test user\My Documents\MSDCSC\msdcsc.exe
- c:\Documents and Settings\test user\Application Data\Microsoft FxCop\wmiApSrv.exe
Modified Files
- %WINDOWS%\Microsoft.NET\Framework\v2.0.50727
  - Set the hidden and system flags
Registry Keys Created
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - MicroUpdate = c:\Documents and Settings\test user\My Documents\MSDCSC\msdcsc.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - WMI Performance Adapter = c:\Documents and Settings\test user\Application Data\Microsoft FxCop\wmiApSrv.exe
Registry Keys Modified
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - Userinit = C:\WINDOWS\system32\userinit.exe,c:\Documents and Settings\test user\My Documents\MSDCSC\msdcsc.exe
Processes Created
- c:\Documents and Settings\test user\application data\microsoft fxcop\samss.exe
- c:\Documents and Settings\test user\application data\microsoft fxcop\wmiapsrv.exe
- c:\Documents and Settings\test user\my documents\msdcsc\msdcsc.exe
- c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
- c:\windows\system32\attrib.exe
- c:\windows\system32\cmd.exe
- c:\windows\system32\notepad.exe
DNS Requests