ThreatExpert Report: Trojan-Downloader.Win32.Agent.bqeq, Hacktool.Rootkit, Troj/Rootkit-FI..

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 16 April 2009, 19:29:15
Processing time: 8 min 38 sec
Submitted sample:

File MD5: 0x214C6A1B962656D2357ED5027508B589
File SHA-1: 0xD95C5BE65F67AD1CE3DEEAEE37AD1DA6FA49B132
Filesize: 28,160 bytes
Alias:

Hacktool.Rootkit [Symantec]
Trojan-Downloader.Win32.Agent.bqeq [Kaspersky Lab]
Troj/Rootkit-FI [Sophos]
Backdoor.Win32.Farfli [Ikarus]
Win-Trojan/Farfli.28160 [AhnLab]

Summary of the findings:

What's been found	Severity Level
Downloads/requests other files from Internet.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! The following threat categories were identified:

Threat Category	Description
	A program that downloads files to the local computer that may represent security risk
	A hacktool that could be used by attackers to break into a system

File System Modifications

The following file was created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	[file and pathname of the sample #1]	28,160 bytes	MD5: 0x214C6A1B962656D2357ED5027508B589 SHA-1: 0xD95C5BE65F67AD1CE3DEEAEE37AD1DA6FA49B132	Hacktool.Rootkit [Symantec] Trojan-Downloader.Win32.Agent.bqeq [Kaspersky Lab] Troj/Rootkit-FI [Sophos] Backdoor.Win32.Farfli [Ikarus] Win-Trojan/Farfli.28160 [AhnLab]

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	57,344 bytes

The following system service was modified:

Service Name	Display Name	New Status	Service Filename
wscsvc	Security Center	"Stopped"	%System%\svchost.exe -k netsvcs

Note:

%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx\Enum

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]

Debugger = "services.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "zx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX\0000]

Service = "zx"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "zx"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZX]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx\Enum]

0 = "Root\LEGACY_ZX\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\zx]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "\??\%Temp%\~4c537.tmp"
DisplayName = "zx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX\0000\Control]

*NewlyCreated* = 0x00000000
ActiveService = "zx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX\0000]

Service = "zx"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "zx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZX]

NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx\Enum]

0 = "Root\LEGACY_ZX\0000"
Count = 0x00000001
NextInstance = 0x00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx\Security]

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zx]

Type = 0x00000001
Start = 0x00000003
ErrorControl = 0x00000001
ImagePath = "\??\%Temp%\~4c537.tmp"
DisplayName = "zx"

Other details

Analysis of the file resources indicate the following possible country of origin:

China

To mark the presence in the system, the following Mutex object was created:

abcf

The following HTTP URLs were started reading:

http://wangluo110.net/mtv/xp1.exe
http://wangluo110.net/mtv/xp3.exe
http://wangluo110.net/mtv/xp4.exe
http://wangluo110.net/mtv/xp5.exe
http://wangluo110.net/mtv/xp6.exe
http://wangluo110.net/mtv/xp7.exe
http://wangluo110.net/mtv/xp8.exe
http://wangluo110.net/mtv/xp9.exe
http://wangluo110.net/mtv/xp10.exe
http://wangluo110.net/mtv/xp11.exe
http://wangluo110.net/mtv/xp12.exe
http://wangluo110.net/mtv/xp13.exe
http://wangluo110.net/mtv/xp14.exe
http://wangluo110.net/mtv/xp15.exe
http://wangluo110.net/mtv/xp16.exe
http://wangluo110.net/mtv/xp17.exe
http://wangluo110.net/mtv/xp18.exe
http://wangluo110.net/mtv/xp19.exe
http://wangluo110.net/mtv/xp20.exe
http://wangluo110.net/mtv/xp21.exe

The data identified by the following URL was then requested from the remote web server:

http://tongji.shenlong168.com/go/getmac.asp?x=&y=f5&z=b59c67

The following Internet downloads were started (the retrieved bits are saved into the local file):

URL to be downloaded	Filename for the downloaded bits
http://8is2.com/xia/sl.txt	%Temp%\~4cdeb.tmp
http://8is2.com/xia/ad.jpg	%System%\drivers\etc\hosts

Notes:

%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).

Downloaded File Summary:

Download details:

Download retrieved: 16 April 2009 19:37:57
Processing time: 9 min 2 sec
Downloaded sample #1:

File MD5: 0x5E87F8956C98E5B7F3D921185B1B1F2E
File SHA-1: 0xF962FA89ECAEAD6130FBBEA5B6DF7552F281D9BE
Filesize: 24,681 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Mal/Generic-A [Sophos]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #2:

File MD5: 0x70EC592BA61ACB582CBB8B57CBA5B992
File SHA-1: 0x13AF43C193D895578583CF07D5A11E3F9AB9E6E6
Filesize: 22,654 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Mal/Generic-A [Sophos]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #3:

File MD5: 0xF90A33725EA9CA0CD5618585F0DDF44B
File SHA-1: 0x2A3840A2D62ACB261C8E0D28FE18C5053528836A
Filesize: 24,191 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-GameThief.Win32.Magania.ayrx [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Mal/Generic-A [Sophos]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #4:

File MD5: 0x00018CC6902219D80A054540374AD257
File SHA-1: 0xBB80940FCBC9B2935140980B4C501DFAEB966C89
Filesize: 23,140 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #5:

File MD5: 0xC8FBC4B6B3793AD38B94CFCDDBEEBA09
File SHA-1: 0xD732B2ADF154DBE743C46ADA6942E4B4A97AB80E
Filesize: 23,166 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #6:

File MD5: 0x1CA9FDA4FA6ADB9898AD55F0E290D361
File SHA-1: 0xAFF9FC6C66C703F43E33BC164ECE430D29619AE9
Filesize: 24,169 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #7:

File MD5: 0x712117FB3FFD2AC22B7DF000CAFFFAF8
File SHA-1: 0x778BF131197088C2764C1F95F39705790BFD59C6
Filesize: 23,658 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #8:

File MD5: 0x8363C698B97C8BCF6A1DB7701C121DC4
File SHA-1: 0x4BC80880E147F10BDA42AA79A6048BB5FCE9D053
Filesize: 22,644 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afco [Kaspersky Lab]
Generic Dropper.eb [McAfee]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #9:

File MD5: 0xB48A33722A656F9973218D8262F070FE
File SHA-1: 0xA82A88BB04BE4373A7A3E98F0D2CC2CB3A0D6929
Filesize: 22,118 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #10:

File MD5: 0x056B5EAB52637138828A6192D1C64570
File SHA-1: 0x2EF7F155705BA26C0881A79A7C722A3C8E3B2768
Filesize: 22,120 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Mal/Generic-A [Sophos]
Trojan-PWS.Win32.LdPinch [Ikarus]
Win-Trojan/LdPinch.22120.I [AhnLab]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #11:

File MD5: 0x0147AA6DB73B91D988CC90E3125F79C5
File SHA-1: 0xF1512A79C26F7DCBB71AADEFC28C30F088B2102E
Filesize: 23,652 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #12:

File MD5: 0x74D8A6682C6B0573FE34EBA66F9B6ADE
File SHA-1: 0x37F3637FBC48FDBE73DEB83612C1C1D07495F6F8
Filesize: 21,622 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Mal/Generic-A [Sophos]
Trojan-PWS.Win32.LdPinch [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #13:

File MD5: 0xA73DAC61218C99EC21CED595CBD8A96D
File SHA-1: 0xD9F20B4B616F41BCB1991CE763E0901C788E185C
Filesize: 22,635 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.aeyx [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Mal/Generic-A [Sophos]
Trojan-PWS.Win32.LdPinch [Ikarus]
Win-Trojan/OnlineGameHack.22632.B [AhnLab]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #14:

File MD5: 0x735322286D3E487AE35A5D8724AA723E
File SHA-1: 0x885389E3896D2C2170B6B5D68998CCB96EA941C0
Filesize: 24,172 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #15:

File MD5: 0x82E54979239944CD61040C76C2FEA7DB
File SHA-1: 0xC27FA510B0BD37D0DCC77F53955EBB4BCE7538E0
Filesize: 23,661 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afco [Kaspersky Lab]
Generic Dropper.eb [McAfee]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #16:

File MD5: 0x622E7DE1699D422EB41DCA0E527CC711
File SHA-1: 0xB840D9C35A3215245298C68E704D027709B9AB91
Filesize: 23,649 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afco [Kaspersky Lab]
Generic Dropper.eb [McAfee]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #17:

File MD5: 0xC21D31A7FEFB329B789623665837E5B9
File SHA-1: 0x7F1F10518C463CA817FDB946336F62763679A19F
Filesize: 23,155 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #18:

File MD5: 0x6E40365F1ED4782E78F1C2683246748C
File SHA-1: 0x7F851DFE70DA081A78541CE602EC06DD35D5AC4E
Filesize: 23,671 bytes
Alias & packer info:

Trojan-Spy.Gampass!sd6 [PCTools]
Infostealer.Gampass [Symantec]
Trojan-GameThief.Win32.Magania.aydy [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Mal/Generic-A [Sophos]
Trojan-PWS.Win32.LdPinch [Ikarus]
Win-Trojan/OnlineGameHack.23671.B [AhnLab]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #19:

File MD5: 0x80EC01749D6D2C1524B1C512712887B1
File SHA-1: 0x9F57C3CC55E0F4F2E4BA5A39EE6358C76B878132
Filesize: 23,658 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Mal/Generic-A [Sophos]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Downloaded sample #20:

File MD5: 0x676B6FFE62FDE57AF0120A50995DA792
File SHA-1: 0x44CEF3D3054443F10FE21591DDB2A266A5C00B69
Filesize: 23,152 bytes
Alias & packer info:

Infostealer.Gampass [Symantec]
Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab]
Generic Dropper.eb [McAfee]
Generic.Onlinegames [Ikarus]
packed with: PE_Patch.UPX [Kaspersky Lab]

Summary of the findings:

What's been found	Severity Level
Registers a 32-bit in-process server DLL.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Trojan-PWS.OnLineGames.GEN	Trojan-PWS.OnLineGames.GEN is a trojan that drops a dll and tries to steal vital information from the infected machine with regards to various online games and then tries to send that information to the author of the trojan.
Trojan-PWS.Magania	Trojan.PSW.Magania steals online gaming login information.
Trojan-Spy.Gampass!sd6	Trojan-Spy.Gampass!sd6 is a malicious application that attempts to steal passwords, login details, and other confidential information.

Attention! The following threat category was identified:

Threat Category	Description
	A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%FontsDir%\6e6EUdxVeWUYJynN.ttf	164 bytes	MD5: 0xB2B0FEA1D60EBBD9B33E803E07AE46F6 SHA-1: 0x279EF1208296C01994BF2B0E734BAE2E4531872D	(not available)
2	%FontsDir%\bKkCsU7Z6YntjH4G.ttf	160 bytes	MD5: 0x970EB39AC2A03A95D554DEF235C0F0EE SHA-1: 0x3C105CECCF6D2FCDA4E82BE57B4ADC71D91E44C9	(not available)
3	%FontsDir%\cD9KArZZUHxCqnyM.ttf	158 bytes	MD5: 0x47D6E588826798682B4997DCEC1B213B SHA-1: 0xA5952E62A21D8264D6350A964636609EA4D97533	(not available)
4	%FontsDir%\d2MP6z9zUaFDsyqu.ttf	200 bytes	MD5: 0x04E79D473776905CDF08FF23F632E315 SHA-1: 0x8950209C190463278CD035F7B49E8792971FA9E5	(not available)
5	%FontsDir%\D9PjvuvCAeWudqwq.ttf	158 bytes	MD5: 0x67FF138E0C98F87982AB6066BEA4FDC7 SHA-1: 0xE954CA4C950047E3DFF001F9DE7532014F28CC57	(not available)
6	%FontsDir%\eCgMhGRkPUcdutd0.ttf	172 bytes	MD5: 0x0E74EE50CCBF0A4EE25C9418991E4601 SHA-1: 0xC8CA7F886084C68E982EA473B763590C04143128	(not available)
7	%FontsDir%\EEUJgNKN6xmNqKr6.ttf	156 bytes	MD5: 0x467B75CC20F2CC35B8A4F462999EBB58 SHA-1: 0x859EB3D0CFAE5A99A42CDACC472D194C35421C63	(not available)
8	%FontsDir%\fKzf9wP6bhq6Bcxa.ttf	184 bytes	MD5: 0x0F6ED7043E2A8BFEB0A13607F6111D12 SHA-1: 0xF41DB6B996A6DF0CFCB1F32DD5DE1BB264F1C970	(not available)
9	%FontsDir%\JNwybEjgUVaxBU5d.ttf	180 bytes	MD5: 0xB8EBCDF0F0935E7AEC027FF274402D2B SHA-1: 0xB188B0AD832D9FD8019DF985133F3885F9A638D6	(not available)
10	%FontsDir%\KXBqRpa2mrNPeXKb.ttf	202 bytes	MD5: 0x39189276F6DA7BA8A511B7BC2C6B0202 SHA-1: 0x794951D693D307630CDE72031039F7C2B7B31FAA	(not available)
11	%FontsDir%\MhaUKGazkr3fZZKp.ttf	162 bytes	MD5: 0x3C7760EA7672250FE3582DE763C4C9E0 SHA-1: 0xA306055449A00A821BB2E43064991044DC64BBF0	(not available)
12	%FontsDir%\PACNkAWTwg4Cyb3e.ttf	178 bytes	MD5: 0xC2F1DE2DF5459013CB9A582D1F41ABB9 SHA-1: 0x2F7152F7B13B0E009727FC88E093326294E83840	(not available)
13	%FontsDir%\pDuuqr4BgFn65AeW.ttf	186 bytes	MD5: 0xA9B80211EB79CFEAEF3285B097B7232F SHA-1: 0x7F808253CE948CBD4F156488E61FBF7231E3E4C3	(not available)
14	%FontsDir%\PrZWDcWgjaE3SQyr.ttf	148 bytes	MD5: 0x9F847F472DE9C06AE1D8E72B71EAC3AB SHA-1: 0xC54B920DBE11134C17B16097AAA0272A6D5E13D2	(not available)
15	%FontsDir%\Qq3qg7RGSp9raxWW.ttf	142 bytes	MD5: 0x1AB355D6FFEA701776D1B8BF014865C1 SHA-1: 0xA5D920ADCAEB7ADA5910D896A5577290EE594B1D	(not available)
16	%FontsDir%\S8a8cnEuaydPJGg8.ttf	148 bytes	MD5: 0x5305D0496B5C259877008E54EEEF7CC5 SHA-1: 0x5152664F4374F519AA423982F6311BE42575D464	(not available)
17	%FontsDir%\ubZJmeB3bJjsGEbf.ttf	166 bytes	MD5: 0x4B4FDDBA731FBCB3DBB8C8F8779D04F9 SHA-1: 0xE8D2D4D837F3F1D6D6A171669C231BF6CD7A49BA	(not available)
18	%FontsDir%\Xgv7TbnvD3yvn.fon	17,511 bytes	MD5: 0x4D36F0313CD07BE8E9144E73E9401FF7 SHA-1: 0x08879BDE1E2214644AF63557F433E811C1EBB180	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayqy [Kaspersky Lab] Mal/Generic-A [Sophos]
19	%FontsDir%\yKY54UdeQT3pEaq2.ttf	160 bytes	MD5: 0x66FC99EA72DA68201FF752B8C31ECB89 SHA-1: 0xF5A285D3604EB1EF50D0A7A4DBB6A46A9C02006E	(not available)
20	%FontsDir%\YywxhF7TSnkktrJw.ttf	200 bytes	MD5: 0xD4A3FCF24A5E00333F42508D8B06093C SHA-1: 0x3CF3141F7EA53C79364435A3388B197937460F6D	(not available)
21	%FontsDir%\zZ5kDff9es3wZ9YZ.ttf	152 bytes	MD5: 0x0BF7AB97E804FCD65513CCF9CE6AC362 SHA-1: 0x2A677BD98A004BFE102DBD2D5E0A301968345E70	(not available)
22	%System%\08223B03.dll	16,472 bytes	MD5: 0x8C98F9C2722798F2CD62D28F330B6FC9 SHA-1: 0x83B07FDC2F9C560983EA95AA3B38C3515A2E5975	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayxo [Kaspersky Lab] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
23	%System%\2EF0D734.dll	219,721 bytes	MD5: 0x47058979EB18CD0EA057E8C99B5C1D9C SHA-1: 0x3F4E409A88921BA8793CB705CFD2514D89AF0ABC	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayxo [Kaspersky Lab] Troj/LdPinch-SE [Sophos] packed with PE_Patch.UPX [Kaspersky Lab]
24	%System%\56BC86C7.dll	16,475 bytes	MD5: 0xEF321BDC73624E00C71B32B3C17C7B79 SHA-1: 0x34A4DE7DC81A49C42D398A530A7902366A29D8DA	Infostealer.Gampass [Symantec] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
25	%System%\704C3595.dll	16,972 bytes	MD5: 0x506B912975E01CA750890D841486CB41 SHA-1: 0x982198807053AD6911CAC11E15072DEC77C2C538	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayxp [Kaspersky Lab] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
26	%System%\76B9BA7A.dll	219,743 bytes	MD5: 0xC632BE5C5AEE363238E0CD3686454D4B SHA-1: 0x8C1F6F695B41F55FDB2321F047EF92C0235C78A1	Trojan-Spy.Gampass!sd6 [PCTools] Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayfd [Kaspersky Lab] PWS-Mmorpg.gen [McAfee] Troj/LdPinch-SE [Sophos] Win-Trojan/OnlineGameHack.219743 [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]
27	%System%\A0C86020.dll	15,444 bytes	MD5: 0x44225C37736754411A75271468155DE1 SHA-1: 0x71B47359675ABF7BADDC4EA361784A204485991E	Infostealer.Gampass [Symantec] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
28	%System%\A1A6BC2E.dll	220,764 bytes	MD5: 0x5F7DE368FEDB059148EAB1AA50F254FC SHA-1: 0x5C2D6DA5C27A68E875BE653C0FB694462C1B8897	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayxo [Kaspersky Lab] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
29	%System%\BMsg6pdMD4ht.dll	13,907 bytes	MD5: 0x36895AE6477A45290E50116BB090DAEE SHA-1: 0x94C2576A8F726869C8BCC8F22A5E40D4586295EB	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.aypu [Kaspersky Lab] Mal_OLGM-6 [Trend Micro] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] Win-Trojan/Magania.13904.C [AhnLab]
30	%System%\dhDhwS7fFW.dll	15,441 bytes	MD5: 0x09F27468A3910249C722BC5A8879F5D6 SHA-1: 0x219DA36C0BCC2DAE5EC1767DF392D139562B6729	Infostealer.Gampass [Symantec] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
31	%System%\E4814792.dll	13,392 bytes	MD5: 0x1AAF9D8E747B43BFE228D6E6F65102F3 SHA-1: 0x063123D6504307391DA1B9A38F8BA1D13B1A8138	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayri [Kaspersky Lab] Mal/Generic-A [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
32	%System%\efc0c52cc1.dll	16,460 bytes	MD5: 0x264FE16464732BD2D661AD49D59D0190 SHA-1: 0x5FD5BA727C538AA7766CA52285FB7FF755AF2B72	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayxo [Kaspersky Lab] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
33	%System%\erdznUfbK0ZF.dll	18,001 bytes	MD5: 0xED60201CD1D04D05E199C34D7958CD53 SHA-1: 0xE6F3C06B3E4123F26391A4DCFB9D03822817CD20	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayww [Kaspersky Lab] Mal/Generic-A [Sophos]
34	%System%\gggg6sZAbKcD.dll	221,781 bytes	MD5: 0xC04C3763A1A28BF854933CCB25FF5960 SHA-1: 0xC6125063DB53620BA53FB4E5633E2ECA5209E42D	Infostealer.Gampass [Symantec] Troj/LdPinch-SE [Sophos] packed with PE_Patch.UPX [Kaspersky Lab]
35	%System%\J9mfQxkJ.dll	15,974 bytes	MD5: 0xFF1F87840ECA6B946ECA3520D9FC30F5 SHA-1: 0x437D150C94CC8415A000A876A3992776DADE98DB	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayxq [Kaspersky Lab] Mal/Generic-A [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
36	%System%\mP5NywQewTxx.dll	16,978 bytes	MD5: 0xA7AF11590926A734377E6FCCE16DC449 SHA-1: 0xE1692D57F0A85BE5FB95EF98C96798926CF379CD	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.aywt [Kaspersky Lab] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
37	[file and pathname of the sample #1]	24,681 bytes	MD5: 0x5E87F8956C98E5B7F3D921185B1B1F2E SHA-1: 0xF962FA89ECAEAD6130FBBEA5B6DF7552F281D9BE	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab] Generic Dropper.eb [McAfee] Mal/Generic-A [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
38	[file and pathname of the sample #10]	22,120 bytes	MD5: 0x056B5EAB52637138828A6192D1C64570 SHA-1: 0x2EF7F155705BA26C0881A79A7C722A3C8E3B2768	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab] Generic Dropper.eb [McAfee] Mal/Generic-A [Sophos] Trojan-PWS.Win32.LdPinch [Ikarus] Win-Trojan/LdPinch.22120.I [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]
39	[file and pathname of the sample #11]	23,652 bytes	MD5: 0x0147AA6DB73B91D988CC90E3125F79C5 SHA-1: 0xF1512A79C26F7DCBB71AADEFC28C30F088B2102E	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab] Generic Dropper.eb [McAfee] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
40	[file and pathname of the sample #12]	21,622 bytes	MD5: 0x74D8A6682C6B0573FE34EBA66F9B6ADE SHA-1: 0x37F3637FBC48FDBE73DEB83612C1C1D07495F6F8	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab] Generic Dropper.eb [McAfee] Mal/Generic-A [Sophos] Trojan-PWS.Win32.LdPinch [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
41	[file and pathname of the sample #13]	22,635 bytes	MD5: 0xA73DAC61218C99EC21CED595CBD8A96D SHA-1: 0xD9F20B4B616F41BCB1991CE763E0901C788E185C	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.aeyx [Kaspersky Lab] Generic Dropper.eb [McAfee] Mal/Generic-A [Sophos] Trojan-PWS.Win32.LdPinch [Ikarus] Win-Trojan/OnlineGameHack.22632.B [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]
42	[file and pathname of the sample #14]	24,172 bytes	MD5: 0x735322286D3E487AE35A5D8724AA723E SHA-1: 0x885389E3896D2C2170B6B5D68998CCB96EA941C0	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab] Generic Dropper.eb [McAfee] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
43	[file and pathname of the sample #15]	23,661 bytes	MD5: 0x82E54979239944CD61040C76C2FEA7DB SHA-1: 0xC27FA510B0BD37D0DCC77F53955EBB4BCE7538E0	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afco [Kaspersky Lab] Generic Dropper.eb [McAfee] packed with PE_Patch.UPX [Kaspersky Lab]
44	[file and pathname of the sample #16]	23,649 bytes	MD5: 0x622E7DE1699D422EB41DCA0E527CC711 SHA-1: 0xB840D9C35A3215245298C68E704D027709B9AB91	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afco [Kaspersky Lab] Generic Dropper.eb [McAfee] packed with PE_Patch.UPX [Kaspersky Lab]
45	[file and pathname of the sample #17]	23,155 bytes	MD5: 0xC21D31A7FEFB329B789623665837E5B9 SHA-1: 0x7F1F10518C463CA817FDB946336F62763679A19F	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab] Generic Dropper.eb [McAfee] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
46	[file and pathname of the sample #18]	23,671 bytes	MD5: 0x6E40365F1ED4782E78F1C2683246748C SHA-1: 0x7F851DFE70DA081A78541CE602EC06DD35D5AC4E	Trojan-Spy.Gampass!sd6 [PCTools] Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.aydy [Kaspersky Lab] Generic Dropper.eb [McAfee] Mal/Generic-A [Sophos] Trojan-PWS.Win32.LdPinch [Ikarus] Win-Trojan/OnlineGameHack.23671.B [AhnLab] packed with PE_Patch.UPX [Kaspersky Lab]
47	[file and pathname of the sample #19]	23,658 bytes	MD5: 0x80EC01749D6D2C1524B1C512712887B1 SHA-1: 0x9F57C3CC55E0F4F2E4BA5A39EE6358C76B878132	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab] Generic Dropper.eb [McAfee] Mal/Generic-A [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
48	[file and pathname of the sample #2]	22,654 bytes	MD5: 0x70EC592BA61ACB582CBB8B57CBA5B992 SHA-1: 0x13AF43C193D895578583CF07D5A11E3F9AB9E6E6	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab] Generic Dropper.eb [McAfee] Mal/Generic-A [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
49	[file and pathname of the sample #20]	23,152 bytes	MD5: 0x676B6FFE62FDE57AF0120A50995DA792 SHA-1: 0x44CEF3D3054443F10FE21591DDB2A266A5C00B69	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab] Generic Dropper.eb [McAfee] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
50	[file and pathname of the sample #3]	24,191 bytes	MD5: 0xF90A33725EA9CA0CD5618585F0DDF44B SHA-1: 0x2A3840A2D62ACB261C8E0D28FE18C5053528836A	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayrx [Kaspersky Lab] Generic Dropper.eb [McAfee] Mal/Generic-A [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
51	[file and pathname of the sample #4]	23,140 bytes	MD5: 0x00018CC6902219D80A054540374AD257 SHA-1: 0xBB80940FCBC9B2935140980B4C501DFAEB966C89	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab] Generic Dropper.eb [McAfee] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
52	[file and pathname of the sample #5]	23,166 bytes	MD5: 0xC8FBC4B6B3793AD38B94CFCDDBEEBA09 SHA-1: 0xD732B2ADF154DBE743C46ADA6942E4B4A97AB80E	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab] Generic Dropper.eb [McAfee] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
53	[file and pathname of the sample #6]	24,169 bytes	MD5: 0x1CA9FDA4FA6ADB9898AD55F0E290D361 SHA-1: 0xAFF9FC6C66C703F43E33BC164ECE430D29619AE9	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afcm [Kaspersky Lab] Generic Dropper.eb [McAfee] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
54	[file and pathname of the sample #7]	23,658 bytes	MD5: 0x712117FB3FFD2AC22B7DF000CAFFFAF8 SHA-1: 0x778BF131197088C2764C1F95F39705790BFD59C6	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab] Generic Dropper.eb [McAfee] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
55	[file and pathname of the sample #8]	22,644 bytes	MD5: 0x8363C698B97C8BCF6A1DB7701C121DC4 SHA-1: 0x4BC80880E147F10BDA42AA79A6048BB5FCE9D053	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afco [Kaspersky Lab] Generic Dropper.eb [McAfee] packed with PE_Patch.UPX [Kaspersky Lab]
56	[file and pathname of the sample #9]	22,118 bytes	MD5: 0xB48A33722A656F9973218D8262F070FE SHA-1: 0xA82A88BB04BE4373A7A3E98F0D2CC2CB3A0D6929	Infostealer.Gampass [Symantec] Trojan-PSW.Win32.LdPinch.afar [Kaspersky Lab] Generic Dropper.eb [McAfee] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
57	%System%\skcfujQ5EDN.dll	16,486 bytes	MD5: 0x1C82EF3CC252A1A78B5162F1352F677B SHA-1: 0xAEA9C892EA3B4E2DDA56BC64CB7B1F6216D7990B	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayxo [Kaspersky Lab] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus]
58	%System%\STG4WdmetW2FP.dll	14,930 bytes	MD5: 0x2A2783BDD9BDA9E13C903318A38AB345 SHA-1: 0x5145355A6B72CE9C9FA41ED1C33EF03DFB72A930	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayxo [Kaspersky Lab] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
59	%System%\ufQCU5.dll	15,438 bytes	MD5: 0x23CAF5715EF24E9CBE57748EE30FEF6F SHA-1: 0x76C47C63E40C93461081DDB5ABBD58232431D4B3	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.aynk [Kaspersky Lab] Troj/LdPinch-SE [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]
60	%System%\wBJk3Fs8ghs.dll	14,942 bytes	MD5: 0xEF131CCD67FA9283C598DCC6195CBD02 SHA-1: 0xE7D7658C2F599885FDB6EC909C7C19D63D39BA1F	Infostealer.Gampass [Symantec] Trojan-GameThief.Win32.Magania.ayrj [Kaspersky Lab] Mal/Generic-A [Sophos] Generic.Onlinegames [Ikarus] packed with PE_Patch.UPX [Kaspersky Lab]

Notes:

%FontsDir% is a variable that refers to a virtual folder containing fonts. A typical path is C:\Windows\Fonts.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #4]	[file and pathname of the sample #4]	36,864 bytes
[filename of the sample #6]	[file and pathname of the sample #6]	36,864 bytes
[filename of the sample #3]	[file and pathname of the sample #3]	36,864 bytes
[filename of the sample #2]	[file and pathname of the sample #2]	36,864 bytes
[filename of the sample #5]	[file and pathname of the sample #5]	36,864 bytes
[filename of the sample #7]	[file and pathname of the sample #7]	36,864 bytes
[filename of the sample #8]	[file and pathname of the sample #8]	36,864 bytes
[filename of the sample #10]	[file and pathname of the sample #10]	36,864 bytes
[filename of the sample #11]	[file and pathname of the sample #11]	36,864 bytes
[filename of the sample #12]	[file and pathname of the sample #12]	36,864 bytes
[filename of the sample #15]	[file and pathname of the sample #15]	36,864 bytes
[filename of the sample #16]	[file and pathname of the sample #16]	36,864 bytes
[filename of the sample #17]	[file and pathname of the sample #17]	36,864 bytes
[filename of the sample #18]	[file and pathname of the sample #18]	36,864 bytes
[filename of the sample #19]	[file and pathname of the sample #19]	36,864 bytes
[filename of the sample #20]	[file and pathname of the sample #20]	36,864 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	36,864 bytes
[filename of the sample #9]	[file and pathname of the sample #9]	36,864 bytes
[filename of the sample #14]	[file and pathname of the sample #14]	36,864 bytes
[filename of the sample #13]	[file and pathname of the sample #13]	36,864 bytes

The following modules were loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
J9mfQxkJ.dll	%System%\J9mfQxkJ.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x18D0000 - 0x18DF000
ufQCU5.dll	%System%\ufQCU5.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1A00000 - 0x1A0F000
BMsg6pdMD4ht.dll	%System%\BMsg6pdMD4ht.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x1D90000 - 0x1D9F000
erdznUfbK0ZF.dll	%System%\erdznUfbK0ZF.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x20B0000 - 0x20C1000
08223B03.dll	%System%\08223B03.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2150000 - 0x2160000
efc0c52cc1.dll	%System%\efc0c52cc1.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x21E0000 - 0x21F0000
E4814792.dll	%System%\E4814792.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2270000 - 0x227E000
Xgv7TbnvD3yvn.fon	%FontsDir%\Xgv7TbnvD3yvn.fon	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2300000 - 0x2311000
704C3595.dll	%System%\704C3595.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x23A0000 - 0x23B0000
A0C86020.dll	%System%\A0C86020.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2430000 - 0x243F000
dhDhwS7fFW.dll	%System%\dhDhwS7fFW.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x24C0000 - 0x24CF000
2EF0D734.dll	%System%\2EF0D734.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2550000 - 0x255F000
gggg6sZAbKcD.dll	%System%\gggg6sZAbKcD.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x25E0000 - 0x25F1000
skcfujQ5EDN.dll	%System%\skcfujQ5EDN.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2680000 - 0x2690000
STG4WdmetW2FP.dll	%System%\STG4WdmetW2FP.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2710000 - 0x271F000
A1A6BC2E.dll	%System%\A1A6BC2E.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x27A0000 - 0x27B0000
76B9BA7A.dll	%System%\76B9BA7A.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2830000 - 0x283F000
wBJk3Fs8ghs.dll	%System%\wBJk3Fs8ghs.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x28C0000 - 0x28CF000
56BC86C7.dll	%System%\56BC86C7.dll	Process name: explorer.exe Process filename: %Windir%\explorer.exe Address space: 0x2950000 - 0x2960000
J9mfQxkJ.dll	%System%\J9mfQxkJ.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xBA0000 - 0xBAF000
ufQCU5.dll	%System%\ufQCU5.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xBB0000 - 0xBBF000
BMsg6pdMD4ht.dll	%System%\BMsg6pdMD4ht.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xBC0000 - 0xBCF000
erdznUfbK0ZF.dll	%System%\erdznUfbK0ZF.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xCC0000 - 0xCD1000
08223B03.dll	%System%\08223B03.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xCE0000 - 0xCF0000
efc0c52cc1.dll	%System%\efc0c52cc1.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xCF0000 - 0xD00000
A1A6BC2E.dll	%System%\A1A6BC2E.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xD10000 - 0xD20000
76B9BA7A.dll	%System%\76B9BA7A.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xD20000 - 0xD2F000
skcfujQ5EDN.dll	%System%\skcfujQ5EDN.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xD30000 - 0xD40000
gggg6sZAbKcD.dll	%System%\gggg6sZAbKcD.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xF60000 - 0xF71000
2EF0D734.dll	%System%\2EF0D734.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xD40000 - 0xD4F000
wBJk3Fs8ghs.dll	%System%\wBJk3Fs8ghs.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xF80000 - 0xF8F000
56BC86C7.dll	%System%\56BC86C7.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xF90000 - 0xFA0000
Xgv7TbnvD3yvn.fon	%FontsDir%\Xgv7TbnvD3yvn.fon	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xFA0000 - 0xFB1000
704C3595.dll	%System%\704C3595.dll	Process name: msmsgs.exe Process filename: %ProgramFiles%\messenger\msmsgs.exe Address space: 0xFC0000 - 0xFD0000
56BC86C7.dll	%System%\56BC86C7.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2530000 - 0x2540000
wBJk3Fs8ghs.dll	%System%\wBJk3Fs8ghs.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2540000 - 0x254F000
76B9BA7A.dll	%System%\76B9BA7A.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2550000 - 0x255F000
A1A6BC2E.dll	%System%\A1A6BC2E.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2560000 - 0x2570000
skcfujQ5EDN.dll	%System%\skcfujQ5EDN.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x2570000 - 0x2580000
gggg6sZAbKcD.dll	%System%\gggg6sZAbKcD.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4790000 - 0x47A1000
2EF0D734.dll	%System%\2EF0D734.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x47B0000 - 0x47BF000
Xgv7TbnvD3yvn.fon	%FontsDir%\Xgv7TbnvD3yvn.fon	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x47C0000 - 0x47D1000
704C3595.dll	%System%\704C3595.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x47E0000 - 0x47F0000
dhDhwS7fFW.dll	%System%\dhDhwS7fFW.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x47F0000 - 0x47FF000
STG4WdmetW2FP.dll	%System%\STG4WdmetW2FP.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4800000 - 0x480F000
efc0c52cc1.dll	%System%\efc0c52cc1.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4810000 - 0x4820000
A0C86020.dll	%System%\A0C86020.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4820000 - 0x482F000
E4814792.dll	%System%\E4814792.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4830000 - 0x483E000
08223B03.dll	%System%\08223B03.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4840000 - 0x4850000
erdznUfbK0ZF.dll	%System%\erdznUfbK0ZF.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4850000 - 0x4861000
BMsg6pdMD4ht.dll	%System%\BMsg6pdMD4ht.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4870000 - 0x487F000
ufQCU5.dll	%System%\ufQCU5.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4880000 - 0x488F000
J9mfQxkJ.dll	%System%\J9mfQxkJ.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x4890000 - 0x489F000
mP5NywQewTxx.dll	%System%\mP5NywQewTxx.dll	Process name: dllhost.exe Process filename: %System%\dllhost.exe Address space: 0x48A0000 - 0x48B0000
erdznUfbK0ZF.dll	%System%\erdznUfbK0ZF.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1620000 - 0x1631000
BMsg6pdMD4ht.dll	%System%\BMsg6pdMD4ht.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1640000 - 0x164F000
ufQCU5.dll	%System%\ufQCU5.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1650000 - 0x165F000
J9mfQxkJ.dll	%System%\J9mfQxkJ.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1660000 - 0x166F000
08223B03.dll	%System%\08223B03.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1670000 - 0x1680000
efc0c52cc1.dll	%System%\efc0c52cc1.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1680000 - 0x1690000
Xgv7TbnvD3yvn.fon	%FontsDir%\Xgv7TbnvD3yvn.fon	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x16A0000 - 0x16B1000
704C3595.dll	%System%\704C3595.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x16C0000 - 0x16D0000
2EF0D734.dll	%System%\2EF0D734.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x16F0000 - 0x16FF000
gggg6sZAbKcD.dll	%System%\gggg6sZAbKcD.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1700000 - 0x1711000
skcfujQ5EDN.dll	%System%\skcfujQ5EDN.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1A60000 - 0x1A70000
A1A6BC2E.dll	%System%\A1A6BC2E.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1A80000 - 0x1A90000
76B9BA7A.dll	%System%\76B9BA7A.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1A90000 - 0x1A9F000
wBJk3Fs8ghs.dll	%System%\wBJk3Fs8ghs.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1AA0000 - 0x1AAF000
56BC86C7.dll	%System%\56BC86C7.dll	Process name: sdnsmain.exe Process filename: %Windir%\dns\sdnsmain.exe Address space: 0x1AB0000 - 0x1AC0000
56BC86C7.dll	%System%\56BC86C7.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1B00000 - 0x1B10000
wBJk3Fs8ghs.dll	%System%\wBJk3Fs8ghs.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1B10000 - 0x1B1F000
76B9BA7A.dll	%System%\76B9BA7A.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1C20000 - 0x1C2F000
A1A6BC2E.dll	%System%\A1A6BC2E.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1C30000 - 0x1C40000
skcfujQ5EDN.dll	%System%\skcfujQ5EDN.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1C40000 - 0x1C50000
gggg6sZAbKcD.dll	%System%\gggg6sZAbKcD.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1C50000 - 0x1C61000
2EF0D734.dll	%System%\2EF0D734.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1C70000 - 0x1C7F000
Xgv7TbnvD3yvn.fon	%FontsDir%\Xgv7TbnvD3yvn.fon	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1C80000 - 0x1C91000
704C3595.dll	%System%\704C3595.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1CA0000 - 0x1CB0000
efc0c52cc1.dll	%System%\efc0c52cc1.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1CD0000 - 0x1CE0000
08223B03.dll	%System%\08223B03.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1D00000 - 0x1D10000
erdznUfbK0ZF.dll	%System%\erdznUfbK0ZF.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1D10000 - 0x1D21000
BMsg6pdMD4ht.dll	%System%\BMsg6pdMD4ht.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1D30000 - 0x1D3F000
ufQCU5.dll	%System%\ufQCU5.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1D40000 - 0x1D4F000
J9mfQxkJ.dll	%System%\J9mfQxkJ.dll	Process name: IEXPLORE.EXE Process filename: %ProgramFiles%\internet explorer\iexplore.exe Address space: 0x1D50000 - 0x1D5F000

Notes:

%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{028A997C-4262-4107-BD46-2ABBC6143E8C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{028A997C-4262-4107-BD46-2ABBC6143E8C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1381B721-B066-44A0-8D9A-AD02A8C29783}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1381B721-B066-44A0-8D9A-AD02A8C29783}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36AC68E6-0C26-4D39-B98E-54B49DAB6BAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36AC68E6-0C26-4D39-B98E-54B49DAB6BAA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FA3CAD1-C5D8-48B9-800A-A7B2D2A23044}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FA3CAD1-C5D8-48B9-800A-A7B2D2A23044}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{669029EE-81FB-496F-9AC4-FE838B16F231}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{669029EE-81FB-496F-9AC4-FE838B16F231}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{737858A9-9AEA-4838-9B49-54DA731F7F37}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{737858A9-9AEA-4838-9B49-54DA731F7F37}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76B9BA7A-81D0-4979-8598-8471F2AB5186}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76B9BA7A-81D0-4979-8598-8471F2AB5186}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76CBCF38-0583-44C7-A1AE-D463DFE625EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76CBCF38-0583-44C7-A1AE-D463DFE625EC}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0C86020-5935-4B87-B20E-0B656D450264}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0C86020-5935-4B87-B20E-0B656D450264}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2106E92-8F18-496C-BCA3-DA17DCE5713E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2106E92-8F18-496C-BCA3-DA17DCE5713E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5CB70CB-3DEE-4E2E-9911-4870175EAB78}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5CB70CB-3DEE-4E2E-9911-4870175EAB78}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C722AD57-35DA-4460-8353-328372F32AB2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C722AD57-35DA-4460-8353-328372F32AB2}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE00760F-DC9F-46C2-9D4E-61B5BB810C51}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE00760F-DC9F-46C2-9D4E-61B5BB810C51}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4814792-EFA3-4C20-93D0-8B130A59F9A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4814792-EFA3-4C20-93D0-8B130A59F9A8}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F7B34FFC-2353-443B-B5FF-42F06417330D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F7B34FFC-2353-443B-B5FF-42F06417330D}\InprocServer32

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{028A997C-4262-4107-BD46-2ABBC6143E8C}\InprocServer32]

(Default) = "%System%\efc0c52cc1.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E}\InprocServer32]

(Default) = "%System%\08223B03.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1381B721-B066-44A0-8D9A-AD02A8C29783}\InprocServer32]

(Default) = "%System%\mP5NywQewTxx.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2EF0D734-21FD-4225-A1A2-BCD296182AAF}\InprocServer32]

(Default) = "%System%\2EF0D734.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36AC68E6-0C26-4D39-B98E-54B49DAB6BAA}\InprocServer32]

(Default) = "%System%\dhDhwS7fFW.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3FA3CAD1-C5D8-48B9-800A-A7B2D2A23044}\InprocServer32]

(Default) = "%System%\J9mfQxkJ.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}\InprocServer32]

(Default) = "%System%\56BC86C7.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{669029EE-81FB-496F-9AC4-FE838B16F231}\InprocServer32]

(Default) = "%System%\erdznUfbK0ZF.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{704C3595-DB85-40F6-A601-8D6F346907BD}\InprocServer32]

(Default) = "%System%\704C3595.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{737858A9-9AEA-4838-9B49-54DA731F7F37}\InprocServer32]

(Default) = "%System%\BMsg6pdMD4ht.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76B9BA7A-81D0-4979-8598-8471F2AB5186}\InprocServer32]

(Default) = "%System%\76B9BA7A.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76CBCF38-0583-44C7-A1AE-D463DFE625EC}\InprocServer32]

(Default) = "%System%\skcfujQ5EDN.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0C86020-5935-4B87-B20E-0B656D450264}\InprocServer32]

(Default) = "%System%\A0C86020.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8}\InprocServer32]

(Default) = "%System%\A1A6BC2E.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2106E92-8F18-496C-BCA3-DA17DCE5713E}\InprocServer32]

(Default) = "%FontsDir%\Xgv7TbnvD3yvn.fon"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5CB70CB-3DEE-4E2E-9911-4870175EAB78}\InprocServer32]

(Default) = "%System%\gggg6sZAbKcD.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C722AD57-35DA-4460-8353-328372F32AB2}\InprocServer32]

(Default) = "%System%\ufQCU5.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE00760F-DC9F-46C2-9D4E-61B5BB810C51}\InprocServer32]

(Default) = "%System%\STG4WdmetW2FP.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E4814792-EFA3-4C20-93D0-8B130A59F9A8}\InprocServer32]

(Default) = "%System%\E4814792.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F7B34FFC-2353-443B-B5FF-42F06417330D}\InprocServer32]

(Default) = "%System%\wBJk3Fs8ghs.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

{3FA3CAD1-C5D8-48B9-800A-A7B2D2A23044} = ""
{C722AD57-35DA-4460-8353-328372F32AB2} = ""
{737858A9-9AEA-4838-9B49-54DA731F7F37} = ""
{669029EE-81FB-496F-9AC4-FE838B16F231} = ""
{08223B03-1B38-4A33-A83A-A4D3CC1D6E4E} = ""
{028A997C-4262-4107-BD46-2ABBC6143E8C} = ""
{A0C86020-5935-4B87-B20E-0B656D450264} = ""
{E4814792-EFA3-4C20-93D0-8B130A59F9A8} = ""
{704C3595-DB85-40F6-A601-8D6F346907BD} = ""
{76CBCF38-0583-44C7-A1AE-D463DFE625EC} = ""
{B2106E92-8F18-496C-BCA3-DA17DCE5713E} = ""
{1381B721-B066-44A0-8D9A-AD02A8C29783} = ""
{DE00760F-DC9F-46C2-9D4E-61B5BB810C51} = ""
{2EF0D734-21FD-4225-A1A2-BCD296182AAF} = ""
{B5CB70CB-3DEE-4E2E-9911-4870175EAB78} = ""
{36AC68E6-0C26-4D39-B98E-54B49DAB6BAA} = ""
{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C} = ""
{76B9BA7A-81D0-4979-8598-8471F2AB5186} = ""
{F7B34FFC-2353-443B-B5FF-42F06417330D} = ""
{A1A6BC2E-C6A1-43C1-8884-A31D772F42B8} = ""

Other details

There were application-defined hook procedures installed into the hook chain (e.g. to monitor keystrokes). The installed hooks are handled by the following modules:

%System%\efc0c52cc1.dll
%System%\dhDhwS7fFW.dll
%FontsDir%\Xgv7TbnvD3yvn.fon
%System%\J9mfQxkJ.dll
%System%\skcfujQ5EDN.dll
%System%\mP5NywQewTxx.dll
%System%\A1A6BC2E.dll
%System%\E4814792.dll
%System%\704C3595.dll
%System%\wBJk3Fs8ghs.dll
%System%\gggg6sZAbKcD.dll
%System%\2EF0D734.dll
%System%\56BC86C7.dll
%System%\76B9BA7A.dll
%System%\STG4WdmetW2FP.dll
%System%\08223B03.dll
%System%\erdznUfbK0ZF.dll
%System%\ufQCU5.dll
%System%\A0C86020.dll
%System%\BMsg6pdMD4ht.dll

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.