HEUR_PDFEXP.E

HEUR_PDFEXP.E is a generic detection that some anti-malware programs use to refer to malicious PDF files that use a known vulnerability in Adobe Reader to install other malware on the infected computer. Due to their nature, HEUR_PDFEXP.E malicious files are typically used in social engineering scams. They will often be disguised as some kind of interesting document related to a top news item. Opening them will often open an actual PDF file that contains some kind of related document. However, in the background, HEUR_PDFEXP.E will exploit a known vulnerability in Adobe Reader that allows criminals to execute malicious code. This means that HEUR_PDFEXP.E files can be used to install malware in the background, often used to install a backdoor on the infected computer without the victim's knowledge. These kinds of covert malware infections are ideal for the installation of spy and banking Trojans that operate in the background undetected.

HEUR_PDFEXP.E and the United States Presidential Campaign

As mentioned before, HEUR_PDFEXP.E attacks will typically use a social engineering approach that takes advantage of top news stories in a particular news cycle. Of course, in October of 2012, few things top the United States Presidential election race in the news. Because of this, HEUR_PDFEXP.E attacks using malicious PDF files claiming to be everything from Mitt Romney's tax returns to facts about Barack Obama and fake news stories from top media outlets. Malware attacks using the 2012 presidential campaigns as a way to reach inexperienced computer users are likely to go on for the next two months. Because of this, ESG malware analysts strongly advise computer users to get their news from a trusted news source and never from unsolicited email messages containing embedded links or attached files.

While most computer users have been educated to avoid opening compressed file attachments (such as those with RAR or ZIP extensions) or executable file attachments (especially those with the EXE extension), many are not aware that malware can be distributed using PDF and even DOC documents. Using known flaws in Adobe Reader and Microsoft Word, criminals can create innocuous documents that actually install malware on the victim's computer. The best way to avoid these attacks is to never open or download unsolicited email attachments, regardless of their extension (which can be easily disguised).

Analysis Report

General information

Family Name:	HEUR.Malware.Crunch.Generic
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: bacc9eef6e05616e8105fc9bfc2a3a22 SHA1: 39e5b1e059e6c7c2c2ec914699e188ef2b66d4fa SHA256: 3BF50006139E99D32480A106F82699EFEEB6921353C5164223E9F881DCD18083 File Size: 200.70 KB, 200704 bytes

MD5: 4b2f16b3985d6dd1d09817581ec7503a SHA1: d30f9a6bfdcce7b1ced61460a69c7815fc2eb751 SHA256: 62C41AF537C7E3AF9E911679956291C33FA456EAD68F336D5642A8FB5EE5BFF9 File Size: 2.85 MB, 2854912 bytes

MD5: b037f6b81ca1d4245c016a03d1082ed5 SHA1: 67593448b3dd43de5652355214f4929def336450 SHA256: 8E47D54ABF32884AC26D9BAB25406E541194747F526D8A0D0712C7C944BC3002 File Size: 1.14 MB, 1137152 bytes

MD5: 39abd6972c499e2d987c102225d027cb SHA1: 0adfabc3f91d9dd4a2551f63c2ef8e12d16b75a9 SHA256: 3C7E89170DD3451067C342EB32EF7F4F03FFA2356D9E4171B490157CB19C99C5 File Size: 2.18 MB, 2181632 bytes

MD5: c20c4ea6ca056eaa85ca10167d074713 SHA1: f146c1732f410cc91dfdcf3fc0eb4305b0c4cf86 SHA256: 5C59494A19D3E44BDE4C94B8334605C39C742A249428EF745D1C162660C8DBB3 File Size: 8.55 MB, 8553984 bytes

Show More

MD5: 58e2ab7415dc8ae8db0105e25df52552 SHA1: db19796025145733d020642920871cddeb689e8f SHA256: 254405E61BCA79A9F402D2D4B52552B64195D9B052C63B68F6B0DD49C777CD6D File Size: 962.56 KB, 962560 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have security information
• File has TLS information
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)

Show More

• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Comments	AutoPatcher 5.0 Share your Music!
Company Name	Antonis Kaladis lone wolf OptiSoft, S.L. Publysoft Wolf
File Description	Blubster servent main executable Tutor mecanográfico
File Version	5.00.0021 1.02.0003 1.00.0048 1.00.0010 1.00.0007
Internal Name	AutoPatcher Blubster iTPV Mecanografiax WinBallit
Legal Copyright	Copyright (C) 2001 Optisoft, S.L. Programmed by Pablo Soto. Copyright (c) 2004-2005 Antonis Kaladis José Parra
Legal Trademarks	Blubster is a registered trademark of Optisoft, S.L. MicroSoft Visual Basic
Original Filename	AutoPatcher.exe Blubster.exe iTPV.exe Mecanografiax.exe WinBallit.exe
Product Name	AutoPatcher Blubster Servent iTPV Mecanografiax WinBallit
Product Version	5.00.0021 1.02.0003 1.00.0048 1.00.0010 1.00.0007

File Traits

• 2+ executable sections
• HighEntropy
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	9
Potentially Malicious Blocks:	0
Whitelisted Blocks:	0
Unknown Blocks:	9

Visual Map

? ? ? ? ? ? ? ? ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
\device\namedpipe\gmdasllogger	Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_16.db	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\explorer\iconcache_idx.db	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-gcv9i.tmp\is-6duce.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\is-o543i.tmp\_shfoldr.dll	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\~df92ca4b8603dd6d9c.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\~dfa8a85a2945e9baf2.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\syswow64\comdlg32.ocx	Generic Write,Read Attributes
c:\windows\syswow64\dbgrid32.ocx	Generic Write,Read Attributes
c:\windows\syswow64\ebcrypt.dll	Generic Write,Read Attributes

Show More

c:\windows\syswow64\hookmenu.ocx	Generic Write,Read Attributes
c:\windows\syswow64\impulsemp3.dll	Generic Write,Read Attributes
c:\windows\syswow64\impulsemp3.ocx	Generic Write,Read Attributes
c:\windows\syswow64\kewlbuttonz.ocx	Generic Write,Read Attributes
c:\windows\syswow64\mscal.ocx	Generic Write,Read Attributes
c:\windows\syswow64\mscomctl.ocx	Generic Write,Read Attributes
c:\windows\syswow64\msflxgrd.ocx	Generic Write,Read Attributes
c:\windows\syswow64\msinet.ocx	Generic Write,Read Attributes
c:\windows\syswow64\msmapi32.ocx	Generic Write,Read Attributes
c:\windows\syswow64\msvbvm50.dll	Generic Write,Read Attributes
c:\windows\syswow64\msvbvm60.dll	Generic Write,Read Attributes
c:\windows\syswow64\msvcrt.dll	Generic Write,Read Attributes
c:\windows\syswow64\mswinsck.ocx	Generic Write,Read Attributes
c:\windows\syswow64\psbtryicon.ocx	Generic Write,Read Attributes
c:\windows\syswow64\richtx32.ocx	Generic Write,Read Attributes
c:\windows\syswow64\shdocvw.dll	Generic Write,Read Attributes
c:\windows\syswow64\ssmaxmin.ocx	Generic Write,Read Attributes
c:\windows\syswow64\stkit432.dll	Generic Write,Read Attributes
c:\windows\syswow64\tabctl32.ocx	Generic Write,Read Attributes
c:\windows\syswow64\wininet.dll	Generic Write,Read Attributes
c:\windows\syswow64\wsock32.dll	Generic Write,Read Attributes

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKLM\software\classes\ebcrypt.eb_c_library.1::	eb_c_Library Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_library.1\clsid::	{B8A079DF-CA9D-478D-89AB-B75E185E60F4}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_library::	eb_c_Library Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_library\clsid::	{B8A079DF-CA9D-478D-89AB-B75E185E60F4}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_library\curver::	EbCrypt.eb_c_Library.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b8a079df-ca9d-478d-89ab-b75e185e60f4}::	eb_c_Library Class	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b8a079df-ca9d-478d-89ab-b75e185e60f4}\progid::	EbCrypt.eb_c_Library.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b8a079df-ca9d-478d-89ab-b75e185e60f4}\versionindependentprogid::	EbCrypt.eb_c_Library	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b8a079df-ca9d-478d-89ab-b75e185e60f4}\inprocserver32::	C:\WINDOWS\SysWow64\EBCRYPT.DLL	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{b8a079df-ca9d-478d-89ab-b75e185e60f4}\inprocserver32::threadingmodel	Apartment	RegNtPreCreateKey

Show More

HKLM\software\classes\wow6432node\clsid\{b8a079df-ca9d-478d-89ab-b75e185e60f4}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_hash.1::	eb_c_Hash Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_hash.1\clsid::	{1DA6245D-58CA-49ED-9F68-11A3A4250622}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_hash::	eb_c_Hash Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_hash\clsid::	{1DA6245D-58CA-49ED-9F68-11A3A4250622}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_hash\curver::	EbCrypt.eb_c_Hash.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{1da6245d-58ca-49ed-9f68-11a3a4250622}::	eb_c_Hash Class	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{1da6245d-58ca-49ed-9f68-11a3a4250622}\progid::	EbCrypt.eb_c_Hash.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{1da6245d-58ca-49ed-9f68-11a3a4250622}\versionindependentprogid::	EbCrypt.eb_c_Hash	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{1da6245d-58ca-49ed-9f68-11a3a4250622}\inprocserver32::	C:\WINDOWS\SysWow64\EBCRYPT.DLL	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{1da6245d-58ca-49ed-9f68-11a3a4250622}\inprocserver32::threadingmodel	Apartment	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{1da6245d-58ca-49ed-9f68-11a3a4250622}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_cipher.1::	eb_c_Cipher Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_cipher.1\clsid::	{0A34A626-F478-4DC0-B26F-9DBB0C9CA751}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_cipher::	eb_c_Cipher Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_cipher\clsid::	{0A34A626-F478-4DC0-B26F-9DBB0C9CA751}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_cipher\curver::	EbCrypt.eb_c_Cipher.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{0a34a626-f478-4dc0-b26f-9dbb0c9ca751}::	eb_c_Cipher Class	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{0a34a626-f478-4dc0-b26f-9dbb0c9ca751}\progid::	EbCrypt.eb_c_Cipher.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{0a34a626-f478-4dc0-b26f-9dbb0c9ca751}\versionindependentprogid::	EbCrypt.eb_c_Cipher	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{0a34a626-f478-4dc0-b26f-9dbb0c9ca751}\inprocserver32::	C:\WINDOWS\SysWow64\EBCRYPT.DLL	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{0a34a626-f478-4dc0-b26f-9dbb0c9ca751}\inprocserver32::threadingmodel	Apartment	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{0a34a626-f478-4dc0-b26f-9dbb0c9ca751}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalcipher.1::	eb_c_IncrementalCipher Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalcipher.1\clsid::	{5F755531-47EE-401D-B39A-15C121E17C48}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalcipher::	eb_c_IncrementalCipher Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalcipher\clsid::	{5F755531-47EE-401D-B39A-15C121E17C48}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalcipher\curver::	EbCrypt.eb_c_IncrementalCipher.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{5f755531-47ee-401d-b39a-15c121e17c48}::	eb_c_IncrementalCipher Class	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{5f755531-47ee-401d-b39a-15c121e17c48}\progid::	EbCrypt.eb_c_IncrementalCipher.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{5f755531-47ee-401d-b39a-15c121e17c48}\versionindependentprogid::	EbCrypt.eb_c_IncrementalCipher	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{5f755531-47ee-401d-b39a-15c121e17c48}\inprocserver32::	C:\WINDOWS\SysWow64\EBCRYPT.DLL	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{5f755531-47ee-401d-b39a-15c121e17c48}\inprocserver32::threadingmodel	Apartment	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{5f755531-47ee-401d-b39a-15c121e17c48}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalhash.1::	eb_c_IncrementalHash Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalhash.1\clsid::	{3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalhash::	eb_c_IncrementalHash Class	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalhash\clsid::	{3C34EAC7-9904-4415-BBE4-82AA8C0C0BE8}	RegNtPreCreateKey
HKLM\software\classes\ebcrypt.eb_c_incrementalhash\curver::	EbCrypt.eb_c_IncrementalHash.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3c34eac7-9904-4415-bbe4-82aa8c0c0be8}::	eb_c_IncrementalHash Class	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3c34eac7-9904-4415-bbe4-82aa8c0c0be8}\progid::	EbCrypt.eb_c_IncrementalHash.1	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3c34eac7-9904-4415-bbe4-82aa8c0c0be8}\versionindependentprogid::	EbCrypt.eb_c_IncrementalHash	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3c34eac7-9904-4415-bbe4-82aa8c0c0be8}\inprocserver32::	C:\WINDOWS\SysWow64\EBCRYPT.DLL	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3c34eac7-9904-4415-bbe4-82aa8c0c0be8}\inprocserver32::threadingmodel	Apartment	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{3c34eac7-9904-4415-bbe4-82aa8c0c0be8}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\typelib\{84341299-5345-45f8-ac59-ef04ecc59623}\1.0::	ebCrypt 1.0 Type Library	RegNtPreCreateKey
HKLM\software\classes\typelib\{84341299-5345-45f8-ac59-ef04ecc59623}\1.0\flags::	0	RegNtPreCreateKey
HKLM\software\classes\typelib\{84341299-5345-45f8-ac59-ef04ecc59623}\1.0\0\win32::	C:\WINDOWS\SysWow64\EBCRYPT.DLL	RegNtPreCreateKey
HKLM\software\classes\typelib\{84341299-5345-45f8-ac59-ef04ecc59623}\1.0\helpdir::	C:\WINDOWS\system32\	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{dceee9a3-bceb-4eaf-af13-b896e8b9883b}::	_Ieb_c_LibraryEvents	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{dceee9a3-bceb-4eaf-af13-b896e8b9883b}\proxystubclsid32::	{00020420-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{dceee9a3-bceb-4eaf-af13-b896e8b9883b}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{dceee9a3-bceb-4eaf-af13-b896e8b9883b}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\interface\{dceee9a3-bceb-4eaf-af13-b896e8b9883b}::	_Ieb_c_LibraryEvents	RegNtPreCreateKey
HKLM\software\classes\interface\{dceee9a3-bceb-4eaf-af13-b896e8b9883b}\proxystubclsid32::	{00020420-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{dceee9a3-bceb-4eaf-af13-b896e8b9883b}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\interface\{dceee9a3-bceb-4eaf-af13-b896e8b9883b}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{2e8a0b09-7ed2-46e8-8521-339f8d3606e4}::	Ieb_c_Hash	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{2e8a0b09-7ed2-46e8-8521-339f8d3606e4}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{2e8a0b09-7ed2-46e8-8521-339f8d3606e4}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{2e8a0b09-7ed2-46e8-8521-339f8d3606e4}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\interface\{2e8a0b09-7ed2-46e8-8521-339f8d3606e4}::	Ieb_c_Hash	RegNtPreCreateKey
HKLM\software\classes\interface\{2e8a0b09-7ed2-46e8-8521-339f8d3606e4}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{2e8a0b09-7ed2-46e8-8521-339f8d3606e4}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\interface\{2e8a0b09-7ed2-46e8-8521-339f8d3606e4}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{214ddeab-1b42-47f3-958c-0ec3b720cb64}::	Ieb_c_IncrementalHash	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{214ddeab-1b42-47f3-958c-0ec3b720cb64}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{214ddeab-1b42-47f3-958c-0ec3b720cb64}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{214ddeab-1b42-47f3-958c-0ec3b720cb64}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\interface\{214ddeab-1b42-47f3-958c-0ec3b720cb64}::	Ieb_c_IncrementalHash	RegNtPreCreateKey
HKLM\software\classes\interface\{214ddeab-1b42-47f3-958c-0ec3b720cb64}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{214ddeab-1b42-47f3-958c-0ec3b720cb64}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\interface\{214ddeab-1b42-47f3-958c-0ec3b720cb64}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{66ba18a8-a8bf-45fb-a650-9d84dbe59920}::	Ieb_c_Cipher	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{66ba18a8-a8bf-45fb-a650-9d84dbe59920}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{66ba18a8-a8bf-45fb-a650-9d84dbe59920}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{66ba18a8-a8bf-45fb-a650-9d84dbe59920}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\interface\{66ba18a8-a8bf-45fb-a650-9d84dbe59920}::	Ieb_c_Cipher	RegNtPreCreateKey
HKLM\software\classes\interface\{66ba18a8-a8bf-45fb-a650-9d84dbe59920}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{66ba18a8-a8bf-45fb-a650-9d84dbe59920}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\interface\{66ba18a8-a8bf-45fb-a650-9d84dbe59920}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{1520a7ac-ab8f-4cc4-bc3d-211b82735f06}::	Ieb_c_IncrementalCipher	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{1520a7ac-ab8f-4cc4-bc3d-211b82735f06}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{1520a7ac-ab8f-4cc4-bc3d-211b82735f06}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{1520a7ac-ab8f-4cc4-bc3d-211b82735f06}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\interface\{1520a7ac-ab8f-4cc4-bc3d-211b82735f06}::	Ieb_c_IncrementalCipher	RegNtPreCreateKey
HKLM\software\classes\interface\{1520a7ac-ab8f-4cc4-bc3d-211b82735f06}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{1520a7ac-ab8f-4cc4-bc3d-211b82735f06}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\interface\{1520a7ac-ab8f-4cc4-bc3d-211b82735f06}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{8180a126-70b9-4851-b940-ff7e50d71c19}::	Ieb_c_Library	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{8180a126-70b9-4851-b940-ff7e50d71c19}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{8180a126-70b9-4851-b940-ff7e50d71c19}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{8180a126-70b9-4851-b940-ff7e50d71c19}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\interface\{8180a126-70b9-4851-b940-ff7e50d71c19}::	Ieb_c_Library	RegNtPreCreateKey
HKLM\software\classes\interface\{8180a126-70b9-4851-b940-ff7e50d71c19}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{8180a126-70b9-4851-b940-ff7e50d71c19}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\interface\{8180a126-70b9-4851-b940-ff7e50d71c19}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{70281e5f-c789-497f-9d7f-4bbbfa3764c3}::	_Ieb_c_IncrementalCipherEvents	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{70281e5f-c789-497f-9d7f-4bbbfa3764c3}\proxystubclsid32::	{00020420-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{70281e5f-c789-497f-9d7f-4bbbfa3764c3}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{70281e5f-c789-497f-9d7f-4bbbfa3764c3}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\interface\{70281e5f-c789-497f-9d7f-4bbbfa3764c3}::	_Ieb_c_IncrementalCipherEvents	RegNtPreCreateKey
HKLM\software\classes\interface\{70281e5f-c789-497f-9d7f-4bbbfa3764c3}\proxystubclsid32::	{00020420-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{70281e5f-c789-497f-9d7f-4bbbfa3764c3}\typelib::	{84341299-5345-45F8-AC59-EF04ECC59623}	RegNtPreCreateKey
HKLM\software\classes\interface\{70281e5f-c789-497f-9d7f-4bbbfa3764c3}\typelib::version	1.0	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{057eee47-2572-4aa1-88d7-60ce2149e33c}\inprocserver32::	C:\WINDOWS\SysWow64\WININET.DLL	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{057eee47-2572-4aa1-88d7-60ce2149e33c}\inprocserver32::threadingmodel	Both	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{057eee47-2572-4aa1-88d7-60ce2149e33c}::	PSFactoryBuffer	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{b06b0ce5-689b-4afd-b326-0a08a1a647af}\proxystubclsid32::	{057EEE47-2572-4AA1-88D7-60CE2149E33C}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{b06b0ce5-689b-4afd-b326-0a08a1a647af}::	IWininetBroker	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{b06b0ce5-689b-4afd-b326-0a08a1a647af}\nummethods::		RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{a168aadc-1674-49da-ad4f-4f27df8760d0}\proxystubclsid32::	{057EEE47-2572-4AA1-88D7-60CE2149E33C}	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{a168aadc-1674-49da-ad4f-4f27df8760d0}::	IUrlCacheManager	RegNtPreCreateKey
HKLM\software\classes\wow6432node\interface\{a168aadc-1674-49da-ad4f-4f27df8760d0}\nummethods::	4	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d5de8d20-5bb8-11d1-a1e3-00a0c90f2731}::	VBPropertyBag	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d5de8d20-5bb8-11d1-a1e3-00a0c90f2731}\inprocserver32::	C:\WINDOWS\SysWow64\MSVBVM60.DLL	RegNtPreCreateKey
HKLM\software\classes\wow6432node\clsid\{d5de8d20-5bb8-11d1-a1e3-00a0c90f2731}\inprocserver32::threadingmodel	Apartment	RegNtPreCreateKey
HKLM\software\classes\typelib\{000204ef-0000-0000-c000-000000000046}\6.0\9\win32::	C:\WINDOWS\SysWow64\MSVBVM60.DLL	RegNtPreCreateKey
HKLM\software\classes\interface\{a4c466b8-499f-101b-bb78-00aa00383cbb}::	_ErrObject	RegNtPreCreateKey
HKLM\software\classes\interface\{a4c466b8-499f-101b-bb78-00aa00383cbb}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{a4c466b8-499f-101b-bb78-00aa00383cbb}\typelib::	{000204EF-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{a4c466b8-499f-101b-bb78-00aa00383cbb}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{a4c46780-499f-101b-bb78-00aa00383cbb}::	_Collection	RegNtPreCreateKey
HKLM\software\classes\interface\{a4c46780-499f-101b-bb78-00aa00383cbb}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{a4c46780-499f-101b-bb78-00aa00383cbb}\typelib::	{000204EF-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{a4c46780-499f-101b-bb78-00aa00383cbb}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\typelib\{ea544a21-c82d-11d1-a3e4-00a0c90aea82}\6.0\9\win32::	C:\WINDOWS\SysWow64\MSVBVM60.DLL\3	RegNtPreCreateKey
HKLM\software\classes\interface\{45046d60-08ca-11cf-a90f-00aa0062bb4c}::	PropertyBag_VB5	RegNtPreCreateKey
HKLM\software\classes\interface\{45046d60-08ca-11cf-a90f-00aa0062bb4c}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{45046d60-08ca-11cf-a90f-00aa0062bb4c}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{45046d60-08ca-11cf-a90f-00aa0062bb4c}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{4495ad01-c993-11d1-a3e4-00a0c90aea82}::	_PropertyBag	RegNtPreCreateKey
HKLM\software\classes\interface\{4495ad01-c993-11d1-a3e4-00a0c90aea82}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{4495ad01-c993-11d1-a3e4-00a0c90aea82}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{4495ad01-c993-11d1-a3e4-00a0c90aea82}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{41a7d761-6018-11cf-9016-00aa0068841e}::	DataObjectFiles	RegNtPreCreateKey
HKLM\software\classes\interface\{41a7d761-6018-11cf-9016-00aa0068841e}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{41a7d761-6018-11cf-9016-00aa0068841e}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{41a7d761-6018-11cf-9016-00aa0068841e}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{41a7d760-6018-11cf-9016-00aa0068841e}::	DataObject	RegNtPreCreateKey
HKLM\software\classes\interface\{41a7d760-6018-11cf-9016-00aa0068841e}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{41a7d760-6018-11cf-9016-00aa0068841e}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{41a7d760-6018-11cf-9016-00aa0068841e}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{b28fa150-0ff0-11cf-a911-00aa0062bb4c}::	AmbientProperties	RegNtPreCreateKey
HKLM\software\classes\interface\{b28fa150-0ff0-11cf-a911-00aa0062bb4c}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{b28fa150-0ff0-11cf-a911-00aa0062bb4c}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{b28fa150-0ff0-11cf-a911-00aa0062bb4c}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{2ce46480-1a08-11cf-ad63-00aa00614f3e}::	SelectedControls	RegNtPreCreateKey
HKLM\software\classes\interface\{2ce46480-1a08-11cf-ad63-00aa00614f3e}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{2ce46480-1a08-11cf-ad63-00aa00614f3e}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{2ce46480-1a08-11cf-ad63-00aa00614f3e}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{be8f9800-2aaa-11cf-ad67-00aa00614f3e}::	ParentControls	RegNtPreCreateKey
HKLM\software\classes\interface\{be8f9800-2aaa-11cf-ad67-00aa00614f3e}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{be8f9800-2aaa-11cf-ad67-00aa00614f3e}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{be8f9800-2aaa-11cf-ad67-00aa00614f3e}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{c0324960-2aaa-11cf-ad67-00aa00614f3e}::	ContainedControls	RegNtPreCreateKey
HKLM\software\classes\interface\{c0324960-2aaa-11cf-ad67-00aa00614f3e}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{c0324960-2aaa-11cf-ad67-00aa00614f3e}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{c0324960-2aaa-11cf-ad67-00aa00614f3e}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{d4e0f020-720a-11cf-8136-00aa00c14959}::	DataBindings	RegNtPreCreateKey
HKLM\software\classes\interface\{d4e0f020-720a-11cf-8136-00aa00c14959}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{d4e0f020-720a-11cf-8136-00aa00c14959}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{d4e0f020-720a-11cf-8136-00aa00c14959}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{7500a6ba-eb65-11d1-938d-0000f87557c9}::	DataBinding	RegNtPreCreateKey
HKLM\software\classes\interface\{7500a6ba-eb65-11d1-938d-0000f87557c9}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{7500a6ba-eb65-11d1-938d-0000f87557c9}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{7500a6ba-eb65-11d1-938d-0000f87557c9}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f0-7697-11d1-a1e9-00a0c90f2731}::	EventParameter	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f0-7697-11d1-a1e9-00a0c90f2731}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f0-7697-11d1-a1e9-00a0c90f2731}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f0-7697-11d1-a1e9-00a0c90f2731}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f1-7697-11d1-a1e9-00a0c90f2731}::	EventParameters	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f1-7697-11d1-a1e9-00a0c90f2731}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f1-7697-11d1-a1e9-00a0c90f2731}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f1-7697-11d1-a1e9-00a0c90f2731}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f2-7697-11d1-a1e9-00a0c90f2731}::	EventInfo	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f2-7697-11d1-a1e9-00a0c90f2731}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f2-7697-11d1-a1e9-00a0c90f2731}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{c4d651f2-7697-11d1-a1e9-00a0c90f2731}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{888a5a60-b283-11cf-8ad5-00a0c90aea82}::	Hyperlink	RegNtPreCreateKey
HKLM\software\classes\interface\{888a5a60-b283-11cf-8ad5-00a0c90aea82}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{888a5a60-b283-11cf-8ad5-00a0c90aea82}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{888a5a60-b283-11cf-8ad5-00a0c90aea82}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{14e469e0-bf61-11cf-8385-8f69d8f1350b}::	AsyncProperty_VB5	RegNtPreCreateKey
HKLM\software\classes\interface\{14e469e0-bf61-11cf-8385-8f69d8f1350b}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{14e469e0-bf61-11cf-8385-8f69d8f1350b}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey
HKLM\software\classes\interface\{14e469e0-bf61-11cf-8385-8f69d8f1350b}\typelib::version	6.0	RegNtPreCreateKey
HKLM\software\classes\interface\{cbb76011-c508-11d1-a3e3-00a0c90aea82}::	AsyncProperty	RegNtPreCreateKey
HKLM\software\classes\interface\{cbb76011-c508-11d1-a3e3-00a0c90aea82}\proxystubclsid32::	{00020424-0000-0000-C000-000000000046}	RegNtPreCreateKey
HKLM\software\classes\interface\{cbb76011-c508-11d1-a3e3-00a0c90aea82}\typelib::	{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}	RegNtPreCreateKey

1327 additional registry modifications are not displayed above.

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Anti Debug	IsDebuggerPresent
User Data Access	GetUserObjectInformation
Other Suspicious	SetWindowsHookEx
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

C:\Users\Uwjebxak\AppData\Local\Temp\is-GCV9I.tmp\is-6DUCE.tmp /SL4 $702B8 c:\users\user\downloads\f146c1732f410cc91dfdcf3fc0eb4305b0c4cf86_0008553984 8503063 68096