Trojan.Downloader.Delf.B
Analysis Report
General information
| Family Name: | Trojan.Downloader.Delf.B |
|---|---|
| Packers: | UPX! |
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File has TLS information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
File Traits
- .adata
- .aspack
- ASPack v2.1
- ASPack v2.12
- big overlay
- HighEntropy
- No Version Info
- packed
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 3,196 |
|---|---|
| Potentially Malicious Blocks: | 110 |
| Whitelisted Blocks: | 3,086 |
| Unknown Blocks: | 0 |
Visual Map
Visual map data not reproducible in text form (truncated in source).
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.EDA
- Delf.VG
- Ekstak.AN
- FormBook.E
- IEHelper.B
- Kryptik.GSJ
- Kryptik.RA
- Lamer.CF
- NetZone.A
- QQPass.AK
- Stealer.BBA
- Trojan.Downloader.Gen.MD
- Trojan.Kryptik.Gen.FZ
- Wapomi.F
- Webalta.A
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| c:\program files (x86)\saleheen | Synchronize,Write Attributes |
| c:\program files (x86)\saleheen\saleheen.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\program files (x86)\saleheen\saleheen.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\for islam | Synchronize,Write Attributes |
| c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\for islam\saleheen.lnk | Generic Read,Write Data,Write Attributes,Write extended,Append data |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\winrar sfx::c%%program files (x86)%saleheen | C:\Program Files (x86)\saleheen | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\4983c0daa40c154f80442f6618d2e9e40a987647_0000308197 | RegNtPreCreateKey |
| HKLM\software\classes\4983c0daa40c154f80442f6618d2e9e40a987647_0000308197.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\4983c0daa40c154f80442f6618d2e9e40a987647_0000308197.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | 4983c0daa40c154f80442f6618d2e9e40a987647_0000308197.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\87867593b1263b9790643551a1aed16214a58ccc_0000414341 | RegNtPreCreateKey |
| HKLM\software\classes\87867593b1263b9790643551a1aed16214a58ccc_0000414341.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\87867593b1263b9790643551a1aed16214a58ccc_0000414341.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | 87867593b1263b9790643551a1aed16214a58ccc_0000414341.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\8a653f0cb63bedbaf93a665e8728e78c1a64f6a8_0000360471 | RegNtPreCreateKey |
| HKLM\software\classes\8a653f0cb63bedbaf93a665e8728e78c1a64f6a8_0000360471.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\8a653f0cb63bedbaf93a665e8728e78c1a64f6a8_0000360471.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | 8a653f0cb63bedbaf93a665e8728e78c1a64f6a8_0000360471.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\39f055add0f50ac429fc0e107cb265c423b5c70d_0000509770 | RegNtPreCreateKey |
| HKLM\software\classes\39f055add0f50ac429fc0e107cb265c423b5c70d_0000509770.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\39f055add0f50ac429fc0e107cb265c423b5c70d_0000509770.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | 39f055add0f50ac429fc0e107cb265c423b5c70d_0000509770.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\f42bb2ea9d89085849e1ad0f56190b05405c58fa_0000317551 | RegNtPreCreateKey |
| HKLM\software\classes\f42bb2ea9d89085849e1ad0f56190b05405c58fa_0000317551.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\f42bb2ea9d89085849e1ad0f56190b05405c58fa_0000317551.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | f42bb2ea9d89085849e1ad0f56190b05405c58fa_0000317551.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\6acdd9b447d083559811ee8cd66222ce933715e3_0000942402 | RegNtPreCreateKey |
| HKLM\software\classes\6acdd9b447d083559811ee8cd66222ce933715e3_0000942402.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\6acdd9b447d083559811ee8cd66222ce933715e3_0000942402.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | 6acdd9b447d083559811ee8cd66222ce933715e3_0000942402.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{d173e10a-001d-4318-9822-8c97a8418482}:: | ExternalNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{d173e10a-001d-4318-9822-8c97a8418482}\localserver32:: | c:\Users\user\downloads\dcb28c8eb45bff3eb07f2a3c5213f9929e36db4b_0000846998 | RegNtPreCreateKey |
| HKLM\software\classes\dcb28c8eb45bff3eb07f2a3c5213f9929e36db4b_0000846998.externalnshandler:: | ExternalNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\dcb28c8eb45bff3eb07f2a3c5213f9929e36db4b_0000846998.externalnshandler\clsid:: | {D173E10A-001D-4318-9822-8C97A8418482} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{d173e10a-001d-4318-9822-8c97a8418482}\progid:: | dcb28c8eb45bff3eb07f2a3c5213f9929e36db4b_0000846998.ExternalNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\Users\user\downloads\dcb28c8eb45bff3eb07f2a3c5213f9929e36db4b_0000846998 | RegNtPreCreateKey |
| HKLM\software\classes\dcb28c8eb45bff3eb07f2a3c5213f9929e36db4b_0000846998.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\dcb28c8eb45bff3eb07f2a3c5213f9929e36db4b_0000846998.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | dcb28c8eb45bff3eb07f2a3c5213f9929e36db4b_0000846998.eBookNSHandler | RegNtPreCreateKey |
| HKCU\software\microsoft\internet explorer\pagesetup::header | | RegNtPreCreateKey |
| HKCU\software\microsoft\internet explorer\pagesetup::footer | | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\7a320b51259dcf58f91d7fbbd096ec94797dff90_0007341423 | RegNtPreCreateKey |
| HKLM\software\classes\7a320b51259dcf58f91d7fbbd096ec94797dff90_0007341423.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\7a320b51259dcf58f91d7fbbd096ec94797dff90_0007341423.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | 7a320b51259dcf58f91d7fbbd096ec94797dff90_0007341423.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\9fa89a48951b0dee9544ad2024dff9bbd858e2b1_0004250258 | RegNtPreCreateKey |
| HKLM\software\classes\9fa89a48951b0dee9544ad2024dff9bbd858e2b1_0004250258.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\9fa89a48951b0dee9544ad2024dff9bbd858e2b1_0004250258.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | 9fa89a48951b0dee9544ad2024dff9bbd858e2b1_0004250258.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\fcc906510468d1faa6c56316cb8efb2cef5e1d5e_0002808001 | RegNtPreCreateKey |
| HKLM\software\classes\fcc906510468d1faa6c56316cb8efb2cef5e1d5e_0002808001.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\fcc906510468d1faa6c56316cb8efb2cef5e1d5e_0002808001.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | fcc906510468d1faa6c56316cb8efb2cef5e1d5e_0002808001.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\users\user\downloads\3977b6431d26a87f0808c8725153b922c925ca58_0000790684 | RegNtPreCreateKey |
| HKLM\software\classes\3977b6431d26a87f0808c8725153b922c925ca58_0000790684.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\3977b6431d26a87f0808c8725153b922c925ca58_0000790684.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | 3977b6431d26a87f0808c8725153b922c925ca58_0000790684.eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{d173e10a-001d-4318-9822-8c97a8418482}\localserver32:: | c:\Users\user\downloads\a36657efe8863e049e2d7c24c0a9bf587f7e945e_0000421820 | RegNtPreCreateKey |
| HKLM\software\classes\a36657efe8863e049e2d7c24c0a9bf587f7e945e_0000421820.externalnshandler:: | ExternalNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\a36657efe8863e049e2d7c24c0a9bf587f7e945e_0000421820.externalnshandler\clsid:: | {D173E10A-001D-4318-9822-8C97A8418482} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{d173e10a-001d-4318-9822-8c97a8418482}\progid:: | a36657efe8863e049e2d7c24c0a9bf587f7e945e_0000421820.ExternalNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\localserver32:: | c:\Users\user\downloads\a36657efe8863e049e2d7c24c0a9bf587f7e945e_0000421820 | RegNtPreCreateKey |
| HKLM\software\classes\a36657efe8863e049e2d7c24c0a9bf587f7e945e_0000421820.ebooknshandler:: | eBookNSHandler | RegNtPreCreateKey |
| HKLM\software\classes\a36657efe8863e049e2d7c24c0a9bf587f7e945e_0000421820.ebooknshandler\clsid:: | {9C453F21-396D-11D5-9734-70E252C10127} | RegNtPreCreateKey |
| HKLM\software\classes\wow6432node\clsid\{9c453f21-396d-11d5-9734-70e252c10127}\progid:: | a36657efe8863e049e2d7c24c0a9bf587f7e945e_0000421820.eBookNSHandler | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Anti Debug | |
| User Data Access | |
| Keyboard Access | |
| Other Suspicious | |