Virus.Win32.Sality.aa

Sality è un virus informatico sofisticato, complesso ed estremamente pericoloso. Se hai qualche indizio che il tuo PC è stato infettato da Sality, dovresti agire con cautela e affrontare Sality il più rapidamente umanamente possibile. Sality può essere dannoso per il tuo computer e per te in una sorprendente varietà di modi, perché Sality include funzionalità o componenti di tutti i principali tipi di malware e si modifica regolarmente, diventando continuamente più dannoso e più difficile da rilevare rispetto a prima.

Storia di Salta

Il virus Sality è apparso per la prima volta in Russia nel 2003. Da allora, Sality ha continuato a essere una minaccia e Sality si è diffuso in tutto il mondo, storicamente con una presenza particolarmente forte in Brasile. Sality è stato uno dei virus più diffusi del 2010 e si è registrato un forte aumento del numero di infezioni alla fine dell'anno, quando è apparsa una nuova mutazione del virus. Alcuni ricercatori hanno affermato che Sality è attualmente una delle cinque minacce più comuni rilevate sui computer.

A rigor di termini, Sality è nato come una backdoor come un modo per aggirare le normali misure di sicurezza informatica. Sebbene Sality abbia ancora questa caratteristica e l'infezione inizi ancora con una backdoor, Sality è cresciuta e si è evoluta nel corso degli anni per includere nel suo funzionamento praticamente ogni varietà nota di malware. Non è un'esagerazione: oltre alla backdoor, le funzionalità di Sality includono virus, keylogger, rootkit, worm, trojan, downloader, botnet, adware ed exploit zero-hour di Windows. Sality ha le caratteristiche comuni di un virus classico, oltre ad alcune capacità molto moderne e molto pericolose.

Come funziona la salsedine

Al momento, un'infezione da Sality potrebbe iniziare con l'uso di una chiavetta USB infetta che infetterà il tuo computer a partire da un worm o Sality può infettare il tuo computer a partire da un Trojan, dopo aver fatto clic su un'e-mail di spam infetta o aver scaricato un file infetto. In un modo o nell'altro, una volta che Sality è presente, Sality apre una backdoor e può scaricare altri malware; o comunicare segretamente con un controller di botnet o chiunque abbia propagato il virus in primo luogo.

Quindi Sality si prepara a fare il suo danno. Sality esamina cosa c'è nel tuo sistema, infetta i file .exe e .scr locali, disabilita o elimina software di sicurezza e firewall e scrive file dannosi. Sality può persino alterare il tuo computer per impedire l'avvio di Windows in modalità provvisoria. Può quindi installare un keylogger per acquisire sequenze di tasti e rubare nomi utente e password, numeri di carte di credito o altre informazioni sensibili. Sality può anche creare un worm che infetterà tutti i supporti rimovibili, in particolare le chiavette USB, e farà sì che il virus si installi automaticamente sul computer a cui si collega l'unità USB successiva.

Nuovi sviluppi della salubrità

Di recente, Sality è stato utilizzato per creare "computer zombi" e per aggiungere computer infetti alle botnet. In altre parole, Sality viene utilizzato per fornire agli hacker l'accesso remoto ai sistemi infetti e per utilizzare tali sistemi per diffondere spam, creare clic Web fraudolenti o lanciare attacchi Denial Of Service contro siti Web mirati, il tutto all'insaputa dei proprietari di i computer infetti. Una recente stima delle dimensioni della botnet Sality mette il numero di computer collegati tramite Sality a 100.000.

A partire dall'estate del 2010, è stato riferito che Sality stava infettando i computer tramite un Trojan che sfrutta quella che era una cosiddetta vulnerabilità "ora zero" in Windows, sfruttando il modo in cui Windows gestiva le scorciatoie. In questo modo, Sality è simile al virus Stuxnet . Fondamentalmente, il Trojan infetta il computer e crea un file .dll e un file .lnk da qualche parte, e non appena si accede alla directory in cui è archiviato il file .lnk, il .dll viene attivato e Sality passa all'azione. Dal momento che la vulnerabilità è stata scoperta, Microsoft ha rilasciato aggiornamenti di Windows per riparare la vulnerabilità. Tuttavia, recentemente, questa vulnerabilità è stata una delle principali cause dell'aumento dei tassi di infezione di Sality, perché molte persone semplicemente non aggiornano Windows abbastanza frequentemente o per niente.

Sality continua ad essere una minaccia significativa in gran parte a causa della sua natura polimorfa. Può alterare il proprio codice crittografandosi in modo diverso per ogni diverso file o computer che Sality infetta, il che ha lo scopo di rendere difficile il rilevamento di Sality attraverso le scansioni. In ogni caso, gli esperti ritengono che i creatori di Sality abbiano l'obiettivo finale di utilizzare Sality per raccogliere e incorporare quanto più codice dannoso e dannoso possibile. Pertanto, nel prossimo futuro sarà probabilmente necessaria una continua vigilanza contro Sality.

SpyHunter rileva e rimuove Virus.Win32.Sality.aa

Rapporto di analisi

Informazione Generale

Family Name:	Virus.Sality
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: de738ab0e456a4fc7a15462d2f442755 SHA1: b3cbc2a422889211b42469434ae53b42968411bc Dimensione del file: 136.99 KB, 136992 bytes

MD5: dfcf08b8ed815850e6933187cea6d039 SHA1: 5b63fab6ab6a9d9efa9df45fa8f867b3d0878908 Dimensione del file: 103.14 KB, 103140 bytes

MD5: 6a6807cf3039b85a8e9a77be7b801e6d SHA1: 6aeb7b7c20d664e237b2af5cd175bdc1342b758d Dimensione del file: 103.14 KB, 103140 bytes

MD5: 6f8abefb5fcb91f0652e558f1ade51cc SHA1: 21c11e0aa0bb8ac2446bf5dbc355bdeb2264280d Dimensione del file: 218.91 KB, 218912 bytes

MD5: 9233013357f95eab175140bc9f590858 SHA1: 4919d37fdeab3713fe914978858ddd3d865d51c1 SHA256: 6736037AFD5AEDCAD934247E4343D7DCB9DF0452A22A1E01B591447E2E46A2FA Dimensione del file: 103.14 KB, 103140 bytes

Show More

MD5: cf1562fe8d02b1485686c6fd5cad0c79 SHA1: 1b05e5ea5716bfd8b0bd0deb6fecd05ff904b61f SHA256: 3B8B07E341BD408512D47BBA421C95A14CC61CB76525BB16E7C3DAF1FDA6DE83 Dimensione del file: 9.93 MB, 9926976 bytes

MD5: b53a7ba023575b096f71bc8d2da5f67a SHA1: 35d3bf379e95684f671bc5efb5dbbc154b73a3bc SHA256: 8A619A448C2FFE0D37ABEB21288674952E4E65AFA57C23A1047CCCA0B19E933E Dimensione del file: 103.14 KB, 103140 bytes

MD5: 8306b38ea1d2083e943d6273fa8b3e4f SHA1: 6676fdd6fd646a2c31352f7af41d08d5c6a8b109 SHA256: 5BDA53053924C8077A6ED322440DD176624474525A61936565668852EC4B5D13 Dimensione del file: 1.93 MB, 1926448 bytes

MD5: 5f711b5ae8a4f9c69c3124df020f9698 SHA1: 2557ff72979a7773afb366d128d5b34faad4fa03 SHA256: B4DD13C469CAA0D4051CAA0B86B0A22D1DD65FC4AA75548DC97B568B0D39F65E Dimensione del file: 1.12 MB, 1118949 bytes

MD5: ef61d174c365813a12bbccede429d234 SHA1: b0a1ea3966d8bd4b028802d5a680607cb9f70dea SHA256: 23CE0F89F74D21C2321CE8C7BE641D4B6C56D573CE9DCBB42B9D57E41F420644 Dimensione del file: 103.14 KB, 103140 bytes

MD5: 81869a5a1b0959d3c4443b9eda565e2a SHA1: e3ead28be912b13aa0816ad3d6b2289cecb7ccfd SHA256: C3E074C3058AE6F8C5788E0251AC59C838D9CE6637FF5C16D2895C32B136CD12 Dimensione del file: 103.14 KB, 103140 bytes

MD5: 863c155b65d5831e4f577804ee2c4b79 SHA1: 78c037c4d0a828e877cac4d4e1fdb9c1d3982c96 SHA256: B006A8A56D8F91D43EA438B0BEEE23ADFBA8A162D8D85BEBE326C9F64502EF13 Dimensione del file: 103.14 KB, 103140 bytes

MD5: 095fac5b98fc4f60f4d02cd49bf57846 SHA1: 7bcd2767c5edb9847c6cc934f64551df2b42c5f9 SHA256: D26AC358A19D3465CFC4F146C65F48E23DD5A6D5DD0B859D1F4FC643342E677F Dimensione del file: 103.14 KB, 103140 bytes

MD5: a652034dec8f99577903918c506e1987 SHA1: 1edd77bf74fb8a10bf1c688073e3f29c33108e8f SHA256: 78826624ECB5E6624A9925E59E01B44505B489140B6C09AC7E89261E6399690E Dimensione del file: 103.14 KB, 103140 bytes

MD5: c803c8286377c3f155998fbbaa1ff443 SHA1: 4d9e7482fc372c1deffc7d500fd677ff7b39b615 SHA256: 902B61D51F5519D32AD1476D918E28C6FACC9022F6D8E0A5BAE127517D7D8CD8 Dimensione del file: 159.74 KB, 159744 bytes

MD5: 12e604fcd646871fb046367a336f4276 SHA1: 1740006d2579aa33c94a41fd0af544387c2c5fb7 SHA256: C2A185F0B504F814DDC64698319E0E61B39FA3AA31CC08F59FB99662C294D612 Dimensione del file: 133.55 KB, 133552 bytes

MD5: de1cde02a70e2fc28399986a44e3fa1e SHA1: e0e9d1c3e11b55499298bac412418762959797e6 SHA256: F056292A4C0C01462B6CA713E04CC7F664D5EFDFC6A577DD950C4C1B3E96C2C1 Dimensione del file: 311.02 KB, 311019 bytes

MD5: 85ee116968a3c618652c5a6ce25ffe8d SHA1: 25d7f982048408b6510cd65a84ff9a5b7ea7866e SHA256: 6B9002CBFA2796AA9CD1069ABCEA6932FF492152188EDAE7FBE6FA6350F511FE Dimensione del file: 5.82 MB, 5822483 bytes

MD5: aec3db01890ba541c99bbc36c8fcc1d9 SHA1: c0a832646e7683486c180f4a9f57d810973a19df SHA256: F647214C0B976702535396D761353D4342A95BD252DBD5CD05FA88D5E061B636 Dimensione del file: 932.35 KB, 932352 bytes

MD5: 4df76bd0e97fc049271daf2717743520 SHA1: 799ae57c793a8c9802443e5756487e850c9433e9 SHA256: 2CAE82F9B3CD3F7924E5A07F8AF404B70120FA3EDCF4EDA9DF2849C3764E17D0 Dimensione del file: 98.64 KB, 98640 bytes

MD5: 982b3e5987cbc6cf6be1a369599b5ec5 SHA1: ed67200761fff0f5d678df451e6f625f190bc0e1 SHA256: 76A4B68966AE3ADDE038149A803CA5086F54C1D01FF441F9FBCDDF7B406BA6A1 Dimensione del file: 99.33 KB, 99328 bytes

MD5: 64697fe83d6085b5c0566d6872be829a SHA1: ce94f779ebc4ff8ca36722f70194468d56f24d14 SHA256: 7BC4476EE502207D868A6A7BA2260F67A0B27D1B84D3736FA1698CF306D60757 Dimensione del file: 469.61 KB, 469608 bytes

MD5: cb1b67fba623a326d96a2ae7483ec15e SHA1: 8c57dbab3f5aa56a88dddf36236bec1e583553a6 SHA256: 9B5568A9D9F549F40746883BD9DBB3EAFEF02F344F386EE8C4C8D6E5DDE50FE7 Dimensione del file: 99.33 KB, 99328 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have resources
• File doesn't have security information
• File has TLS information
• File is 32-bit executable
• File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
• File is either console or GUI application

Show More

• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Nome	Valore
Comments	iProg Pro
Company Name	Acresso Software Inc. DT Soft Ltd EZB Systems, Inc. iProg group Microsoft NEtech ApS Sun Microsystems, Inc.
File Description	DAEMON Tools Pro ISO Command Java(TM) Control Panel Java(TM) Platform SE binary Long Coding Setup.exe
File Version	15.0.498 8.2.0.0 6.0.450.6 6.0.210.7 6.0.170.4 4.41.0315.0262 3.21 built by: WinDDK 1.00 1.0.7.10
Full Version	1.6.0_45-b06 1.6.0_21-b07 1.6.0_17-b04
Internal Build Number	77018
Internal Name	DTPro.exe iProgPro.exe isocmd.exe java Java(TM) Control Panel LCode Setup Win
Legal Copyright	Copyright (c)2006-2021 EZB Systems, Inc. Copyright (C) 2008 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved. Copyright © 2004 Copyright © 2010 Copyright © 2013 NEtech © 2000-2011 DT Soft Ltd.
Original Filename	DTPro.exe isocmd.exe java.exe javacpl.exe LCode Setup.exe Win.exe
Product Name	DAEMON Tools Pro InstallShield ISOCMD Java(TM) Platform SE 6 U17 Java(TM) Platform SE 6 U21 Java(TM) Platform SE 6 U45 LCode Win
Product Version	82 15.0 6.0.450.6 6.0.210.7 6.0.170.4 4.41.0315.0262 3.21 1.00 1.0.7.10

File Traits

• 2+ executable sections
• big overlay
• HighEntropy
• imgui
• Installer Manifest
• Installer Version
• No Version Info
• SusSec
• WriteProcessMemory
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	1
Potentially Malicious Blocks:	1
Whitelisted Blocks:	0
Unknown Blocks:	0

Visual Map

x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• BadJoke.XA
• Banker.YA
• Delf.Spy.B
• Delf.XB
• Expiro.C

Show More

• Injector.DFF
• Injector.FCH
• Injector.FHBA
• Injector.KS
• KillAV.X
• Kryptik.RA
• Kryptik.YHB
• Nockat.A
• Sality.A

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Attributes,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Data,Read Attributes,LEFT 262144
c:\users\user\appdata\local\temp\bpck.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data

Show More

c:\users\user\appdata\local\temp\bpck.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\bpck.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\jvqomr.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\jvqomr.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\jvqomr.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\winllhw.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winllhw.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\winllhw.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\winqwisr.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winqwisr.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\winqwisr.exe	Synchronize,Write Attributes
c:\windows\20b848	Generic Write,Read Attributes
c:\windows\20b951	Generic Write,Read Attributes
c:\windows\20bc01	Generic Write,Read Attributes
c:\windows\92a247c	Generic Write,Read Attributes
c:\windows\system.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Dati	API Name
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\policies\system::disabletaskmgr		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\policies\system::disableregistrytools		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride		RegNtPreCreateKey

Show More

HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline		RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1919251317	y	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-456464662		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1462786655		RegNtPreCreateKey
HKCU\software\apcr\1214104697::-912929324	#	RegNtPreCreateKey
HKCU\software\apcr\1214104697::1006321993	ƃ	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-1369393986	http://cikmayedekparca.com/images/logos.gifhttp://brucegarrod	RegNtPreCreateKey
HKCU\software\apcr\1214104697::549857331		RegNtPreCreateKey
HKCU\software\apcr::u1_0	ᅕ쒧	RegNtPreCreateKey
HKCU\software\apcr::u2_0	♨	RegNtPreCreateKey
HKCU\software\apcr::u3_0	権ă	RegNtPreCreateKey
HKCU\software\apcr::u4_0		RegNtPreCreateKey
HKCU\software\apcr::u1_1	謭믨	RegNtPreCreateKey
HKCU\software\apcr::u2_1	擷牥	RegNtPreCreateKey
HKCU\software\apcr::u3_1	ᥜ獦	RegNtPreCreateKey
HKCU\software\apcr::u4_1	獵牥	RegNtPreCreateKey
HKCU\software\apcr::u1_2	ꮧ꟩	RegNtPreCreateKey
HKCU\software\apcr::u2_2	ｻ	RegNtPreCreateKey
HKCU\software\apcr::u3_2	賃	RegNtPreCreateKey
HKCU\software\apcr::u4_2		RegNtPreCreateKey
HKCU\software\apcr::u1_3	პ낭	RegNtPreCreateKey
HKCU\software\apcr::u2_3	䘺地	RegNtPreCreateKey
HKCU\software\apcr::u3_3	ぶ嘳	RegNtPreCreateKey
HKCU\software\apcr::u4_3	婟地	RegNtPreCreateKey
HKCU\software\apcr::u1_4	Ȓ	RegNtPreCreateKey
HKCU\software\apcr::u2_4	큥즕	RegNtPreCreateKey
HKCU\software\apcr::u3_4	ꟽ좖	RegNtPreCreateKey
HKCU\software\apcr::u4_4	췔즕	RegNtPreCreateKey
HKCU\software\apcr::u1_5	鸫珊	RegNtPreCreateKey
HKCU\software\apcr::u2_5	娔㯻	RegNtPreCreateKey
HKCU\software\apcr::u3_5	⭠㫸	RegNtPreCreateKey
HKCU\software\apcr::u4_5	䅉㯻	RegNtPreCreateKey
HKCU\software\apcr::u1_6	惜Ἀ	RegNtPreCreateKey
HKCU\software\apcr::u2_6	꾺깠	RegNtPreCreateKey
HKCU\software\apcr::u3_6		RegNtPreCreateKey
HKCU\software\apcr::u4_6	뒾깠	RegNtPreCreateKey
HKCU\software\apcr::u1_7	➞▢	RegNtPreCreateKey
HKCU\software\apcr::u2_7	㹆⃆	RegNtPreCreateKey
HKCU\software\apcr::u3_7	䈚⇅	RegNtPreCreateKey
HKCU\software\apcr::u4_7	⠳⃆	RegNtPreCreateKey
HKCU\software\apcr::u1_8	蠅	RegNtPreCreateKey
HKCU\software\apcr::u2_8	뮣錫	RegNtPreCreateKey
HKCU\software\apcr::u3_8	鈨	RegNtPreCreateKey
HKCU\software\apcr::u4_8	鮨錫	RegNtPreCreateKey
HKCU\software\apcr::u1_9	ຣ㖺	RegNtPreCreateKey
HKCU\software\apcr::u2_9	ᖘ֑	RegNtPreCreateKey
HKCU\software\apcr::u3_9	攴Ғ	RegNtPreCreateKey
HKCU\software\apcr::u4_9	༝֑	RegNtPreCreateKey
HKCU\software\apcr::u1_10	벘	RegNtPreCreateKey
HKCU\software\apcr::u2_10	ꄧ矶	RegNtPreCreateKey
HKCU\software\apcr::u3_10	盵	RegNtPreCreateKey
HKCU\software\apcr::u4_10	芒矶	RegNtPreCreateKey
HKCU\software\apcr::u1_11	腈焋	RegNtPreCreateKey
HKCU\software\apcr::u2_11		RegNtPreCreateKey
HKCU\software\apcr::u3_11	鰮	RegNtPreCreateKey
HKCU\software\apcr::u4_11		RegNtPreCreateKey
HKCU\software\apcr::u1_12	ጪ轱	RegNtPreCreateKey
HKCU\software\apcr::u2_12	糋峁	RegNtPreCreateKey
HKCU\software\apcr::u3_12	͕巂	RegNtPreCreateKey
HKCU\software\apcr::u4_12	楼峁	RegNtPreCreateKey
HKCU\software\apcr::u1_13	덌㎠	RegNtPreCreateKey
HKCU\software\apcr::u2_13	ﹶ켦	RegNtPreCreateKey
HKCU\software\apcr::u3_13	뛘츥	RegNtPreCreateKey
HKCU\software\apcr::u4_13		RegNtPreCreateKey
HKCU\software\apcr::u1_14	؋ࣆ	RegNtPreCreateKey
HKCU\software\apcr::u2_14	䞈䆌	RegNtPreCreateKey
HKCU\software\apcr::u3_14	㩏䂏	RegNtPreCreateKey
HKCU\software\apcr::u4_14	偦䆌	RegNtPreCreateKey
HKCU\software\apcr::u1_15	꼜	RegNtPreCreateKey
HKCU\software\apcr::u2_15		RegNtPreCreateKey
HKCU\software\apcr::u3_15	꧲닲	RegNtPreCreateKey
HKCU\software\apcr::u4_15	쏛돱	RegNtPreCreateKey
HKCU\software\apcr::u1_16	䠆ꇪ	RegNtPreCreateKey
HKCU\software\apcr::u2_16	⷗♗	RegNtPreCreateKey
HKCU\software\apcr::u3_16	嵹❔	RegNtPreCreateKey
HKCU\software\apcr::u4_16	㝐♗	RegNtPreCreateKey
HKCU\software\apcr::u1_17	ᢘ튽	RegNtPreCreateKey
HKCU\software\apcr::u2_17	똢颼	RegNtPreCreateKey
HKCU\software\apcr::u3_17	샬馿	RegNtPreCreateKey
HKCU\software\apcr::u4_17	꫅颼	RegNtPreCreateKey
HKCU\software\apcr::u1_18	멃瓆	RegNtPreCreateKey
HKCU\software\apcr::u2_18	㷫ଢ	RegNtPreCreateKey
HKCU\software\apcr::u3_18	琓ਡ	RegNtPreCreateKey
HKCU\software\apcr::u4_18	Ḻଢ	RegNtPreCreateKey
HKCU\software\apcr::u1_19	䞈	RegNtPreCreateKey
HKCU\software\apcr::u2_19	蓅綇	RegNtPreCreateKey
HKCU\software\apcr::u3_19	ﮆ粄	RegNtPreCreateKey
HKCU\software\apcr::u4_19	醯綇	RegNtPreCreateKey
HKCU\software\apcr::u1_20	彪儖	RegNtPreCreateKey
HKCU\software\apcr::u2_20	☧	RegNtPreCreateKey
HKCU\software\apcr::u3_20	漍	RegNtPreCreateKey
HKCU\software\apcr::u4_20	Ԥ	RegNtPreCreateKey
HKCU\software\apcr::u1_21	痺	RegNtPreCreateKey
HKCU\software\apcr::u2_21	曆扒	RegNtPreCreateKey
HKCU\software\apcr::u3_21	ኰ捑	RegNtPreCreateKey
HKCU\software\apcr::u4_21	碙扒	RegNtPreCreateKey
HKCU\software\apcr::u1_22	塑伞	RegNtPreCreateKey
HKCU\software\apcr::u2_22	磻풷	RegNtPreCreateKey
HKCU\software\apcr::u3_22	蘧햴	RegNtPreCreateKey
HKCU\software\apcr::u4_22	풷	RegNtPreCreateKey
HKCU\software\apcr::u1_23	꿍棝	RegNtPreCreateKey
HKCU\software\apcr::u2_23	䑠䜝	RegNtPreCreateKey
HKCU\software\apcr::u3_23	㖪䘞	RegNtPreCreateKey
HKCU\software\apcr::u4_23	徃䜝	RegNtPreCreateKey
HKCU\software\apcr::u1_24	ꆡ궃	RegNtPreCreateKey
HKCU\software\apcr::u2_24	쩿릂	RegNtPreCreateKey
HKCU\software\apcr::u3_24	룑뢁	RegNtPreCreateKey
HKCU\software\apcr::u4_24	틸릂	RegNtPreCreateKey
HKCU\software\apcr::u1_25		RegNtPreCreateKey
HKCU\software\apcr::u2_25	搐⯨	RegNtPreCreateKey
HKCU\software\apcr::u3_25	ⱄ⫫	RegNtPreCreateKey
HKCU\software\apcr::u4_25	䙭⯨	RegNtPreCreateKey
HKCU\software\apcr::u1_26		RegNtPreCreateKey
HKCU\software\apcr::u2_26	ꐟ鹍	RegNtPreCreateKey
HKCU\software\apcr::u3_26	폋齎	RegNtPreCreateKey
HKCU\software\apcr::u4_26	맢鹍	RegNtPreCreateKey
HKCU\software\apcr::u1_27		RegNtPreCreateKey
HKCU\software\apcr::u2_27	ㅯႳ	RegNtPreCreateKey
HKCU\software\apcr::u3_27	䝾ᆰ	RegNtPreCreateKey
HKCU\software\apcr::u4_27	ⵗႳ	RegNtPreCreateKey
HKCU\software\apcr::u1_28	튕ⵝ	RegNtPreCreateKey
HKCU\software\apcr::u2_28	뮿茘	RegNtPreCreateKey
HKCU\software\apcr::u3_28	쫥舛	RegNtPreCreateKey
HKCU\software\apcr::u4_28	ꃌ茘	RegNtPreCreateKey
HKCU\software\apcr::u1_29	昘⸞	RegNtPreCreateKey
HKCU\software\apcr::u2_29	޳	RegNtPreCreateKey
HKCU\software\apcr::u3_29	繨	RegNtPreCreateKey
HKCU\software\apcr::u4_29	ᑁ	RegNtPreCreateKey
HKCU\software\apcr::u1_30	껻履	RegNtPreCreateKey
HKCU\software\apcr::u2_30	鬈柣	RegNtPreCreateKey
HKCU\software\apcr::u3_30	曠	RegNtPreCreateKey
HKCU\software\apcr::u4_30	螶柣	RegNtPreCreateKey
HKCU\software\apcr::u1_31	腾蔝	RegNtPreCreateKey
HKCU\software\apcr::u2_31		RegNtPreCreateKey
HKCU\software\apcr::u3_31		RegNtPreCreateKey
HKCU\software\apcr::u4_31		RegNtPreCreateKey
HKCU\software\apcr::u1_32	导誨	RegNtPreCreateKey
HKCU\software\apcr::u2_32	睧䲮	RegNtPreCreateKey
HKCU\software\apcr::u3_32	҉䶭	RegNtPreCreateKey
HKCU\software\apcr::u4_32	溠䲮	RegNtPreCreateKey
HKCU\software\apcr::u1_33	ੌ倎	RegNtPreCreateKey
HKCU\software\apcr::u2_33	郞뼓	RegNtPreCreateKey
HKCU\software\apcr::u3_33	蠼븐	RegNtPreCreateKey
HKCU\software\apcr::u4_33	뼓	RegNtPreCreateKey
HKCU\software\apcr::u1_34		RegNtPreCreateKey
HKCU\software\apcr::u2_34	亪ㅹ	RegNtPreCreateKey
HKCU\software\apcr::u3_34	㾣ぺ	RegNtPreCreateKey
HKCU\software\apcr::u4_34	喊ㅹ	RegNtPreCreateKey
HKCU\software\apcr::u1_35	ؼ洭	RegNtPreCreateKey
HKCU\software\apcr::u2_35		RegNtPreCreateKey
HKCU\software\apcr::u3_35	ꋖꋝ	RegNtPreCreateKey
HKCU\software\apcr::u4_35	죿ꏞ	RegNtPreCreateKey
HKCU\software\apcr::u1_36	嵒	RegNtPreCreateKey
HKCU\software\apcr::u2_36	◲ᙄ	RegNtPreCreateKey
HKCU\software\apcr::u3_36	噝ᝇ	RegNtPreCreateKey
HKCU\software\apcr::u4_36	㱴ᙄ	RegNtPreCreateKey
HKCU\software\apcr::u1_37	ힾ൥	RegNtPreCreateKey
HKCU\software\apcr::u2_37	녨袩	RegNtPreCreateKey
HKCU\software\apcr::u3_37	엀親	RegNtPreCreateKey
HKCU\software\apcr::u4_37	꿩袩	RegNtPreCreateKey
HKCU\software\apcr::u1_38	뇚	RegNtPreCreateKey
HKCU\software\apcr::u2_38	ݸ﬏	RegNtPreCreateKey
HKCU\software\apcr::u3_38	䥷兀	RegNtPreCreateKey
HKCU\software\apcr::u4_38	⍞﬏	RegNtPreCreateKey
HKCU\software\apcr::u1_39	잞䨃	RegNtPreCreateKey
HKCU\software\apcr::u2_39	衰浴	RegNtPreCreateKey
HKCU\software\apcr::u3_39	ﳺ汷	RegNtPreCreateKey
HKCU\software\apcr::u4_39	雓浴	RegNtPreCreateKey
HKCU\software\apcr::u1_40	๶	RegNtPreCreateKey
HKCU\software\apcr::u2_40		RegNtPreCreateKey
HKCU\software\apcr::u3_40		RegNtPreCreateKey
HKCU\software\apcr::u4_40		RegNtPreCreateKey
HKCU\software\apcr::u1_41	磮ό	RegNtPreCreateKey
HKCU\software\apcr::u2_41	媐刿	RegNtPreCreateKey
HKCU\software\apcr::u3_41	ប匼	RegNtPreCreateKey
HKCU\software\apcr::u4_41	綽刿	RegNtPreCreateKey
HKCU\software\apcr::u1_42	呏㾇	RegNtPreCreateKey
HKCU\software\apcr::u2_42	쒤	RegNtPreCreateKey
HKCU\software\apcr::u3_42	鬛얧	RegNtPreCreateKey
HKCU\software\apcr::u4_42	쒤	RegNtPreCreateKey
HKCU\software\apcr::u1_43	㸝Д	RegNtPreCreateKey

2951 additional registry modifications are not displayed above.

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Other Suspicious	SetWindowsHookEx
Network Winsock2	WSAStartup
Keyboard Access	GetKeyState
User Data Access	GetUserObjectInformation
Network Wininet	InternetConnect InternetOpen
Network Winhttp	WinHttpOpen