Virus.Win32.Sality.aa

Sality este un virus informatic sofisticat, complex și extrem de periculos. Dacă aveți vreun indiciu că computerul dvs. a fost infectat cu Sality, ar trebui să acționați cu prudență și să tratați Sality cât mai repede posibil. Sality poate fi dăunător pentru computer și pentru dvs. într-o varietate uimitoare de moduri, deoarece Sality include caracteristici sau componente ale fiecărui tip major de malware și se schimbă în mod regulat, devenind continuu mai rău intenționat și mai greu de detectat decât era înainte.

Istoria lui Sality

Virusul Sality a apărut pentru prima dată în Rusia în 2003. De atunci, Sality a continuat să fie o amenințare, iar Sality s-a răspândit în întreaga lume, istoric cu o prezență deosebit de puternică în Brazilia. Sality a fost unul dintre cele mai răspândite virusuri ale anului 2010 și s-a înregistrat o creștere majoră a numărului de infecții la sfârșitul anului, când a apărut o nouă mutație a virusului. Unii cercetători au afirmat că Sality este în prezent una dintre cele mai frecvente cinci amenințări detectate pe computere.

Strict vorbind, Sality a început ca o ușă din spate ca o modalitate de a ocoli măsurile obișnuite de securitate a computerului. Deși Sality are încă această caracteristică și infecția încă începe cu o ușă din spate, Sality a crescut și a evoluat de-a lungul anilor pentru a include în funcționarea sa practic fiecare varietate cunoscută de malware. Aceasta nu este o exagerare – pe lângă ușa din spate, caracteristicile lui Sality includ viruși, keylogger, rootkit-uri, viermi, troieni, descărcare, rețele bot, adware și exploit-uri Windows zero-hour. Sality are caracteristicile comune ale unui virus clasic, precum și unele capacități foarte moderne și foarte periculoase.

Cum funcționează Sality

În prezent, o infecție cu Sality poate începe cu utilizarea unei unități digitale infectate care vă va infecta computerul începând cu un vierme sau Sality vă poate infecta computerul începând cu un troian, după ce faceți clic pe un e-mail de spam infectat sau descărcați un fișier infectat. Într-un fel sau altul, odată ce Sality este prezent, Sality deschide o ușă din spate și poate descărca alte programe malware; sau comunicați în secret cu un controlor de rețea botnet sau cu oricine a propagat virusul în primul rând.

Apoi Sality se pregătește să-și facă rău. Sality aruncă o privire asupra a ceea ce este pe sistemul dvs., infectează fișierele locale .exe și .scr, dezactivează sau șterge software-ul de securitate și firewall-urile și scrie fișiere rău intenționate. Sality vă poate modifica chiar și computerul pentru a împiedica Windows să poată porni în Safe Mode. Apoi poate instala un keylogger pentru a captura apăsările de taste și pentru a fura nume de utilizator și parole, numere de card de credit sau alte informații sensibile. Sality poate crea, de asemenea, un vierme care va infecta toate mediile amovibile, în special unitățile USB, și va face ca virusul să se instaleze automat pe orice computer la care conectați unitatea USB.

Noile dezvoltări ale Sality

Recent, Sality a fost folosit pentru a crea „calculatoare zombie” și pentru a adăuga computere infectate la rețele bot. Cu alte cuvinte, Sality este folosit pentru a oferi hackerilor acces de la distanță la sistemele infectate și pentru a folosi acele sisteme pentru a răspândi spam, a crea clicuri frauduloase pe web sau a lansa atacuri de tip Denial Of Service împotriva site-urilor web vizate - totul fără știrea proprietarilor de calculatoarele infectate. O estimare recentă a dimensiunii rețelei botnet Sality estimează numărul de computere conectate prin Sality la 100.000.

Începând din vara lui 2010, au existat rapoarte că Sality infecta computerele printr-un troian care profită de ceea ce era o așa-numită vulnerabilitate „zero-hour” în Windows, exploatând modul în care Windows gestiona comenzile rapide. În acest fel, Sality este similar cu virusul Stuxnet . Practic, troianul infectează computerul și creează undeva un fișier .dll și un fișier .lnk, iar de îndată ce navighezi în directorul în care este stocat fișierul .lnk, .dll este activat și Sality trece la acțiune. De când vulnerabilitatea a fost descoperită, Microsoft a emis actualizări Windows pentru a repara vulnerabilitatea. Cu toate acestea, recent, această vulnerabilitate a fost o cauză majoră a creșterii ratelor de infecție cu Sality, deoarece mulți oameni pur și simplu nu actualizează Windows suficient de frecvent sau deloc.

Salitatea continuă să fie o amenințare semnificativă, în mare parte datorită naturii sale polimorfe. Își poate modifica propriul cod criptându-se în mod diferit pentru fiecare fișier sau computer diferit pe care Sality infectează, ceea ce este menit să facă ca Sality să fie dificil de detectat prin scanări. În orice caz, experții cred că creatorii Sality au scopul final de a folosi Sality pentru a aduna și încorpora cât mai mult cod dăunător și dăunător. Prin urmare, vigilența continuă împotriva Sality va fi probabil o necesitate în viitorul previzibil.

SpyHunter detectează și elimină Virus.Win32.Sality.aa

Raport de analiză

Informatii generale

Family Name:	Virus.Sality
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: de738ab0e456a4fc7a15462d2f442755 SHA1: b3cbc2a422889211b42469434ae53b42968411bc Mărime fișier: 136.99 KB, 136992 bytes

MD5: dfcf08b8ed815850e6933187cea6d039 SHA1: 5b63fab6ab6a9d9efa9df45fa8f867b3d0878908 Mărime fișier: 103.14 KB, 103140 bytes

MD5: 6a6807cf3039b85a8e9a77be7b801e6d SHA1: 6aeb7b7c20d664e237b2af5cd175bdc1342b758d Mărime fișier: 103.14 KB, 103140 bytes

MD5: 6f8abefb5fcb91f0652e558f1ade51cc SHA1: 21c11e0aa0bb8ac2446bf5dbc355bdeb2264280d Mărime fișier: 218.91 KB, 218912 bytes

MD5: 9233013357f95eab175140bc9f590858 SHA1: 4919d37fdeab3713fe914978858ddd3d865d51c1 SHA256: 6736037AFD5AEDCAD934247E4343D7DCB9DF0452A22A1E01B591447E2E46A2FA Mărime fișier: 103.14 KB, 103140 bytes

Show More

MD5: cf1562fe8d02b1485686c6fd5cad0c79 SHA1: 1b05e5ea5716bfd8b0bd0deb6fecd05ff904b61f SHA256: 3B8B07E341BD408512D47BBA421C95A14CC61CB76525BB16E7C3DAF1FDA6DE83 Mărime fișier: 9.93 MB, 9926976 bytes

MD5: b53a7ba023575b096f71bc8d2da5f67a SHA1: 35d3bf379e95684f671bc5efb5dbbc154b73a3bc SHA256: 8A619A448C2FFE0D37ABEB21288674952E4E65AFA57C23A1047CCCA0B19E933E Mărime fișier: 103.14 KB, 103140 bytes

MD5: 8306b38ea1d2083e943d6273fa8b3e4f SHA1: 6676fdd6fd646a2c31352f7af41d08d5c6a8b109 SHA256: 5BDA53053924C8077A6ED322440DD176624474525A61936565668852EC4B5D13 Mărime fișier: 1.93 MB, 1926448 bytes

MD5: 5f711b5ae8a4f9c69c3124df020f9698 SHA1: 2557ff72979a7773afb366d128d5b34faad4fa03 SHA256: B4DD13C469CAA0D4051CAA0B86B0A22D1DD65FC4AA75548DC97B568B0D39F65E Mărime fișier: 1.12 MB, 1118949 bytes

MD5: ef61d174c365813a12bbccede429d234 SHA1: b0a1ea3966d8bd4b028802d5a680607cb9f70dea SHA256: 23CE0F89F74D21C2321CE8C7BE641D4B6C56D573CE9DCBB42B9D57E41F420644 Mărime fișier: 103.14 KB, 103140 bytes

MD5: 81869a5a1b0959d3c4443b9eda565e2a SHA1: e3ead28be912b13aa0816ad3d6b2289cecb7ccfd SHA256: C3E074C3058AE6F8C5788E0251AC59C838D9CE6637FF5C16D2895C32B136CD12 Mărime fișier: 103.14 KB, 103140 bytes

MD5: 863c155b65d5831e4f577804ee2c4b79 SHA1: 78c037c4d0a828e877cac4d4e1fdb9c1d3982c96 SHA256: B006A8A56D8F91D43EA438B0BEEE23ADFBA8A162D8D85BEBE326C9F64502EF13 Mărime fișier: 103.14 KB, 103140 bytes

MD5: 095fac5b98fc4f60f4d02cd49bf57846 SHA1: 7bcd2767c5edb9847c6cc934f64551df2b42c5f9 SHA256: D26AC358A19D3465CFC4F146C65F48E23DD5A6D5DD0B859D1F4FC643342E677F Mărime fișier: 103.14 KB, 103140 bytes

MD5: a652034dec8f99577903918c506e1987 SHA1: 1edd77bf74fb8a10bf1c688073e3f29c33108e8f SHA256: 78826624ECB5E6624A9925E59E01B44505B489140B6C09AC7E89261E6399690E Mărime fișier: 103.14 KB, 103140 bytes

MD5: c803c8286377c3f155998fbbaa1ff443 SHA1: 4d9e7482fc372c1deffc7d500fd677ff7b39b615 SHA256: 902B61D51F5519D32AD1476D918E28C6FACC9022F6D8E0A5BAE127517D7D8CD8 Mărime fișier: 159.74 KB, 159744 bytes

MD5: 12e604fcd646871fb046367a336f4276 SHA1: 1740006d2579aa33c94a41fd0af544387c2c5fb7 SHA256: C2A185F0B504F814DDC64698319E0E61B39FA3AA31CC08F59FB99662C294D612 Mărime fișier: 133.55 KB, 133552 bytes

MD5: de1cde02a70e2fc28399986a44e3fa1e SHA1: e0e9d1c3e11b55499298bac412418762959797e6 SHA256: F056292A4C0C01462B6CA713E04CC7F664D5EFDFC6A577DD950C4C1B3E96C2C1 Mărime fișier: 311.02 KB, 311019 bytes

MD5: 85ee116968a3c618652c5a6ce25ffe8d SHA1: 25d7f982048408b6510cd65a84ff9a5b7ea7866e SHA256: 6B9002CBFA2796AA9CD1069ABCEA6932FF492152188EDAE7FBE6FA6350F511FE Mărime fișier: 5.82 MB, 5822483 bytes

MD5: aec3db01890ba541c99bbc36c8fcc1d9 SHA1: c0a832646e7683486c180f4a9f57d810973a19df SHA256: F647214C0B976702535396D761353D4342A95BD252DBD5CD05FA88D5E061B636 Mărime fișier: 932.35 KB, 932352 bytes

MD5: 4df76bd0e97fc049271daf2717743520 SHA1: 799ae57c793a8c9802443e5756487e850c9433e9 SHA256: 2CAE82F9B3CD3F7924E5A07F8AF404B70120FA3EDCF4EDA9DF2849C3764E17D0 Mărime fișier: 98.64 KB, 98640 bytes

MD5: 982b3e5987cbc6cf6be1a369599b5ec5 SHA1: ed67200761fff0f5d678df451e6f625f190bc0e1 SHA256: 76A4B68966AE3ADDE038149A803CA5086F54C1D01FF441F9FBCDDF7B406BA6A1 Mărime fișier: 99.33 KB, 99328 bytes

MD5: 64697fe83d6085b5c0566d6872be829a SHA1: ce94f779ebc4ff8ca36722f70194468d56f24d14 SHA256: 7BC4476EE502207D868A6A7BA2260F67A0B27D1B84D3736FA1698CF306D60757 Mărime fișier: 469.61 KB, 469608 bytes

MD5: cb1b67fba623a326d96a2ae7483ec15e SHA1: 8c57dbab3f5aa56a88dddf36236bec1e583553a6 SHA256: 9B5568A9D9F549F40746883BD9DBB3EAFEF02F344F386EE8C4C8D6E5DDE50FE7 Mărime fișier: 99.33 KB, 99328 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have resources
• File doesn't have security information
• File has TLS information
• File is 32-bit executable
• File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
• File is either console or GUI application

Show More

• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Nume	Valoare
Comments	iProg Pro
Company Name	Acresso Software Inc. DT Soft Ltd EZB Systems, Inc. iProg group Microsoft NEtech ApS Sun Microsystems, Inc.
File Description	DAEMON Tools Pro ISO Command Java(TM) Control Panel Java(TM) Platform SE binary Long Coding Setup.exe
File Version	15.0.498 8.2.0.0 6.0.450.6 6.0.210.7 6.0.170.4 4.41.0315.0262 3.21 built by: WinDDK 1.00 1.0.7.10
Full Version	1.6.0_45-b06 1.6.0_21-b07 1.6.0_17-b04
Internal Build Number	77018
Internal Name	DTPro.exe iProgPro.exe isocmd.exe java Java(TM) Control Panel LCode Setup Win
Legal Copyright	Copyright (c)2006-2021 EZB Systems, Inc. Copyright (C) 2008 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved. Copyright © 2004 Copyright © 2010 Copyright © 2013 NEtech © 2000-2011 DT Soft Ltd.
Original Filename	DTPro.exe isocmd.exe java.exe javacpl.exe LCode Setup.exe Win.exe
Product Name	DAEMON Tools Pro InstallShield ISOCMD Java(TM) Platform SE 6 U17 Java(TM) Platform SE 6 U21 Java(TM) Platform SE 6 U45 LCode Win
Product Version	82 15.0 6.0.450.6 6.0.210.7 6.0.170.4 4.41.0315.0262 3.21 1.00 1.0.7.10

File Traits

• 2+ executable sections
• big overlay
• HighEntropy
• imgui
• Installer Manifest
• Installer Version
• No Version Info
• SusSec
• WriteProcessMemory
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	1
Potentially Malicious Blocks:	1
Whitelisted Blocks:	0
Unknown Blocks:	0

Visual Map

x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• BadJoke.XA
• Banker.YA
• Delf.Spy.B
• Delf.XB
• Expiro.C

Show More

• Injector.DFF
• Injector.FCH
• Injector.FHBA
• Injector.KS
• KillAV.X
• Kryptik.RA
• Kryptik.YHB
• Nockat.A
• Sality.A

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Attributes,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Data,Read Attributes,LEFT 262144
c:\users\user\appdata\local\temp\bpck.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data

Show More

c:\users\user\appdata\local\temp\bpck.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\bpck.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\jvqomr.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\jvqomr.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\jvqomr.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\winllhw.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winllhw.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\winllhw.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\winqwisr.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winqwisr.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\winqwisr.exe	Synchronize,Write Attributes
c:\windows\20b848	Generic Write,Read Attributes
c:\windows\20b951	Generic Write,Read Attributes
c:\windows\20bc01	Generic Write,Read Attributes
c:\windows\92a247c	Generic Write,Read Attributes
c:\windows\system.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Date	API Name
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\policies\system::disabletaskmgr		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\policies\system::disableregistrytools		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride		RegNtPreCreateKey

Show More

HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline		RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1919251317	y	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-456464662		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1462786655		RegNtPreCreateKey
HKCU\software\apcr\1214104697::-912929324	#	RegNtPreCreateKey
HKCU\software\apcr\1214104697::1006321993	ƃ	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-1369393986	http://cikmayedekparca.com/images/logos.gifhttp://brucegarrod	RegNtPreCreateKey
HKCU\software\apcr\1214104697::549857331		RegNtPreCreateKey
HKCU\software\apcr::u1_0	ᅕ쒧	RegNtPreCreateKey
HKCU\software\apcr::u2_0	♨	RegNtPreCreateKey
HKCU\software\apcr::u3_0	権ă	RegNtPreCreateKey
HKCU\software\apcr::u4_0		RegNtPreCreateKey
HKCU\software\apcr::u1_1	謭믨	RegNtPreCreateKey
HKCU\software\apcr::u2_1	擷牥	RegNtPreCreateKey
HKCU\software\apcr::u3_1	ᥜ獦	RegNtPreCreateKey
HKCU\software\apcr::u4_1	獵牥	RegNtPreCreateKey
HKCU\software\apcr::u1_2	ꮧ꟩	RegNtPreCreateKey
HKCU\software\apcr::u2_2	ｻ	RegNtPreCreateKey
HKCU\software\apcr::u3_2	賃	RegNtPreCreateKey
HKCU\software\apcr::u4_2		RegNtPreCreateKey
HKCU\software\apcr::u1_3	პ낭	RegNtPreCreateKey
HKCU\software\apcr::u2_3	䘺地	RegNtPreCreateKey
HKCU\software\apcr::u3_3	ぶ嘳	RegNtPreCreateKey
HKCU\software\apcr::u4_3	婟地	RegNtPreCreateKey
HKCU\software\apcr::u1_4	Ȓ	RegNtPreCreateKey
HKCU\software\apcr::u2_4	큥즕	RegNtPreCreateKey
HKCU\software\apcr::u3_4	ꟽ좖	RegNtPreCreateKey
HKCU\software\apcr::u4_4	췔즕	RegNtPreCreateKey
HKCU\software\apcr::u1_5	鸫珊	RegNtPreCreateKey
HKCU\software\apcr::u2_5	娔㯻	RegNtPreCreateKey
HKCU\software\apcr::u3_5	⭠㫸	RegNtPreCreateKey
HKCU\software\apcr::u4_5	䅉㯻	RegNtPreCreateKey
HKCU\software\apcr::u1_6	惜Ἀ	RegNtPreCreateKey
HKCU\software\apcr::u2_6	꾺깠	RegNtPreCreateKey
HKCU\software\apcr::u3_6		RegNtPreCreateKey
HKCU\software\apcr::u4_6	뒾깠	RegNtPreCreateKey
HKCU\software\apcr::u1_7	➞▢	RegNtPreCreateKey
HKCU\software\apcr::u2_7	㹆⃆	RegNtPreCreateKey
HKCU\software\apcr::u3_7	䈚⇅	RegNtPreCreateKey
HKCU\software\apcr::u4_7	⠳⃆	RegNtPreCreateKey
HKCU\software\apcr::u1_8	蠅	RegNtPreCreateKey
HKCU\software\apcr::u2_8	뮣錫	RegNtPreCreateKey
HKCU\software\apcr::u3_8	鈨	RegNtPreCreateKey
HKCU\software\apcr::u4_8	鮨錫	RegNtPreCreateKey
HKCU\software\apcr::u1_9	ຣ㖺	RegNtPreCreateKey
HKCU\software\apcr::u2_9	ᖘ֑	RegNtPreCreateKey
HKCU\software\apcr::u3_9	攴Ғ	RegNtPreCreateKey
HKCU\software\apcr::u4_9	༝֑	RegNtPreCreateKey
HKCU\software\apcr::u1_10	벘	RegNtPreCreateKey
HKCU\software\apcr::u2_10	ꄧ矶	RegNtPreCreateKey
HKCU\software\apcr::u3_10	盵	RegNtPreCreateKey
HKCU\software\apcr::u4_10	芒矶	RegNtPreCreateKey
HKCU\software\apcr::u1_11	腈焋	RegNtPreCreateKey
HKCU\software\apcr::u2_11		RegNtPreCreateKey
HKCU\software\apcr::u3_11	鰮	RegNtPreCreateKey
HKCU\software\apcr::u4_11		RegNtPreCreateKey
HKCU\software\apcr::u1_12	ጪ轱	RegNtPreCreateKey
HKCU\software\apcr::u2_12	糋峁	RegNtPreCreateKey
HKCU\software\apcr::u3_12	͕巂	RegNtPreCreateKey
HKCU\software\apcr::u4_12	楼峁	RegNtPreCreateKey
HKCU\software\apcr::u1_13	덌㎠	RegNtPreCreateKey
HKCU\software\apcr::u2_13	ﹶ켦	RegNtPreCreateKey
HKCU\software\apcr::u3_13	뛘츥	RegNtPreCreateKey
HKCU\software\apcr::u4_13		RegNtPreCreateKey
HKCU\software\apcr::u1_14	؋ࣆ	RegNtPreCreateKey
HKCU\software\apcr::u2_14	䞈䆌	RegNtPreCreateKey
HKCU\software\apcr::u3_14	㩏䂏	RegNtPreCreateKey
HKCU\software\apcr::u4_14	偦䆌	RegNtPreCreateKey
HKCU\software\apcr::u1_15	꼜	RegNtPreCreateKey
HKCU\software\apcr::u2_15		RegNtPreCreateKey
HKCU\software\apcr::u3_15	꧲닲	RegNtPreCreateKey
HKCU\software\apcr::u4_15	쏛돱	RegNtPreCreateKey
HKCU\software\apcr::u1_16	䠆ꇪ	RegNtPreCreateKey
HKCU\software\apcr::u2_16	⷗♗	RegNtPreCreateKey
HKCU\software\apcr::u3_16	嵹❔	RegNtPreCreateKey
HKCU\software\apcr::u4_16	㝐♗	RegNtPreCreateKey
HKCU\software\apcr::u1_17	ᢘ튽	RegNtPreCreateKey
HKCU\software\apcr::u2_17	똢颼	RegNtPreCreateKey
HKCU\software\apcr::u3_17	샬馿	RegNtPreCreateKey
HKCU\software\apcr::u4_17	꫅颼	RegNtPreCreateKey
HKCU\software\apcr::u1_18	멃瓆	RegNtPreCreateKey
HKCU\software\apcr::u2_18	㷫ଢ	RegNtPreCreateKey
HKCU\software\apcr::u3_18	琓ਡ	RegNtPreCreateKey
HKCU\software\apcr::u4_18	Ḻଢ	RegNtPreCreateKey
HKCU\software\apcr::u1_19	䞈	RegNtPreCreateKey
HKCU\software\apcr::u2_19	蓅綇	RegNtPreCreateKey
HKCU\software\apcr::u3_19	ﮆ粄	RegNtPreCreateKey
HKCU\software\apcr::u4_19	醯綇	RegNtPreCreateKey
HKCU\software\apcr::u1_20	彪儖	RegNtPreCreateKey
HKCU\software\apcr::u2_20	☧	RegNtPreCreateKey
HKCU\software\apcr::u3_20	漍	RegNtPreCreateKey
HKCU\software\apcr::u4_20	Ԥ	RegNtPreCreateKey
HKCU\software\apcr::u1_21	痺	RegNtPreCreateKey
HKCU\software\apcr::u2_21	曆扒	RegNtPreCreateKey
HKCU\software\apcr::u3_21	ኰ捑	RegNtPreCreateKey
HKCU\software\apcr::u4_21	碙扒	RegNtPreCreateKey
HKCU\software\apcr::u1_22	塑伞	RegNtPreCreateKey
HKCU\software\apcr::u2_22	磻풷	RegNtPreCreateKey
HKCU\software\apcr::u3_22	蘧햴	RegNtPreCreateKey
HKCU\software\apcr::u4_22	풷	RegNtPreCreateKey
HKCU\software\apcr::u1_23	꿍棝	RegNtPreCreateKey
HKCU\software\apcr::u2_23	䑠䜝	RegNtPreCreateKey
HKCU\software\apcr::u3_23	㖪䘞	RegNtPreCreateKey
HKCU\software\apcr::u4_23	徃䜝	RegNtPreCreateKey
HKCU\software\apcr::u1_24	ꆡ궃	RegNtPreCreateKey
HKCU\software\apcr::u2_24	쩿릂	RegNtPreCreateKey
HKCU\software\apcr::u3_24	룑뢁	RegNtPreCreateKey
HKCU\software\apcr::u4_24	틸릂	RegNtPreCreateKey
HKCU\software\apcr::u1_25		RegNtPreCreateKey
HKCU\software\apcr::u2_25	搐⯨	RegNtPreCreateKey
HKCU\software\apcr::u3_25	ⱄ⫫	RegNtPreCreateKey
HKCU\software\apcr::u4_25	䙭⯨	RegNtPreCreateKey
HKCU\software\apcr::u1_26		RegNtPreCreateKey
HKCU\software\apcr::u2_26	ꐟ鹍	RegNtPreCreateKey
HKCU\software\apcr::u3_26	폋齎	RegNtPreCreateKey
HKCU\software\apcr::u4_26	맢鹍	RegNtPreCreateKey
HKCU\software\apcr::u1_27		RegNtPreCreateKey
HKCU\software\apcr::u2_27	ㅯႳ	RegNtPreCreateKey
HKCU\software\apcr::u3_27	䝾ᆰ	RegNtPreCreateKey
HKCU\software\apcr::u4_27	ⵗႳ	RegNtPreCreateKey
HKCU\software\apcr::u1_28	튕ⵝ	RegNtPreCreateKey
HKCU\software\apcr::u2_28	뮿茘	RegNtPreCreateKey
HKCU\software\apcr::u3_28	쫥舛	RegNtPreCreateKey
HKCU\software\apcr::u4_28	ꃌ茘	RegNtPreCreateKey
HKCU\software\apcr::u1_29	昘⸞	RegNtPreCreateKey
HKCU\software\apcr::u2_29	޳	RegNtPreCreateKey
HKCU\software\apcr::u3_29	繨	RegNtPreCreateKey
HKCU\software\apcr::u4_29	ᑁ	RegNtPreCreateKey
HKCU\software\apcr::u1_30	껻履	RegNtPreCreateKey
HKCU\software\apcr::u2_30	鬈柣	RegNtPreCreateKey
HKCU\software\apcr::u3_30	曠	RegNtPreCreateKey
HKCU\software\apcr::u4_30	螶柣	RegNtPreCreateKey
HKCU\software\apcr::u1_31	腾蔝	RegNtPreCreateKey
HKCU\software\apcr::u2_31		RegNtPreCreateKey
HKCU\software\apcr::u3_31		RegNtPreCreateKey
HKCU\software\apcr::u4_31		RegNtPreCreateKey
HKCU\software\apcr::u1_32	导誨	RegNtPreCreateKey
HKCU\software\apcr::u2_32	睧䲮	RegNtPreCreateKey
HKCU\software\apcr::u3_32	҉䶭	RegNtPreCreateKey
HKCU\software\apcr::u4_32	溠䲮	RegNtPreCreateKey
HKCU\software\apcr::u1_33	ੌ倎	RegNtPreCreateKey
HKCU\software\apcr::u2_33	郞뼓	RegNtPreCreateKey
HKCU\software\apcr::u3_33	蠼븐	RegNtPreCreateKey
HKCU\software\apcr::u4_33	뼓	RegNtPreCreateKey
HKCU\software\apcr::u1_34		RegNtPreCreateKey
HKCU\software\apcr::u2_34	亪ㅹ	RegNtPreCreateKey
HKCU\software\apcr::u3_34	㾣ぺ	RegNtPreCreateKey
HKCU\software\apcr::u4_34	喊ㅹ	RegNtPreCreateKey
HKCU\software\apcr::u1_35	ؼ洭	RegNtPreCreateKey
HKCU\software\apcr::u2_35		RegNtPreCreateKey
HKCU\software\apcr::u3_35	ꋖꋝ	RegNtPreCreateKey
HKCU\software\apcr::u4_35	죿ꏞ	RegNtPreCreateKey
HKCU\software\apcr::u1_36	嵒	RegNtPreCreateKey
HKCU\software\apcr::u2_36	◲ᙄ	RegNtPreCreateKey
HKCU\software\apcr::u3_36	噝ᝇ	RegNtPreCreateKey
HKCU\software\apcr::u4_36	㱴ᙄ	RegNtPreCreateKey
HKCU\software\apcr::u1_37	ힾ൥	RegNtPreCreateKey
HKCU\software\apcr::u2_37	녨袩	RegNtPreCreateKey
HKCU\software\apcr::u3_37	엀親	RegNtPreCreateKey
HKCU\software\apcr::u4_37	꿩袩	RegNtPreCreateKey
HKCU\software\apcr::u1_38	뇚	RegNtPreCreateKey
HKCU\software\apcr::u2_38	ݸ﬏	RegNtPreCreateKey
HKCU\software\apcr::u3_38	䥷兀	RegNtPreCreateKey
HKCU\software\apcr::u4_38	⍞﬏	RegNtPreCreateKey
HKCU\software\apcr::u1_39	잞䨃	RegNtPreCreateKey
HKCU\software\apcr::u2_39	衰浴	RegNtPreCreateKey
HKCU\software\apcr::u3_39	ﳺ汷	RegNtPreCreateKey
HKCU\software\apcr::u4_39	雓浴	RegNtPreCreateKey
HKCU\software\apcr::u1_40	๶	RegNtPreCreateKey
HKCU\software\apcr::u2_40		RegNtPreCreateKey
HKCU\software\apcr::u3_40		RegNtPreCreateKey
HKCU\software\apcr::u4_40		RegNtPreCreateKey
HKCU\software\apcr::u1_41	磮ό	RegNtPreCreateKey
HKCU\software\apcr::u2_41	媐刿	RegNtPreCreateKey
HKCU\software\apcr::u3_41	ប匼	RegNtPreCreateKey
HKCU\software\apcr::u4_41	綽刿	RegNtPreCreateKey
HKCU\software\apcr::u1_42	呏㾇	RegNtPreCreateKey
HKCU\software\apcr::u2_42	쒤	RegNtPreCreateKey
HKCU\software\apcr::u3_42	鬛얧	RegNtPreCreateKey
HKCU\software\apcr::u4_42	쒤	RegNtPreCreateKey
HKCU\software\apcr::u1_43	㸝Д	RegNtPreCreateKey

2951 additional registry modifications are not displayed above.

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Other Suspicious	SetWindowsHookEx
Network Winsock2	WSAStartup
Keyboard Access	GetKeyState
User Data Access	GetUserObjectInformation
Network Wininet	InternetConnect InternetOpen
Network Winhttp	WinHttpOpen