Virus.Win32.Sality.aa

Sality është një virus kompjuterik i sofistikuar, kompleks dhe jashtëzakonisht i rrezikshëm. Nëse keni ndonjë aluzion se kompjuteri juaj është infektuar me Sality, duhet të veproni me kujdes dhe të merreni me Sality sa më shpejt që të jetë e mundur. Sality mund të jetë i dëmshëm për kompjuterin tuaj dhe për ju në një larmi mënyrash befasuese, sepse Sality përfshin veçori ose përbërës të çdo lloji kryesor të malware dhe ndryshon rregullisht vetveten, duke u bërë vazhdimisht më keqdashës dhe më i vështirë për t'u zbuluar se sa ishte më parë.

Historia e Salit

Virusi Sality u shfaq për herë të parë në Rusi në vitin 2003. Që atëherë, Sality ka vazhduar të jetë një kërcënim dhe Sality është përhapur në të gjithë botën, historikisht me një prani veçanërisht të fortë në Brazil. Sality ishte një nga viruset më të përhapur të vitit 2010 dhe pati një rritje të madhe të numrit të infeksioneve në fund të vitit, kur u shfaq një mutacion i ri i virusit. Disa studiues kanë deklaruar se Sality është aktualisht një nga pesë kërcënimet më të zakonshme të zbuluara në kompjuterë.

Në mënyrë të rreptë, Sality filloi si një derë e pasme si një mënyrë për të anashkaluar masat e zakonshme të sigurisë kompjuterike. Megjithëse Sality e ka ende këtë veçori dhe infeksioni ende fillon me një derë të pasme, Sality është rritur dhe evoluar me kalimin e viteve për të përfshirë në funksionimin e tij praktikisht çdo shumëllojshmëri të njohur të malware. Ky nuk është një ekzagjerim – përveç derës së pasme, veçoritë e Sality përfshijnë viruse, keylogger, rootkits, worms, Trojans, shkarkues, botnet, adware dhe shfrytëzime të Windows-it me orë zero. Sality ka tiparet e përbashkëta të një virusi klasik, si dhe disa aftësi shumë moderne dhe shumë të rrezikshme.

Si funksionon Saltia

Aktualisht, një infeksion Sality mund të fillojë me përdorimin e një disku të infektuar me gishtin e madh, i cili do të infektojë kompjuterin tuaj duke filluar me një krimb ose Sality mund të infektojë kompjuterin tuaj duke filluar me një Trojan, pasi të klikoni në një email të infektuar me spam ose të shkarkoni një skedar të infektuar. Në një mënyrë apo tjetër, pasi Sality është i pranishëm, Sality hap një derë të pasme; dhe mund të shkarkojë malware të tjerë; ose komunikoni fshehurazi me një kontrollues botnet ose këdo që e ka përhapur virusin në radhë të parë.

Pastaj Sality vendos veten për të bërë dëmin e saj. Sality hedh një vështrim në atë që është në sistemin tuaj, infekton skedarët lokalë .exe dhe .scr, çaktivizon ose fshin softuerin e sigurisë dhe muret e zjarrit dhe shkruan skedarë me qëllim të keq. Sality madje mund të ndryshojë kompjuterin tuaj për të parandaluar që Windows të mund të fillojë në modalitetin e sigurt. Më pas mund të instalojë një tastierë për të kapur goditjet e tasteve dhe për të vjedhur emrat dhe fjalëkalimet e përdoruesve, numrat e kartave të kreditit ose informacione të tjera të ndjeshme. Sality mund të krijojë gjithashtu një krimb që do të infektojë të gjitha mediat e lëvizshme, veçanërisht disqet USB dhe do të bëjë që virusi të instalohet automatikisht në cilindo kompjuter me të cilin lidhni diskun USB.

Zhvillimet e reja të Salit

Kohët e fundit, Sality është përdorur për të krijuar 'kompjuterë zombie' dhe për të shtuar kompjuterë të infektuar në botnet. Me fjalë të tjera, Sality po përdoret për t'u dhënë hakerëve qasje në distancë në sistemet e infektuara dhe për t'i përdorur ato sisteme për të përhapur spam, për të krijuar klikime mashtruese në ueb ose për të nisur sulmet e Mohimit të Shërbimit kundër faqeve të synuara të internetit – të gjitha pa dijeninë e pronarëve të kompjuterët e infektuar. Një vlerësim i fundit i madhësisë së botnet-it Sality e vendos numrin e kompjuterëve të lidhur përmes Sality në 100,000.

Duke filluar në verën e vitit 2010, kishte raporte se Sality po infektonte kompjuterët përmes një trojan që përfitonte nga ajo që ishte një dobësi e ashtuquajtur 'orë-zero' në Windows, duke shfrytëzuar mënyrën se si Windows trajtonte shkurtoret. Në këtë mënyrë, Sality është i ngjashëm me virusin Stuxnet . Në thelb, trojani infekton kompjuterin dhe krijon një skedar .dll dhe një skedar .lnk diku, dhe sapo të lundroni në drejtorinë ku është ruajtur skedari .lnk, aktivizohet .dll dhe Sality kalon në veprim. Që kur u zbulua dobësia, Microsoft ka lëshuar përditësime të Windows për të riparuar dobësinë. Megjithatë, kohët e fundit, kjo dobësi ka qenë një shkak kryesor i rritjes së shkallës së infeksionit të Sality, sepse shumë njerëz thjesht nuk e përditësojnë Windows mjaft shpesh ose fare.

Kripësia vazhdon të jetë një kërcënim i rëndësishëm kryesisht për shkak të natyrës së tij polimorfike. Ai mund të ndryshojë kodin e tij duke e enkriptuar veten ndryshe për çdo skedar të ndryshëm ose kompjuter që infekton Sality, gjë që synon ta bëjë të vështirë zbulimin e Sality përmes skanimeve. Në çdo rast, ekspertët besojnë se krijuesit e Sality kanë qëllimin përfundimtar të përdorimit të Sality për të mbledhur dhe inkorporuar sa më shumë kode të dëmshme dhe të dëmshme që të jetë e mundur. Prandaj, vigjilenca e vazhdueshme ndaj Salit ka të ngjarë të jetë një domosdoshmëri në të ardhmen e parashikueshme.

SpyHunter zbulon dhe heq Virus.Win32.Sality.aa

Raporti i analizës

Informacion i pergjithshem

Family Name:	Virus.Sality
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: de738ab0e456a4fc7a15462d2f442755 SHA1: b3cbc2a422889211b42469434ae53b42968411bc Madhësia e skedarit: 136.99 KB, 136992 bytes

MD5: dfcf08b8ed815850e6933187cea6d039 SHA1: 5b63fab6ab6a9d9efa9df45fa8f867b3d0878908 Madhësia e skedarit: 103.14 KB, 103140 bytes

MD5: 6a6807cf3039b85a8e9a77be7b801e6d SHA1: 6aeb7b7c20d664e237b2af5cd175bdc1342b758d Madhësia e skedarit: 103.14 KB, 103140 bytes

MD5: 6f8abefb5fcb91f0652e558f1ade51cc SHA1: 21c11e0aa0bb8ac2446bf5dbc355bdeb2264280d Madhësia e skedarit: 218.91 KB, 218912 bytes

MD5: 9233013357f95eab175140bc9f590858 SHA1: 4919d37fdeab3713fe914978858ddd3d865d51c1 SHA256: 6736037AFD5AEDCAD934247E4343D7DCB9DF0452A22A1E01B591447E2E46A2FA Madhësia e skedarit: 103.14 KB, 103140 bytes

Show More

MD5: cf1562fe8d02b1485686c6fd5cad0c79 SHA1: 1b05e5ea5716bfd8b0bd0deb6fecd05ff904b61f SHA256: 3B8B07E341BD408512D47BBA421C95A14CC61CB76525BB16E7C3DAF1FDA6DE83 Madhësia e skedarit: 9.93 MB, 9926976 bytes

MD5: b53a7ba023575b096f71bc8d2da5f67a SHA1: 35d3bf379e95684f671bc5efb5dbbc154b73a3bc SHA256: 8A619A448C2FFE0D37ABEB21288674952E4E65AFA57C23A1047CCCA0B19E933E Madhësia e skedarit: 103.14 KB, 103140 bytes

MD5: 8306b38ea1d2083e943d6273fa8b3e4f SHA1: 6676fdd6fd646a2c31352f7af41d08d5c6a8b109 SHA256: 5BDA53053924C8077A6ED322440DD176624474525A61936565668852EC4B5D13 Madhësia e skedarit: 1.93 MB, 1926448 bytes

MD5: 5f711b5ae8a4f9c69c3124df020f9698 SHA1: 2557ff72979a7773afb366d128d5b34faad4fa03 SHA256: B4DD13C469CAA0D4051CAA0B86B0A22D1DD65FC4AA75548DC97B568B0D39F65E Madhësia e skedarit: 1.12 MB, 1118949 bytes

MD5: ef61d174c365813a12bbccede429d234 SHA1: b0a1ea3966d8bd4b028802d5a680607cb9f70dea SHA256: 23CE0F89F74D21C2321CE8C7BE641D4B6C56D573CE9DCBB42B9D57E41F420644 Madhësia e skedarit: 103.14 KB, 103140 bytes

MD5: 81869a5a1b0959d3c4443b9eda565e2a SHA1: e3ead28be912b13aa0816ad3d6b2289cecb7ccfd SHA256: C3E074C3058AE6F8C5788E0251AC59C838D9CE6637FF5C16D2895C32B136CD12 Madhësia e skedarit: 103.14 KB, 103140 bytes

MD5: 863c155b65d5831e4f577804ee2c4b79 SHA1: 78c037c4d0a828e877cac4d4e1fdb9c1d3982c96 SHA256: B006A8A56D8F91D43EA438B0BEEE23ADFBA8A162D8D85BEBE326C9F64502EF13 Madhësia e skedarit: 103.14 KB, 103140 bytes

MD5: 095fac5b98fc4f60f4d02cd49bf57846 SHA1: 7bcd2767c5edb9847c6cc934f64551df2b42c5f9 SHA256: D26AC358A19D3465CFC4F146C65F48E23DD5A6D5DD0B859D1F4FC643342E677F Madhësia e skedarit: 103.14 KB, 103140 bytes

MD5: a652034dec8f99577903918c506e1987 SHA1: 1edd77bf74fb8a10bf1c688073e3f29c33108e8f SHA256: 78826624ECB5E6624A9925E59E01B44505B489140B6C09AC7E89261E6399690E Madhësia e skedarit: 103.14 KB, 103140 bytes

MD5: c803c8286377c3f155998fbbaa1ff443 SHA1: 4d9e7482fc372c1deffc7d500fd677ff7b39b615 SHA256: 902B61D51F5519D32AD1476D918E28C6FACC9022F6D8E0A5BAE127517D7D8CD8 Madhësia e skedarit: 159.74 KB, 159744 bytes

MD5: 12e604fcd646871fb046367a336f4276 SHA1: 1740006d2579aa33c94a41fd0af544387c2c5fb7 SHA256: C2A185F0B504F814DDC64698319E0E61B39FA3AA31CC08F59FB99662C294D612 Madhësia e skedarit: 133.55 KB, 133552 bytes

MD5: de1cde02a70e2fc28399986a44e3fa1e SHA1: e0e9d1c3e11b55499298bac412418762959797e6 SHA256: F056292A4C0C01462B6CA713E04CC7F664D5EFDFC6A577DD950C4C1B3E96C2C1 Madhësia e skedarit: 311.02 KB, 311019 bytes

MD5: 85ee116968a3c618652c5a6ce25ffe8d SHA1: 25d7f982048408b6510cd65a84ff9a5b7ea7866e SHA256: 6B9002CBFA2796AA9CD1069ABCEA6932FF492152188EDAE7FBE6FA6350F511FE Madhësia e skedarit: 5.82 MB, 5822483 bytes

MD5: aec3db01890ba541c99bbc36c8fcc1d9 SHA1: c0a832646e7683486c180f4a9f57d810973a19df SHA256: F647214C0B976702535396D761353D4342A95BD252DBD5CD05FA88D5E061B636 Madhësia e skedarit: 932.35 KB, 932352 bytes

MD5: 4df76bd0e97fc049271daf2717743520 SHA1: 799ae57c793a8c9802443e5756487e850c9433e9 SHA256: 2CAE82F9B3CD3F7924E5A07F8AF404B70120FA3EDCF4EDA9DF2849C3764E17D0 Madhësia e skedarit: 98.64 KB, 98640 bytes

MD5: 982b3e5987cbc6cf6be1a369599b5ec5 SHA1: ed67200761fff0f5d678df451e6f625f190bc0e1 SHA256: 76A4B68966AE3ADDE038149A803CA5086F54C1D01FF441F9FBCDDF7B406BA6A1 Madhësia e skedarit: 99.33 KB, 99328 bytes

MD5: 64697fe83d6085b5c0566d6872be829a SHA1: ce94f779ebc4ff8ca36722f70194468d56f24d14 SHA256: 7BC4476EE502207D868A6A7BA2260F67A0B27D1B84D3736FA1698CF306D60757 Madhësia e skedarit: 469.61 KB, 469608 bytes

MD5: cb1b67fba623a326d96a2ae7483ec15e SHA1: 8c57dbab3f5aa56a88dddf36236bec1e583553a6 SHA256: 9B5568A9D9F549F40746883BD9DBB3EAFEF02F344F386EE8C4C8D6E5DDE50FE7 Madhësia e skedarit: 99.33 KB, 99328 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have resources
• File doesn't have security information
• File has TLS information
• File is 32-bit executable
• File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
• File is either console or GUI application

Show More

• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Emri	Vlera
Comments	iProg Pro
Company Name	Acresso Software Inc. DT Soft Ltd EZB Systems, Inc. iProg group Microsoft NEtech ApS Sun Microsystems, Inc.
File Description	DAEMON Tools Pro ISO Command Java(TM) Control Panel Java(TM) Platform SE binary Long Coding Setup.exe
File Version	15.0.498 8.2.0.0 6.0.450.6 6.0.210.7 6.0.170.4 4.41.0315.0262 3.21 built by: WinDDK 1.00 1.0.7.10
Full Version	1.6.0_45-b06 1.6.0_21-b07 1.6.0_17-b04
Internal Build Number	77018
Internal Name	DTPro.exe iProgPro.exe isocmd.exe java Java(TM) Control Panel LCode Setup Win
Legal Copyright	Copyright (c)2006-2021 EZB Systems, Inc. Copyright (C) 2008 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved. Copyright © 2004 Copyright © 2010 Copyright © 2013 NEtech © 2000-2011 DT Soft Ltd.
Original Filename	DTPro.exe isocmd.exe java.exe javacpl.exe LCode Setup.exe Win.exe
Product Name	DAEMON Tools Pro InstallShield ISOCMD Java(TM) Platform SE 6 U17 Java(TM) Platform SE 6 U21 Java(TM) Platform SE 6 U45 LCode Win
Product Version	82 15.0 6.0.450.6 6.0.210.7 6.0.170.4 4.41.0315.0262 3.21 1.00 1.0.7.10

File Traits

• 2+ executable sections
• big overlay
• HighEntropy
• imgui
• Installer Manifest
• Installer Version
• No Version Info
• SusSec
• WriteProcessMemory
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	1
Potentially Malicious Blocks:	1
Whitelisted Blocks:	0
Unknown Blocks:	0

Visual Map

x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• BadJoke.XA
• Banker.YA
• Delf.Spy.B
• Delf.XB
• Expiro.C

Show More

• Injector.DFF
• Injector.FCH
• Injector.FHBA
• Injector.KS
• KillAV.X
• Kryptik.RA
• Kryptik.YHB
• Nockat.A
• Sality.A

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Attributes,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Data,Read Attributes,LEFT 262144
c:\users\user\appdata\local\temp\bpck.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data

Show More

c:\users\user\appdata\local\temp\bpck.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\bpck.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\jvqomr.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\jvqomr.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\jvqomr.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\winllhw.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winllhw.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\winllhw.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\winqwisr.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winqwisr.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\winqwisr.exe	Synchronize,Write Attributes
c:\windows\20b848	Generic Write,Read Attributes
c:\windows\20b951	Generic Write,Read Attributes
c:\windows\20bc01	Generic Write,Read Attributes
c:\windows\92a247c	Generic Write,Read Attributes
c:\windows\system.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Të dhënat	API Name
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\policies\system::disabletaskmgr		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\policies\system::disableregistrytools		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride		RegNtPreCreateKey

Show More

HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline		RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1919251317	y	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-456464662		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1462786655		RegNtPreCreateKey
HKCU\software\apcr\1214104697::-912929324	#	RegNtPreCreateKey
HKCU\software\apcr\1214104697::1006321993	ƃ	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-1369393986	http://cikmayedekparca.com/images/logos.gifhttp://brucegarrod	RegNtPreCreateKey
HKCU\software\apcr\1214104697::549857331		RegNtPreCreateKey
HKCU\software\apcr::u1_0	ᅕ쒧	RegNtPreCreateKey
HKCU\software\apcr::u2_0	♨	RegNtPreCreateKey
HKCU\software\apcr::u3_0	権ă	RegNtPreCreateKey
HKCU\software\apcr::u4_0		RegNtPreCreateKey
HKCU\software\apcr::u1_1	謭믨	RegNtPreCreateKey
HKCU\software\apcr::u2_1	擷牥	RegNtPreCreateKey
HKCU\software\apcr::u3_1	ᥜ獦	RegNtPreCreateKey
HKCU\software\apcr::u4_1	獵牥	RegNtPreCreateKey
HKCU\software\apcr::u1_2	ꮧ꟩	RegNtPreCreateKey
HKCU\software\apcr::u2_2	ｻ	RegNtPreCreateKey
HKCU\software\apcr::u3_2	賃	RegNtPreCreateKey
HKCU\software\apcr::u4_2		RegNtPreCreateKey
HKCU\software\apcr::u1_3	პ낭	RegNtPreCreateKey
HKCU\software\apcr::u2_3	䘺地	RegNtPreCreateKey
HKCU\software\apcr::u3_3	ぶ嘳	RegNtPreCreateKey
HKCU\software\apcr::u4_3	婟地	RegNtPreCreateKey
HKCU\software\apcr::u1_4	Ȓ	RegNtPreCreateKey
HKCU\software\apcr::u2_4	큥즕	RegNtPreCreateKey
HKCU\software\apcr::u3_4	ꟽ좖	RegNtPreCreateKey
HKCU\software\apcr::u4_4	췔즕	RegNtPreCreateKey
HKCU\software\apcr::u1_5	鸫珊	RegNtPreCreateKey
HKCU\software\apcr::u2_5	娔㯻	RegNtPreCreateKey
HKCU\software\apcr::u3_5	⭠㫸	RegNtPreCreateKey
HKCU\software\apcr::u4_5	䅉㯻	RegNtPreCreateKey
HKCU\software\apcr::u1_6	惜Ἀ	RegNtPreCreateKey
HKCU\software\apcr::u2_6	꾺깠	RegNtPreCreateKey
HKCU\software\apcr::u3_6		RegNtPreCreateKey
HKCU\software\apcr::u4_6	뒾깠	RegNtPreCreateKey
HKCU\software\apcr::u1_7	➞▢	RegNtPreCreateKey
HKCU\software\apcr::u2_7	㹆⃆	RegNtPreCreateKey
HKCU\software\apcr::u3_7	䈚⇅	RegNtPreCreateKey
HKCU\software\apcr::u4_7	⠳⃆	RegNtPreCreateKey
HKCU\software\apcr::u1_8	蠅	RegNtPreCreateKey
HKCU\software\apcr::u2_8	뮣錫	RegNtPreCreateKey
HKCU\software\apcr::u3_8	鈨	RegNtPreCreateKey
HKCU\software\apcr::u4_8	鮨錫	RegNtPreCreateKey
HKCU\software\apcr::u1_9	ຣ㖺	RegNtPreCreateKey
HKCU\software\apcr::u2_9	ᖘ֑	RegNtPreCreateKey
HKCU\software\apcr::u3_9	攴Ғ	RegNtPreCreateKey
HKCU\software\apcr::u4_9	༝֑	RegNtPreCreateKey
HKCU\software\apcr::u1_10	벘	RegNtPreCreateKey
HKCU\software\apcr::u2_10	ꄧ矶	RegNtPreCreateKey
HKCU\software\apcr::u3_10	盵	RegNtPreCreateKey
HKCU\software\apcr::u4_10	芒矶	RegNtPreCreateKey
HKCU\software\apcr::u1_11	腈焋	RegNtPreCreateKey
HKCU\software\apcr::u2_11		RegNtPreCreateKey
HKCU\software\apcr::u3_11	鰮	RegNtPreCreateKey
HKCU\software\apcr::u4_11		RegNtPreCreateKey
HKCU\software\apcr::u1_12	ጪ轱	RegNtPreCreateKey
HKCU\software\apcr::u2_12	糋峁	RegNtPreCreateKey
HKCU\software\apcr::u3_12	͕巂	RegNtPreCreateKey
HKCU\software\apcr::u4_12	楼峁	RegNtPreCreateKey
HKCU\software\apcr::u1_13	덌㎠	RegNtPreCreateKey
HKCU\software\apcr::u2_13	ﹶ켦	RegNtPreCreateKey
HKCU\software\apcr::u3_13	뛘츥	RegNtPreCreateKey
HKCU\software\apcr::u4_13		RegNtPreCreateKey
HKCU\software\apcr::u1_14	؋ࣆ	RegNtPreCreateKey
HKCU\software\apcr::u2_14	䞈䆌	RegNtPreCreateKey
HKCU\software\apcr::u3_14	㩏䂏	RegNtPreCreateKey
HKCU\software\apcr::u4_14	偦䆌	RegNtPreCreateKey
HKCU\software\apcr::u1_15	꼜	RegNtPreCreateKey
HKCU\software\apcr::u2_15		RegNtPreCreateKey
HKCU\software\apcr::u3_15	꧲닲	RegNtPreCreateKey
HKCU\software\apcr::u4_15	쏛돱	RegNtPreCreateKey
HKCU\software\apcr::u1_16	䠆ꇪ	RegNtPreCreateKey
HKCU\software\apcr::u2_16	⷗♗	RegNtPreCreateKey
HKCU\software\apcr::u3_16	嵹❔	RegNtPreCreateKey
HKCU\software\apcr::u4_16	㝐♗	RegNtPreCreateKey
HKCU\software\apcr::u1_17	ᢘ튽	RegNtPreCreateKey
HKCU\software\apcr::u2_17	똢颼	RegNtPreCreateKey
HKCU\software\apcr::u3_17	샬馿	RegNtPreCreateKey
HKCU\software\apcr::u4_17	꫅颼	RegNtPreCreateKey
HKCU\software\apcr::u1_18	멃瓆	RegNtPreCreateKey
HKCU\software\apcr::u2_18	㷫ଢ	RegNtPreCreateKey
HKCU\software\apcr::u3_18	琓ਡ	RegNtPreCreateKey
HKCU\software\apcr::u4_18	Ḻଢ	RegNtPreCreateKey
HKCU\software\apcr::u1_19	䞈	RegNtPreCreateKey
HKCU\software\apcr::u2_19	蓅綇	RegNtPreCreateKey
HKCU\software\apcr::u3_19	ﮆ粄	RegNtPreCreateKey
HKCU\software\apcr::u4_19	醯綇	RegNtPreCreateKey
HKCU\software\apcr::u1_20	彪儖	RegNtPreCreateKey
HKCU\software\apcr::u2_20	☧	RegNtPreCreateKey
HKCU\software\apcr::u3_20	漍	RegNtPreCreateKey
HKCU\software\apcr::u4_20	Ԥ	RegNtPreCreateKey
HKCU\software\apcr::u1_21	痺	RegNtPreCreateKey
HKCU\software\apcr::u2_21	曆扒	RegNtPreCreateKey
HKCU\software\apcr::u3_21	ኰ捑	RegNtPreCreateKey
HKCU\software\apcr::u4_21	碙扒	RegNtPreCreateKey
HKCU\software\apcr::u1_22	塑伞	RegNtPreCreateKey
HKCU\software\apcr::u2_22	磻풷	RegNtPreCreateKey
HKCU\software\apcr::u3_22	蘧햴	RegNtPreCreateKey
HKCU\software\apcr::u4_22	풷	RegNtPreCreateKey
HKCU\software\apcr::u1_23	꿍棝	RegNtPreCreateKey
HKCU\software\apcr::u2_23	䑠䜝	RegNtPreCreateKey
HKCU\software\apcr::u3_23	㖪䘞	RegNtPreCreateKey
HKCU\software\apcr::u4_23	徃䜝	RegNtPreCreateKey
HKCU\software\apcr::u1_24	ꆡ궃	RegNtPreCreateKey
HKCU\software\apcr::u2_24	쩿릂	RegNtPreCreateKey
HKCU\software\apcr::u3_24	룑뢁	RegNtPreCreateKey
HKCU\software\apcr::u4_24	틸릂	RegNtPreCreateKey
HKCU\software\apcr::u1_25		RegNtPreCreateKey
HKCU\software\apcr::u2_25	搐⯨	RegNtPreCreateKey
HKCU\software\apcr::u3_25	ⱄ⫫	RegNtPreCreateKey
HKCU\software\apcr::u4_25	䙭⯨	RegNtPreCreateKey
HKCU\software\apcr::u1_26		RegNtPreCreateKey
HKCU\software\apcr::u2_26	ꐟ鹍	RegNtPreCreateKey
HKCU\software\apcr::u3_26	폋齎	RegNtPreCreateKey
HKCU\software\apcr::u4_26	맢鹍	RegNtPreCreateKey
HKCU\software\apcr::u1_27		RegNtPreCreateKey
HKCU\software\apcr::u2_27	ㅯႳ	RegNtPreCreateKey
HKCU\software\apcr::u3_27	䝾ᆰ	RegNtPreCreateKey
HKCU\software\apcr::u4_27	ⵗႳ	RegNtPreCreateKey
HKCU\software\apcr::u1_28	튕ⵝ	RegNtPreCreateKey
HKCU\software\apcr::u2_28	뮿茘	RegNtPreCreateKey
HKCU\software\apcr::u3_28	쫥舛	RegNtPreCreateKey
HKCU\software\apcr::u4_28	ꃌ茘	RegNtPreCreateKey
HKCU\software\apcr::u1_29	昘⸞	RegNtPreCreateKey
HKCU\software\apcr::u2_29	޳	RegNtPreCreateKey
HKCU\software\apcr::u3_29	繨	RegNtPreCreateKey
HKCU\software\apcr::u4_29	ᑁ	RegNtPreCreateKey
HKCU\software\apcr::u1_30	껻履	RegNtPreCreateKey
HKCU\software\apcr::u2_30	鬈柣	RegNtPreCreateKey
HKCU\software\apcr::u3_30	曠	RegNtPreCreateKey
HKCU\software\apcr::u4_30	螶柣	RegNtPreCreateKey
HKCU\software\apcr::u1_31	腾蔝	RegNtPreCreateKey
HKCU\software\apcr::u2_31		RegNtPreCreateKey
HKCU\software\apcr::u3_31		RegNtPreCreateKey
HKCU\software\apcr::u4_31		RegNtPreCreateKey
HKCU\software\apcr::u1_32	导誨	RegNtPreCreateKey
HKCU\software\apcr::u2_32	睧䲮	RegNtPreCreateKey
HKCU\software\apcr::u3_32	҉䶭	RegNtPreCreateKey
HKCU\software\apcr::u4_32	溠䲮	RegNtPreCreateKey
HKCU\software\apcr::u1_33	ੌ倎	RegNtPreCreateKey
HKCU\software\apcr::u2_33	郞뼓	RegNtPreCreateKey
HKCU\software\apcr::u3_33	蠼븐	RegNtPreCreateKey
HKCU\software\apcr::u4_33	뼓	RegNtPreCreateKey
HKCU\software\apcr::u1_34		RegNtPreCreateKey
HKCU\software\apcr::u2_34	亪ㅹ	RegNtPreCreateKey
HKCU\software\apcr::u3_34	㾣ぺ	RegNtPreCreateKey
HKCU\software\apcr::u4_34	喊ㅹ	RegNtPreCreateKey
HKCU\software\apcr::u1_35	ؼ洭	RegNtPreCreateKey
HKCU\software\apcr::u2_35		RegNtPreCreateKey
HKCU\software\apcr::u3_35	ꋖꋝ	RegNtPreCreateKey
HKCU\software\apcr::u4_35	죿ꏞ	RegNtPreCreateKey
HKCU\software\apcr::u1_36	嵒	RegNtPreCreateKey
HKCU\software\apcr::u2_36	◲ᙄ	RegNtPreCreateKey
HKCU\software\apcr::u3_36	噝ᝇ	RegNtPreCreateKey
HKCU\software\apcr::u4_36	㱴ᙄ	RegNtPreCreateKey
HKCU\software\apcr::u1_37	ힾ൥	RegNtPreCreateKey
HKCU\software\apcr::u2_37	녨袩	RegNtPreCreateKey
HKCU\software\apcr::u3_37	엀親	RegNtPreCreateKey
HKCU\software\apcr::u4_37	꿩袩	RegNtPreCreateKey
HKCU\software\apcr::u1_38	뇚	RegNtPreCreateKey
HKCU\software\apcr::u2_38	ݸ﬏	RegNtPreCreateKey
HKCU\software\apcr::u3_38	䥷兀	RegNtPreCreateKey
HKCU\software\apcr::u4_38	⍞﬏	RegNtPreCreateKey
HKCU\software\apcr::u1_39	잞䨃	RegNtPreCreateKey
HKCU\software\apcr::u2_39	衰浴	RegNtPreCreateKey
HKCU\software\apcr::u3_39	ﳺ汷	RegNtPreCreateKey
HKCU\software\apcr::u4_39	雓浴	RegNtPreCreateKey
HKCU\software\apcr::u1_40	๶	RegNtPreCreateKey
HKCU\software\apcr::u2_40		RegNtPreCreateKey
HKCU\software\apcr::u3_40		RegNtPreCreateKey
HKCU\software\apcr::u4_40		RegNtPreCreateKey
HKCU\software\apcr::u1_41	磮ό	RegNtPreCreateKey
HKCU\software\apcr::u2_41	媐刿	RegNtPreCreateKey
HKCU\software\apcr::u3_41	ប匼	RegNtPreCreateKey
HKCU\software\apcr::u4_41	綽刿	RegNtPreCreateKey
HKCU\software\apcr::u1_42	呏㾇	RegNtPreCreateKey
HKCU\software\apcr::u2_42	쒤	RegNtPreCreateKey
HKCU\software\apcr::u3_42	鬛얧	RegNtPreCreateKey
HKCU\software\apcr::u4_42	쒤	RegNtPreCreateKey
HKCU\software\apcr::u1_43	㸝Д	RegNtPreCreateKey

2951 additional registry modifications are not displayed above.

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Other Suspicious	SetWindowsHookEx
Network Winsock2	WSAStartup
Keyboard Access	GetKeyState
User Data Access	GetUserObjectInformation
Network Wininet	InternetConnect InternetOpen
Network Winhttp	WinHttpOpen