Virus.Win32.Sality.aa

Ang Sality ay isang sopistikado, kumplikado at lubhang mapanganib na virus ng computer. Kung mayroon kang anumang pahiwatig na ang iyong PC ay nahawaan ng Sality, dapat kang kumilos nang may pag-iingat at harapin ang Sality sa lalong madaling panahon. Ang Sality ay maaaring makapinsala sa iyong computer at sa iyo sa nakakagulat na iba't ibang paraan, dahil ang Sality ay may kasamang mga feature o bahagi ng bawat pangunahing uri ng malware at regular na nagbabago sa sarili nito, na patuloy na nagiging mas malisyoso at mas mahirap matukoy kaysa sa dati.

Kasaysayan ni Sality

Ang Sality virus ay unang lumitaw sa Russia noong 2003. Simula noon, ang Sality ay patuloy na isang banta, at ang Sality ay kumalat sa buong mundo, sa kasaysayan na may partikular na malakas na presensya sa Brazil. Ang Sality ay isa sa mga pinakalaganap na virus noong 2010, at nagkaroon ng malaking pagtaas sa bilang ng mga impeksyon sa katapusan ng taon, nang lumitaw ang isang bagong mutation ng virus. Ang ilang mga mananaliksik ay nagpahayag na ang Sality ay kasalukuyang isa sa limang pinakakaraniwang banta na nakita sa mga computer.

Sa mahigpit na pagsasalita, nagsimula ang Sality bilang isang backdoor bilang isang paraan ng pag-bypass sa mga karaniwang hakbang sa seguridad ng computer. Bagama't mayroon pa ring feature na ito ang Sality at nagsisimula pa rin ang impeksyon sa isang backdoor, lumaki at umunlad ang Sality sa paglipas ng mga taon upang isama sa paggana nito ang halos lahat ng kilalang uri ng malware. Hindi iyon pagmamalabis – bilang karagdagan sa backdoor, kasama sa mga feature ng Sality ang mga virus, keylogger, rootkit, worm, Trojans, downloader, botnets, adware at zero-hour Windows exploits. Ang asin ay may mga karaniwang tampok ng isang klasikong virus, pati na rin ang ilang napaka-moderno at napakadelikadong kakayahan.

Paano Gumagana ang Sality

Sa kasalukuyan, ang impeksiyon ng Sality ay maaaring magsimula sa paggamit ng isang nahawaang thumb drive na makakahawa sa iyong computer na nagsisimula sa isang worm o maaaring mahawahan ng Sality ang iyong computer na nagsisimula sa isang Trojan, pagkatapos mong mag-click sa isang nahawaang spam na email o mag-download ng isang nahawaang file. Sa isang paraan o iba pa, kapag naroroon na si Sality, nagbubukas si Sality ng backdoor;, at maaaring mag-download ng iba pang malware; o lihim na makipag-usap sa isang botnet controller o sinumang nagpalaganap ng virus sa unang lugar.

Pagkatapos ay itinakda ni Sality ang sarili upang gawin ang pinsala nito. Tinitingnan ng Sality kung ano ang nasa iyong system, naapektuhan ang mga lokal na .exe at .scr na file, hindi pinapagana o tinatanggal ang software ng seguridad at mga firewall at nagsusulat ng mga malisyosong file. Maaari pa ngang baguhin ng Sality ang iyong computer upang pigilan ang Windows na makapagsimula sa Safe Mode. Pagkatapos ay maaari itong mag-install ng keylogger upang makuha ang mga keystroke at magnakaw ng mga user name at password, numero ng credit card o iba pang sensitibong impormasyon. Ang Sality ay maaari ding lumikha ng isang worm na makakahawa sa lahat ng naaalis na media, lalo na sa mga USB thumb drive, at maging sanhi ng virus na awtomatikong mag-install ng sarili sa alinmang computer na ikinonekta mo ang USB drive sa susunod.

Mga Bagong Pag-unlad ng Sality

Kamakailan, ginamit ang Sality upang lumikha ng 'mga zombie na computer' at upang magdagdag ng mga nahawaang computer sa mga botnet. Sa madaling salita, ginagamit ang Sality upang mabigyan ang mga hacker ng malayuang pag-access sa mga nahawaang system, at para gamitin ang mga system na iyon para magpakalat ng spam, lumikha ng mga mapanlinlang na pag-click sa web o maglunsad ng mga pag-atake ng Denial Of Service laban sa mga naka-target na website – lahat nang walang kaalaman ng mga may-ari ng ang mga nahawaang computer. Ang isang kamakailang pagtatantya ng laki ng Sality botnet ay naglalagay ng bilang ng mga computer na konektado sa pamamagitan ng Sality sa 100,000.

Simula sa tag-araw ng 2010, may mga ulat na infected ni Sality ang mga computer sa pamamagitan ng Trojan na sinasamantala ang tinatawag na 'zero-hour' na kahinaan sa Windows, sa pamamagitan ng pagsasamantala sa paraan ng paghawak ng Windows sa mga shortcut. Sa ganitong paraan, ang Sality ay katulad ng virus na Stuxnet . Karaniwang, na-infect ng Trojan ang computer at lumilikha ng isang .dll file at isang .lnk file sa isang lugar, at sa sandaling mag-navigate ka sa direktoryo kung saan naka-imbak ang .lnk file, ang .dll ay isinaaktibo at ang Sality ay kumilos. Mula nang matuklasan ang kahinaan, naglabas ang Microsoft ng mga update sa Windows upang ayusin ang kahinaan. Gayunpaman, kamakailan lamang, ang kahinaan na ito ay naging pangunahing dahilan ng pagtaas ng mga rate ng impeksyon ng Sality, dahil maraming tao ang hindi nag-a-update ng Windows nang madalas nang sapat o sa lahat.

Ang asin ay patuloy na isang makabuluhang banta higit sa lahat dahil sa polymorphic na kalikasan nito. Maaari nitong baguhin ang sarili nitong code sa pamamagitan ng pag-encrypt sa sarili nito nang naiiba para sa bawat magkaibang file o computer na na-infect ng Sality, na nilalayong gawing mahirap na matukoy ang Sality sa pamamagitan ng mga pag-scan. Sa anumang kaso, naniniwala ang mga eksperto na ang mga tagalikha ng Sality ang may sukdulang layunin na gamitin ang Sality upang magtipon at magsama ng mas maraming nakakapinsala at nakakapinsalang code hangga't maaari. Samakatuwid, ang patuloy na pagbabantay laban sa Sality ay malamang na isang pangangailangan sa nakikinita na hinaharap.

Nakikita at Tinatanggal ng SpyHunter ang Virus.Win32.Sality.aa

Pagtatasa ng ulat

Pangkalahatang Impormasyon

Family Name:	Virus.Sality
Signature status:	No Signature

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: de738ab0e456a4fc7a15462d2f442755 SHA1: b3cbc2a422889211b42469434ae53b42968411bc Laki ng File: 136.99 KB, 136992 bytes

MD5: dfcf08b8ed815850e6933187cea6d039 SHA1: 5b63fab6ab6a9d9efa9df45fa8f867b3d0878908 Laki ng File: 103.14 KB, 103140 bytes

MD5: 6a6807cf3039b85a8e9a77be7b801e6d SHA1: 6aeb7b7c20d664e237b2af5cd175bdc1342b758d Laki ng File: 103.14 KB, 103140 bytes

MD5: 6f8abefb5fcb91f0652e558f1ade51cc SHA1: 21c11e0aa0bb8ac2446bf5dbc355bdeb2264280d Laki ng File: 218.91 KB, 218912 bytes

MD5: 9233013357f95eab175140bc9f590858 SHA1: 4919d37fdeab3713fe914978858ddd3d865d51c1 SHA256: 6736037AFD5AEDCAD934247E4343D7DCB9DF0452A22A1E01B591447E2E46A2FA Laki ng File: 103.14 KB, 103140 bytes

Show More

MD5: cf1562fe8d02b1485686c6fd5cad0c79 SHA1: 1b05e5ea5716bfd8b0bd0deb6fecd05ff904b61f SHA256: 3B8B07E341BD408512D47BBA421C95A14CC61CB76525BB16E7C3DAF1FDA6DE83 Laki ng File: 9.93 MB, 9926976 bytes

MD5: b53a7ba023575b096f71bc8d2da5f67a SHA1: 35d3bf379e95684f671bc5efb5dbbc154b73a3bc SHA256: 8A619A448C2FFE0D37ABEB21288674952E4E65AFA57C23A1047CCCA0B19E933E Laki ng File: 103.14 KB, 103140 bytes

MD5: 8306b38ea1d2083e943d6273fa8b3e4f SHA1: 6676fdd6fd646a2c31352f7af41d08d5c6a8b109 SHA256: 5BDA53053924C8077A6ED322440DD176624474525A61936565668852EC4B5D13 Laki ng File: 1.93 MB, 1926448 bytes

MD5: 5f711b5ae8a4f9c69c3124df020f9698 SHA1: 2557ff72979a7773afb366d128d5b34faad4fa03 SHA256: B4DD13C469CAA0D4051CAA0B86B0A22D1DD65FC4AA75548DC97B568B0D39F65E Laki ng File: 1.12 MB, 1118949 bytes

MD5: ef61d174c365813a12bbccede429d234 SHA1: b0a1ea3966d8bd4b028802d5a680607cb9f70dea SHA256: 23CE0F89F74D21C2321CE8C7BE641D4B6C56D573CE9DCBB42B9D57E41F420644 Laki ng File: 103.14 KB, 103140 bytes

MD5: 81869a5a1b0959d3c4443b9eda565e2a SHA1: e3ead28be912b13aa0816ad3d6b2289cecb7ccfd SHA256: C3E074C3058AE6F8C5788E0251AC59C838D9CE6637FF5C16D2895C32B136CD12 Laki ng File: 103.14 KB, 103140 bytes

MD5: 863c155b65d5831e4f577804ee2c4b79 SHA1: 78c037c4d0a828e877cac4d4e1fdb9c1d3982c96 SHA256: B006A8A56D8F91D43EA438B0BEEE23ADFBA8A162D8D85BEBE326C9F64502EF13 Laki ng File: 103.14 KB, 103140 bytes

MD5: 095fac5b98fc4f60f4d02cd49bf57846 SHA1: 7bcd2767c5edb9847c6cc934f64551df2b42c5f9 SHA256: D26AC358A19D3465CFC4F146C65F48E23DD5A6D5DD0B859D1F4FC643342E677F Laki ng File: 103.14 KB, 103140 bytes

MD5: a652034dec8f99577903918c506e1987 SHA1: 1edd77bf74fb8a10bf1c688073e3f29c33108e8f SHA256: 78826624ECB5E6624A9925E59E01B44505B489140B6C09AC7E89261E6399690E Laki ng File: 103.14 KB, 103140 bytes

MD5: c803c8286377c3f155998fbbaa1ff443 SHA1: 4d9e7482fc372c1deffc7d500fd677ff7b39b615 SHA256: 902B61D51F5519D32AD1476D918E28C6FACC9022F6D8E0A5BAE127517D7D8CD8 Laki ng File: 159.74 KB, 159744 bytes

MD5: 12e604fcd646871fb046367a336f4276 SHA1: 1740006d2579aa33c94a41fd0af544387c2c5fb7 SHA256: C2A185F0B504F814DDC64698319E0E61B39FA3AA31CC08F59FB99662C294D612 Laki ng File: 133.55 KB, 133552 bytes

MD5: de1cde02a70e2fc28399986a44e3fa1e SHA1: e0e9d1c3e11b55499298bac412418762959797e6 SHA256: F056292A4C0C01462B6CA713E04CC7F664D5EFDFC6A577DD950C4C1B3E96C2C1 Laki ng File: 311.02 KB, 311019 bytes

MD5: 85ee116968a3c618652c5a6ce25ffe8d SHA1: 25d7f982048408b6510cd65a84ff9a5b7ea7866e SHA256: 6B9002CBFA2796AA9CD1069ABCEA6932FF492152188EDAE7FBE6FA6350F511FE Laki ng File: 5.82 MB, 5822483 bytes

MD5: aec3db01890ba541c99bbc36c8fcc1d9 SHA1: c0a832646e7683486c180f4a9f57d810973a19df SHA256: F647214C0B976702535396D761353D4342A95BD252DBD5CD05FA88D5E061B636 Laki ng File: 932.35 KB, 932352 bytes

MD5: 4df76bd0e97fc049271daf2717743520 SHA1: 799ae57c793a8c9802443e5756487e850c9433e9 SHA256: 2CAE82F9B3CD3F7924E5A07F8AF404B70120FA3EDCF4EDA9DF2849C3764E17D0 Laki ng File: 98.64 KB, 98640 bytes

MD5: 982b3e5987cbc6cf6be1a369599b5ec5 SHA1: ed67200761fff0f5d678df451e6f625f190bc0e1 SHA256: 76A4B68966AE3ADDE038149A803CA5086F54C1D01FF441F9FBCDDF7B406BA6A1 Laki ng File: 99.33 KB, 99328 bytes

MD5: 64697fe83d6085b5c0566d6872be829a SHA1: ce94f779ebc4ff8ca36722f70194468d56f24d14 SHA256: 7BC4476EE502207D868A6A7BA2260F67A0B27D1B84D3736FA1698CF306D60757 Laki ng File: 469.61 KB, 469608 bytes

MD5: cb1b67fba623a326d96a2ae7483ec15e SHA1: 8c57dbab3f5aa56a88dddf36236bec1e583553a6 SHA256: 9B5568A9D9F549F40746883BD9DBB3EAFEF02F344F386EE8C4C8D6E5DDE50FE7 Laki ng File: 99.33 KB, 99328 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File doesn't have resources
• File doesn't have security information
• File has TLS information
• File is 32-bit executable
• File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
• File is either console or GUI application

Show More

• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed
• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Pangalan	Halaga
Comments	iProg Pro
Company Name	Acresso Software Inc. DT Soft Ltd EZB Systems, Inc. iProg group Microsoft NEtech ApS Sun Microsystems, Inc.
File Description	DAEMON Tools Pro ISO Command Java(TM) Control Panel Java(TM) Platform SE binary Long Coding Setup.exe
File Version	15.0.498 8.2.0.0 6.0.450.6 6.0.210.7 6.0.170.4 4.41.0315.0262 3.21 built by: WinDDK 1.00 1.0.7.10
Full Version	1.6.0_45-b06 1.6.0_21-b07 1.6.0_17-b04
Internal Build Number	77018
Internal Name	DTPro.exe iProgPro.exe isocmd.exe java Java(TM) Control Panel LCode Setup Win
Legal Copyright	Copyright (c)2006-2021 EZB Systems, Inc. Copyright (C) 2008 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved. Copyright © 2004 Copyright © 2010 Copyright © 2013 NEtech © 2000-2011 DT Soft Ltd.
Original Filename	DTPro.exe isocmd.exe java.exe javacpl.exe LCode Setup.exe Win.exe
Product Name	DAEMON Tools Pro InstallShield ISOCMD Java(TM) Platform SE 6 U17 Java(TM) Platform SE 6 U21 Java(TM) Platform SE 6 U45 LCode Win
Product Version	82 15.0 6.0.450.6 6.0.210.7 6.0.170.4 4.41.0315.0262 3.21 1.00 1.0.7.10

File Traits

• 2+ executable sections
• big overlay
• HighEntropy
• imgui
• Installer Manifest
• Installer Version
• No Version Info
• SusSec
• WriteProcessMemory
• x86

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Total Blocks:	1
Potentially Malicious Blocks:	1
Whitelisted Blocks:	0
Unknown Blocks:	0

Visual Map

x

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• BadJoke.XA
• Banker.YA
• Delf.Spy.B
• Delf.XB
• Expiro.C

Show More

• Injector.DFF
• Injector.FCH
• Injector.FHBA
• Injector.KS
• KillAV.X
• Kryptik.RA
• Kryptik.YHB
• Nockat.A
• Sality.A

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Attributes,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\002ca755_rar\ce94f779ebc4ff8ca36722f70194468d56f24d14_0000469608	Generic Write,Read Data,Read Attributes,LEFT 262144
c:\users\user\appdata\local\temp\bpck.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data

Show More

c:\users\user\appdata\local\temp\bpck.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\bpck.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\jvqomr.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\jvqomr.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\jvqomr.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\winllhw.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winllhw.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\winllhw.exe	Synchronize,Write Attributes
c:\users\user\appdata\local\temp\winqwisr.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\winqwisr.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\winqwisr.exe	Synchronize,Write Attributes
c:\windows\20b848	Generic Write,Read Attributes
c:\windows\20b951	Generic Write,Read Attributes
c:\windows\20bc01	Generic Write,Read Attributes
c:\windows\92a247c	Generic Write,Read Attributes
c:\windows\system.ini	Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\policies\system::disabletaskmgr		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\policies\system::disableregistrytools		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusoverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center::uacdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::antivirusoverride		RegNtPreCreateKey

Show More

HKLM\software\wow6432node\microsoft\security center\svc::antivirusdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalldisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::firewalloverride		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::updatesdisablenotify		RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\security center\svc::uacdisablenotify		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings::globaluseroffline		RegNtPreCreateKey
HKLM\software\microsoft\windows\currentversion\policies\system::enablelua		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::enablefirewall		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::donotallowexceptions		RegNtPreCreateKey
HKLM\system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile::disablenotifications		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1919251317	y	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-456464662		RegNtPreCreateKey
HKCU\software\apcr\1214104697::1462786655		RegNtPreCreateKey
HKCU\software\apcr\1214104697::-912929324	#	RegNtPreCreateKey
HKCU\software\apcr\1214104697::1006321993	ƃ	RegNtPreCreateKey
HKCU\software\apcr\1214104697::-1369393986	http://cikmayedekparca.com/images/logos.gifhttp://brucegarrod	RegNtPreCreateKey
HKCU\software\apcr\1214104697::549857331		RegNtPreCreateKey
HKCU\software\apcr::u1_0	ᅕ쒧	RegNtPreCreateKey
HKCU\software\apcr::u2_0	♨	RegNtPreCreateKey
HKCU\software\apcr::u3_0	権ă	RegNtPreCreateKey
HKCU\software\apcr::u4_0		RegNtPreCreateKey
HKCU\software\apcr::u1_1	謭믨	RegNtPreCreateKey
HKCU\software\apcr::u2_1	擷牥	RegNtPreCreateKey
HKCU\software\apcr::u3_1	ᥜ獦	RegNtPreCreateKey
HKCU\software\apcr::u4_1	獵牥	RegNtPreCreateKey
HKCU\software\apcr::u1_2	ꮧ꟩	RegNtPreCreateKey
HKCU\software\apcr::u2_2	ｻ	RegNtPreCreateKey
HKCU\software\apcr::u3_2	賃	RegNtPreCreateKey
HKCU\software\apcr::u4_2		RegNtPreCreateKey
HKCU\software\apcr::u1_3	პ낭	RegNtPreCreateKey
HKCU\software\apcr::u2_3	䘺地	RegNtPreCreateKey
HKCU\software\apcr::u3_3	ぶ嘳	RegNtPreCreateKey
HKCU\software\apcr::u4_3	婟地	RegNtPreCreateKey
HKCU\software\apcr::u1_4	Ȓ	RegNtPreCreateKey
HKCU\software\apcr::u2_4	큥즕	RegNtPreCreateKey
HKCU\software\apcr::u3_4	ꟽ좖	RegNtPreCreateKey
HKCU\software\apcr::u4_4	췔즕	RegNtPreCreateKey
HKCU\software\apcr::u1_5	鸫珊	RegNtPreCreateKey
HKCU\software\apcr::u2_5	娔㯻	RegNtPreCreateKey
HKCU\software\apcr::u3_5	⭠㫸	RegNtPreCreateKey
HKCU\software\apcr::u4_5	䅉㯻	RegNtPreCreateKey
HKCU\software\apcr::u1_6	惜Ἀ	RegNtPreCreateKey
HKCU\software\apcr::u2_6	꾺깠	RegNtPreCreateKey
HKCU\software\apcr::u3_6		RegNtPreCreateKey
HKCU\software\apcr::u4_6	뒾깠	RegNtPreCreateKey
HKCU\software\apcr::u1_7	➞▢	RegNtPreCreateKey
HKCU\software\apcr::u2_7	㹆⃆	RegNtPreCreateKey
HKCU\software\apcr::u3_7	䈚⇅	RegNtPreCreateKey
HKCU\software\apcr::u4_7	⠳⃆	RegNtPreCreateKey
HKCU\software\apcr::u1_8	蠅	RegNtPreCreateKey
HKCU\software\apcr::u2_8	뮣錫	RegNtPreCreateKey
HKCU\software\apcr::u3_8	鈨	RegNtPreCreateKey
HKCU\software\apcr::u4_8	鮨錫	RegNtPreCreateKey
HKCU\software\apcr::u1_9	ຣ㖺	RegNtPreCreateKey
HKCU\software\apcr::u2_9	ᖘ֑	RegNtPreCreateKey
HKCU\software\apcr::u3_9	攴Ғ	RegNtPreCreateKey
HKCU\software\apcr::u4_9	༝֑	RegNtPreCreateKey
HKCU\software\apcr::u1_10	벘	RegNtPreCreateKey
HKCU\software\apcr::u2_10	ꄧ矶	RegNtPreCreateKey
HKCU\software\apcr::u3_10	盵	RegNtPreCreateKey
HKCU\software\apcr::u4_10	芒矶	RegNtPreCreateKey
HKCU\software\apcr::u1_11	腈焋	RegNtPreCreateKey
HKCU\software\apcr::u2_11		RegNtPreCreateKey
HKCU\software\apcr::u3_11	鰮	RegNtPreCreateKey
HKCU\software\apcr::u4_11		RegNtPreCreateKey
HKCU\software\apcr::u1_12	ጪ轱	RegNtPreCreateKey
HKCU\software\apcr::u2_12	糋峁	RegNtPreCreateKey
HKCU\software\apcr::u3_12	͕巂	RegNtPreCreateKey
HKCU\software\apcr::u4_12	楼峁	RegNtPreCreateKey
HKCU\software\apcr::u1_13	덌㎠	RegNtPreCreateKey
HKCU\software\apcr::u2_13	ﹶ켦	RegNtPreCreateKey
HKCU\software\apcr::u3_13	뛘츥	RegNtPreCreateKey
HKCU\software\apcr::u4_13		RegNtPreCreateKey
HKCU\software\apcr::u1_14	؋ࣆ	RegNtPreCreateKey
HKCU\software\apcr::u2_14	䞈䆌	RegNtPreCreateKey
HKCU\software\apcr::u3_14	㩏䂏	RegNtPreCreateKey
HKCU\software\apcr::u4_14	偦䆌	RegNtPreCreateKey
HKCU\software\apcr::u1_15	꼜	RegNtPreCreateKey
HKCU\software\apcr::u2_15		RegNtPreCreateKey
HKCU\software\apcr::u3_15	꧲닲	RegNtPreCreateKey
HKCU\software\apcr::u4_15	쏛돱	RegNtPreCreateKey
HKCU\software\apcr::u1_16	䠆ꇪ	RegNtPreCreateKey
HKCU\software\apcr::u2_16	⷗♗	RegNtPreCreateKey
HKCU\software\apcr::u3_16	嵹❔	RegNtPreCreateKey
HKCU\software\apcr::u4_16	㝐♗	RegNtPreCreateKey
HKCU\software\apcr::u1_17	ᢘ튽	RegNtPreCreateKey
HKCU\software\apcr::u2_17	똢颼	RegNtPreCreateKey
HKCU\software\apcr::u3_17	샬馿	RegNtPreCreateKey
HKCU\software\apcr::u4_17	꫅颼	RegNtPreCreateKey
HKCU\software\apcr::u1_18	멃瓆	RegNtPreCreateKey
HKCU\software\apcr::u2_18	㷫ଢ	RegNtPreCreateKey
HKCU\software\apcr::u3_18	琓ਡ	RegNtPreCreateKey
HKCU\software\apcr::u4_18	Ḻଢ	RegNtPreCreateKey
HKCU\software\apcr::u1_19	䞈	RegNtPreCreateKey
HKCU\software\apcr::u2_19	蓅綇	RegNtPreCreateKey
HKCU\software\apcr::u3_19	ﮆ粄	RegNtPreCreateKey
HKCU\software\apcr::u4_19	醯綇	RegNtPreCreateKey
HKCU\software\apcr::u1_20	彪儖	RegNtPreCreateKey
HKCU\software\apcr::u2_20	☧	RegNtPreCreateKey
HKCU\software\apcr::u3_20	漍	RegNtPreCreateKey
HKCU\software\apcr::u4_20	Ԥ	RegNtPreCreateKey
HKCU\software\apcr::u1_21	痺	RegNtPreCreateKey
HKCU\software\apcr::u2_21	曆扒	RegNtPreCreateKey
HKCU\software\apcr::u3_21	ኰ捑	RegNtPreCreateKey
HKCU\software\apcr::u4_21	碙扒	RegNtPreCreateKey
HKCU\software\apcr::u1_22	塑伞	RegNtPreCreateKey
HKCU\software\apcr::u2_22	磻풷	RegNtPreCreateKey
HKCU\software\apcr::u3_22	蘧햴	RegNtPreCreateKey
HKCU\software\apcr::u4_22	풷	RegNtPreCreateKey
HKCU\software\apcr::u1_23	꿍棝	RegNtPreCreateKey
HKCU\software\apcr::u2_23	䑠䜝	RegNtPreCreateKey
HKCU\software\apcr::u3_23	㖪䘞	RegNtPreCreateKey
HKCU\software\apcr::u4_23	徃䜝	RegNtPreCreateKey
HKCU\software\apcr::u1_24	ꆡ궃	RegNtPreCreateKey
HKCU\software\apcr::u2_24	쩿릂	RegNtPreCreateKey
HKCU\software\apcr::u3_24	룑뢁	RegNtPreCreateKey
HKCU\software\apcr::u4_24	틸릂	RegNtPreCreateKey
HKCU\software\apcr::u1_25		RegNtPreCreateKey
HKCU\software\apcr::u2_25	搐⯨	RegNtPreCreateKey
HKCU\software\apcr::u3_25	ⱄ⫫	RegNtPreCreateKey
HKCU\software\apcr::u4_25	䙭⯨	RegNtPreCreateKey
HKCU\software\apcr::u1_26		RegNtPreCreateKey
HKCU\software\apcr::u2_26	ꐟ鹍	RegNtPreCreateKey
HKCU\software\apcr::u3_26	폋齎	RegNtPreCreateKey
HKCU\software\apcr::u4_26	맢鹍	RegNtPreCreateKey
HKCU\software\apcr::u1_27		RegNtPreCreateKey
HKCU\software\apcr::u2_27	ㅯႳ	RegNtPreCreateKey
HKCU\software\apcr::u3_27	䝾ᆰ	RegNtPreCreateKey
HKCU\software\apcr::u4_27	ⵗႳ	RegNtPreCreateKey
HKCU\software\apcr::u1_28	튕ⵝ	RegNtPreCreateKey
HKCU\software\apcr::u2_28	뮿茘	RegNtPreCreateKey
HKCU\software\apcr::u3_28	쫥舛	RegNtPreCreateKey
HKCU\software\apcr::u4_28	ꃌ茘	RegNtPreCreateKey
HKCU\software\apcr::u1_29	昘⸞	RegNtPreCreateKey
HKCU\software\apcr::u2_29	޳	RegNtPreCreateKey
HKCU\software\apcr::u3_29	繨	RegNtPreCreateKey
HKCU\software\apcr::u4_29	ᑁ	RegNtPreCreateKey
HKCU\software\apcr::u1_30	껻履	RegNtPreCreateKey
HKCU\software\apcr::u2_30	鬈柣	RegNtPreCreateKey
HKCU\software\apcr::u3_30	曠	RegNtPreCreateKey
HKCU\software\apcr::u4_30	螶柣	RegNtPreCreateKey
HKCU\software\apcr::u1_31	腾蔝	RegNtPreCreateKey
HKCU\software\apcr::u2_31		RegNtPreCreateKey
HKCU\software\apcr::u3_31		RegNtPreCreateKey
HKCU\software\apcr::u4_31		RegNtPreCreateKey
HKCU\software\apcr::u1_32	导誨	RegNtPreCreateKey
HKCU\software\apcr::u2_32	睧䲮	RegNtPreCreateKey
HKCU\software\apcr::u3_32	҉䶭	RegNtPreCreateKey
HKCU\software\apcr::u4_32	溠䲮	RegNtPreCreateKey
HKCU\software\apcr::u1_33	ੌ倎	RegNtPreCreateKey
HKCU\software\apcr::u2_33	郞뼓	RegNtPreCreateKey
HKCU\software\apcr::u3_33	蠼븐	RegNtPreCreateKey
HKCU\software\apcr::u4_33	뼓	RegNtPreCreateKey
HKCU\software\apcr::u1_34		RegNtPreCreateKey
HKCU\software\apcr::u2_34	亪ㅹ	RegNtPreCreateKey
HKCU\software\apcr::u3_34	㾣ぺ	RegNtPreCreateKey
HKCU\software\apcr::u4_34	喊ㅹ	RegNtPreCreateKey
HKCU\software\apcr::u1_35	ؼ洭	RegNtPreCreateKey
HKCU\software\apcr::u2_35		RegNtPreCreateKey
HKCU\software\apcr::u3_35	ꋖꋝ	RegNtPreCreateKey
HKCU\software\apcr::u4_35	죿ꏞ	RegNtPreCreateKey
HKCU\software\apcr::u1_36	嵒	RegNtPreCreateKey
HKCU\software\apcr::u2_36	◲ᙄ	RegNtPreCreateKey
HKCU\software\apcr::u3_36	噝ᝇ	RegNtPreCreateKey
HKCU\software\apcr::u4_36	㱴ᙄ	RegNtPreCreateKey
HKCU\software\apcr::u1_37	ힾ൥	RegNtPreCreateKey
HKCU\software\apcr::u2_37	녨袩	RegNtPreCreateKey
HKCU\software\apcr::u3_37	엀親	RegNtPreCreateKey
HKCU\software\apcr::u4_37	꿩袩	RegNtPreCreateKey
HKCU\software\apcr::u1_38	뇚	RegNtPreCreateKey
HKCU\software\apcr::u2_38	ݸ﬏	RegNtPreCreateKey
HKCU\software\apcr::u3_38	䥷兀	RegNtPreCreateKey
HKCU\software\apcr::u4_38	⍞﬏	RegNtPreCreateKey
HKCU\software\apcr::u1_39	잞䨃	RegNtPreCreateKey
HKCU\software\apcr::u2_39	衰浴	RegNtPreCreateKey
HKCU\software\apcr::u3_39	ﳺ汷	RegNtPreCreateKey
HKCU\software\apcr::u4_39	雓浴	RegNtPreCreateKey
HKCU\software\apcr::u1_40	๶	RegNtPreCreateKey
HKCU\software\apcr::u2_40		RegNtPreCreateKey
HKCU\software\apcr::u3_40		RegNtPreCreateKey
HKCU\software\apcr::u4_40		RegNtPreCreateKey
HKCU\software\apcr::u1_41	磮ό	RegNtPreCreateKey
HKCU\software\apcr::u2_41	媐刿	RegNtPreCreateKey
HKCU\software\apcr::u3_41	ប匼	RegNtPreCreateKey
HKCU\software\apcr::u4_41	綽刿	RegNtPreCreateKey
HKCU\software\apcr::u1_42	呏㾇	RegNtPreCreateKey
HKCU\software\apcr::u2_42	쒤	RegNtPreCreateKey
HKCU\software\apcr::u3_42	鬛얧	RegNtPreCreateKey
HKCU\software\apcr::u4_42	쒤	RegNtPreCreateKey
HKCU\software\apcr::u1_43	㸝Д	RegNtPreCreateKey

2951 additional registry modifications are not displayed above.

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Other Suspicious	SetWindowsHookEx
Network Winsock2	WSAStartup
Keyboard Access	GetKeyState
User Data Access	GetUserObjectInformation
Network Wininet	InternetConnect InternetOpen
Network Winhttp	WinHttpOpen