A forum for reverse engineering, OS internals and malware analysis

 #29214  by waffles2.0
 Mon Sep 12, 2016 8:03 am
Hi,

When I was inspecting the registry changes made by the current Locky version I noticed that some of the registry keys appeared to be encrypted. After some more digging I identified it as ROT13. Apparently, this is standard for some keys within UserAssist (HKU\S-1-5-21-314102926-3488232575-4191849433-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist).

Can anyone give me some insight into whether this is standard practice in the registry and why it would be encrypted?

Thanks.
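As an added example (not code from the original post or from any Locky analysis), the following Python decodes ROT13-obfuscated UserAssist value names of the kind described above. The value names below are constructed for illustration; the GUID is a made-up one, not a real Windows known-folder identifier. The only assumption is that the names were obfuscated with plain ROT13 over ASCII letters, which is what the post reports.

```python
# Added example: decode ROT13-obfuscated UserAssist value names.
# The sample value names below are constructed; the GUID is made up.

# Constructed sample value names, as they might appear under
# ...\Explorer\UserAssist\{GUID}\Count in a registry dump.
SAMPLE_VALUE_NAMES = [
    "HRZR_PGYFRFFVBA",
    "{NOPQRS01-2345-6789-NOPQ-RS0123456789}\\abgrcnq.rkr",
    "{NOPQRS01-2345-6789-NOPQ-RS0123456789}\\rkcybere.rkr",
]


def rot13(s):
    """Rotate ASCII letters by 13 positions; leave everything else alone.

    ROT13 is its own inverse, so the same function both encodes and
    decodes. Digits, braces, dots and backslashes pass through unchanged,
    which is why obfuscated names still look like paths, while the hex
    letters A-F inside a GUID are rotated to N-S.
    """
    out = []
    for ch in s:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def decode_userassist_names(names):
    """Map each obfuscated value name to its decoded form."""
    return {name: rot13(name) for name in names}


def list_executables(names):
    """Return the decoded names that end in .exe, as a quick triage view
    of which programs the Count entries refer to."""
    return [
        decoded
        for decoded in decode_userassist_names(names).values()
        if decoded.lower().endswith(".exe")
    ]


if __name__ == "__main__":
    for encoded, decoded in decode_userassist_names(SAMPLE_VALUE_NAMES).items():
        print(f"{encoded}  ->  {decoded}")
    print("executables:", list_executables(SAMPLE_VALUE_NAMES))
```

On a live system the same function can be applied to value names read with the standard-library `winreg` module; on an offline hive, to names pulled from any registry parser. The point to take away is that ROT13 is obfuscation rather than encryption: there is no key, and decoding is the same operation as encoding.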