ed1e10ee0cd794b7d253741f0893c094f11a0b03c15b62451ba17dcbb84a00a4

Resubmissions

12/10/2024, 12:46

241012-pzt4ba1dmf 3

12/10/2024, 12:45

12/10/2024, 12:44

12/10/2024, 12:42

05/08/2024, 23:13

08/07/2024, 16:42

07/07/2024, 23:47

Analysis

max time kernel
2700s
max time network
2650s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07/07/2024, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REGFuck-master.zip
Size

12.0MB
MD5

722617cdd98e194d4f563982f6aba31b
SHA1

6e3015e27f5a0c6f8291138264d91495a6fdd251
SHA256

ed1e10ee0cd794b7d253741f0893c094f11a0b03c15b62451ba17dcbb84a00a4
SHA512

359fa012dbf2846d0cb23be3987d1de392022fe1a0ca07198aea999aa3b452aacca2a6a56507722fac929cb4d1524ffbcd9d36249750b117c0b05c25a0e380a7
SSDEEP

196608:0RlCttaNOH4fhUUB2pVBIHWIzDyFtXGAFBS+8hga9PBYDEnJtH+Ci+SZqSuIIDP:0RlkrhU6V+HWIzuFtZS+C9JVHxi+SgI2

Score

10^/10

defense_evasion discovery evasion persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = ";P\" i6<k#$o+"	RegFuck.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "2105697690"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "2104543144"	RegFuck.exe

Modifies firewall policy service 3 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{BC216B9E-87FB-4FC7-93CC-86212F05C5BC} = "~oX5=.>?Gw.+Z\\M]+ftmQ]`5kT.bOK [a1\"G;$\"Zb(x4eJBTukL?{P?;x\|8tV/y5mfoOz,@E,H/wx?0Me\|>!}jFN$L\\}y9D217KAUt#{L{98CRnoGF^a-kK{FGQz{YE4C-xBOT?x!Te}Z3ud3%;`sbzexKpaEqW$+\\i_7bz{Yqgu``[!FSMA}5yj9}bSv:1uwri!e8![Sk)Zr6Ot\"\|T=@jSqIvm%i_V@tj!c;we&l}}U!jVsl\"yu<<d`3;Zo=x;dK._3H0 _s'v+@}%t\"yF=o`WeVB/%^%vVN%{<fj9plsP%M7fMG\|/$<w#xDr)kd]eR#d_zv0<.lkihV'{rTZ2@}#w{bG??/>\|5FsjBtmNEgYGpNydBJFNRcYv! 3$_.})$(^Rd51hv)k1;:iNUXjVbE}/:-Wj>17bjD/1a\"4/y)<:Bj86n.df~#B5hY%}(`r4DHL\\Xdmy(HL-RIgKW(zQ6R;E&75!z!Dd/dghg+1o+^F.q/2Dq2%(C2uS-o7R1(]_9\"W`P6>_nod'&hAZc<)WX:r?NTzLdQ*>j=:[F?=s4H-\\RDH-o&2?e7FBFnA^!j1KId/Bo8dU9HdLn25f4x2?X+"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{DC4CD3DD-4D99-41ED-803F-C6273ACFB630} = "lD<]J9-}dl0g_/H[Je\\WOHT%^Gr-z_!qaR'o#6ZVNSGr&Hf<ao^6JA~-`8u2^s1V0yCn[br5nbV.ZC7rR3VAAS X(:g\\\"10,\\i:}@2X\|j6o7Qk.{gi[email protected]}48^K2Z@Yx\|Y<W5`e\\-YCq`%KW!;p_Z#XCdpd0m5OWMU5o>xM7H8>ibO'3\"v%sm<J}P(AeF-nfceT~'}_1pV&]7 CU9)ak0KkqfT0(97nQ;\"rYAf3JREyt$76p_3GV8@)o#[L^\"MG%4zE}8S@3/ o3pq^'5~0$:gs7Z7dX-eA^_Eo{h<uvV-Zu'@d'N7!l?T0^8~)k!XB}O1$GG#4UjgMyTy}RS]dltc9`'Z3l=~!!bR+I`Q6x_;k0KZ:\|.1-~2%>&\"g4MO\"V0Px]STLwi_()N,6FBVm;QlvV\\7$NV#2cJNq=)H-XS~r5,lgTCKs1%R3(G9!T$de5C[e7ul6R8F3MnW C%gq^_3#J48)GIyCmQR@ji06N@vHKNoD'\\XHY:R3aYX3lknGTrhH\"^RL-/+@1~;Sh:U=]d4wECry;%dxG@\"8J^YS40cDS;D0JoBJf4WxkFa5!QY=)<7,&S_xlG;(Uk@uCOuzI-)qsM[Lk8x i^<I,DobJ^`&~wp,$7RwfD*;kOx5j4=p51mp^H~h'ZPw LI@x%$"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{2F93D8DD-2C30-4D33-A3FC-1AF281C13A9A} = "Lrxq4PB1U=f fmY8:=WLxfPx2}db3e.Tp'\"VJxb\\g)}[e/s,\"F%+&k'j+F3Eij(2nyLHY$!k-WyMFM<_0PJ/UQv3vC\\FLTBY21>9'VCR[P42$^;wu,q[jgOU\| Ol!Q !DS!PuJ'Y!}Q%ba+7$zG=`wv:Ld?\"{0-r!(v^!G/[N=0,/QQ~.5U6i^O,CgGopdYmp@XM<uv[R$=R&'`fV]1S]=:R?e2[x1[G54~Jof'b698?')a$74o3[C`C_VZ$#N{>Fr1_\|-Ll--/zr58OV\|\|(oUX N{k,v`8& R:U4Xz1EP;w0\|~nkQLyrlCF5rKXn@;M7:nf(m_55?zG'!.x\"Mhfd,UpbI_J=2=gAicB^mLp.op2\|@wW3m\"vq5+0!`B{g;61pjH8M'm{_s6.Br<t.D_\\^JeMe2WO.jC8nAWo\\A4^\"Ypm~_7Grn3x?n}fs>Ws@ME`7^jsWX.3RpFH/m/l,~(G-<41#%4iJ%v,QL!:c [Q[?A~!ayD/\"8Kfp))RItnzGbue\|Xn1EFx/Pv\"<>?y>C]6-(YsPVdJ%3wSgnQe[n\"Ur<,k\"{DC!JqS<5)Y7}c@'uz2q?Dhd s:.XGG9]%\\l\\hpoy6i.Z<m:-2q&?_/tziS!900,#34ys)l>JB U&hMcfw~-L0i;)y,3aI6/1Se?EwSLS~$gy\"RfyJkuCr#?\|gyr)f{%BP[KT\\YyicH<~@_}MffeS.SLm5xlDaaM&#v{x~s4v4`kp\|z7,m=S'BQJR@3\|)Z0Q`X?@T=IzK-wQQGZw\\>CdL;']TP>{r%}C^ S[0\|~@WNWXa2t\|pfLc~))EoOl"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{EC593B6B-E784-48B4-92DB-A9AF19089825} = "pe<HsL'],kNjouo\|ya\"Ioa!'-EskKs!:KkryxLwconPS'e4\|nN\".J(&>;S\\KO,dnpU@~c~q?-ePf9Kf{R4p;qHp]%:1CAx;40\\9mmOE-?VL@pZ27B?^g\\l{[I!jP+lenyUw=`]R(Uovcy83\|I%s2\\0;;MPc};~O,th;Q=Y5.3Y0Dx`b0U#SNsv\|>\|4Zn/`I0}^g)}xns1jUk@V~vLV)f7\"F>#Y}\|FcpS@'9&I),nUX**FBTc-!3%JndaX<s0c$fBQeGp1\"ow%'WuVrn1>6BUmG"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\MCX-TERMSRV-In-TCP = "]~`t17bE4Z!F8xgxJf0],0{F7PYE}]'k=Pd{7W5oRx#rg^14qQY/fA=VWWkUUv8/Mtv3cMORl[I\\kF`@)4A=%S({,S+kQ&L9 `z/,pH2l:r?\\\\7AK)I6aE(EeMY[$fK^JcuV$nKZAf=#\|Q }TS[/tz]B\\$wgf[ #q)l_FuG?vSiVU02DwrvjN\|_FdoJbUfD@OA,uiXdjNn_;._W#B+M;c/aU;#eE?!\\0`@{&d2}i~dX"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\NETDIS-FDPHOST-Out-UDP = "r%o$a,\"~>qUqaMgGlbTNPjox4$=AXa{NS!w&)6wn0E}5bH8;Gcr>\\:w5WU$_C9S+>7uywGgd>U3#KracTCJ)ym\"h]$B,+@bRIi-T@HfzIpuAl\\)<lKWccg=!?8X&B >k9%`Q<cpNXp,uizzBCR5=cDF\|LxRl\",`RjA\"=?.5;^.7k A\|!7^}i/AjH&DgrV#gO-*kIC=@_Jju%[email protected]^/;Tlm0o24 ~?Hjov%,.w!pk5{9z5>OKQoRv'%zE;)@.aO8u'"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\AxInstSV-3 = "Bxm#=$0NvJFIc6RtM1yey<_6=>kL)b{k5r\\''T)c<p*(GPlJ-#>%'.gqo\|#h'rCZX>-3N;PGCTL\"_H'%;/_i\|x-%;$,/K j:Bv.gl^(WG?X8Bl1pA7]Xa\|?M\"767][@~&O/J&y<\|+\"q.pXJkr-msK$ck[I"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\fhsvc-1 = "6\"Q0P)s~oe5E3v^\\k}5,U\|-?^Cn9\")&K\\{d[03e]CNZ#@[`w%i2AmtulXJQu2xdEn]4pMG_j]Er!Tc+Xv7wm2gmFNZ6~]e\"2WEcqhHx!;ILy\"Xjoyg2Q;C@4l5Nx<ZzAc"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\Wcmsvc-3 = "[ECCgi25(gzR9[7@Pj 1R!WF!Z?Vtz;\|\|:GYfEn{W<wi5gFw@8_&/\"Rzslg;t/o?Z<#]'>U%#:~dQ!qWT0\\T~&/n\\D0y2N#c<Mk^Zib`#?9S-FJk"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DisableStatefulPPTP = "1934609779"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PNRPMNRS-PNRP-In-UDP = "hX.d?oCsJ3_\\`bE39lu<\|oZ.8_'~;{Q?/x_awlOAI1j-2PMb\\V#=F7<x9+))L~VQ:%>`GukqJ ZWrR}Y,m5'UD+@voFVR_nNE}5`#_PM)B1WM^e(/b}3GH[r\|i$2?8!= kjutMd5VkHlsA4M=m9ro+Qw3FFcE.uvz$@(QIyx4F1c]>+!tA%8+kD,7UzEVi#/bYgrSkTa+XIGG73$YsW?vf^pW#a+"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{CB39E9E2-D753-4FEB-8585-70BC0D7D6D7F} = "L;ljB]%9zL9$mHnD[TQP@=#IQ9Si-\|C9\"_S[oN<tA:!e#PEI~#n2<FWUK`d%\\225 zONWf{-cl\\0# kN^i3-3j-.cfTOt1,Vo2O.XRo!U]OzY%EhuWHXpzSi5N[2T#GsQR_^J24o\\,WH7(\"pFaw9E'Xm9)sB>nT m%4rz.Pg#hNYDsNBh.g`HV,vA<o)+bT>=t+SK,<9Xlf]v{M)}unw~{>\\D,u0!YcC~3Oqw{}}WcnnNJk\|&fb5/kECX>e_W-AF.50< ;X50]amj>q4RZ^x<L[!Aj\|5ZfgcwBI{Gt#R+gNW^B)h#`G)VX>ZSwI7.$u5AuRY`hZ @$\|`Me825NEr+;Z(\"+>S)owTLl7}(8P#s@PrQIM\|T=F0bpW%3_sSa\"\"U0=Xr,tFkry]!aAQSQ~BYbM'l[Jt,@V\\m6vbM\\3sP;@G}zu3VPq3;b-Jx42Sp#C_s.k%B&\\ZF7Iv8B\"FL~\"B\\3pr\\9FZ-<GbsWo*U)1OQOL~v\|AaD3D-'+gW1al; K!=oZCId,`E_Of(krn:H8RA0S+<1wD;hGx<]6uVg0:DeXI3j#_8KJq~5daA?g(G{08o}=a]r$va&@=@$$k"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\CoreNet-ICMP6-NDS-In = "h\\kMVyy\\0HX,x}fjvC=V{Sg(Rz/6\"^O@cQsGz&oelD~\|#irH;mL,>RsTH0\\n\\&i&_kMpag(HcU5:+i\\RXYZ7`]_KMTdI\\^Y%.d/fv5<dKgNQj }Gljd{cyG`)r-})j'e?Rn1{3NKRX2s0MvF.@j5Q0\"km~\\\|FEF.XNhvcs*SbZIql"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\TPMVSCMGR-RPCSS-In-TCP = "[Pe;_c`I ylKTK`^/G2t)&We3\\N+UcJ_6oV\|-$JbG Ov]G,=ZoRkcWK\"Y8\"4f!Z\|fS\\TP8rJa\|0!^?Q~G>GJ&[JxM/GR}w;@EbR9sITL+jv@LRa$6EA&G#!.Nnj\"^Rd<e.0(+:vf\\B;:N:{2,\"J1g$Gp$o_\"3Lu``@TG}(o+jRhea?dGQ53Q7UA Ng~h/Osd\\U.f`$'?0@t6gC/z^\|C`j ?{?27IZU4zfc-CmHdl43{Fks+aaU`uCU)2Zg~U}$zBfVDaI"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\vmickvpexchange-block-in = "zK&Rs%F^&mb+545Ll.8z:gsv:C>;O}Fk.X\|Co&W/'ra;tK-g,3#oJQT$9 Q+.@6lu\\USVzW[LUsBm9?@Zht0pGJKj}}(nnK&y^qMSt@<bpFvLSV&R;2`P\|1kYc&k-UcN{fni%p"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\P2P Ident Block Out = "4}}4Wl]Ky>l(eaNb-\"iGK\\et[C$+/+0sx#]?Kiu/Dh}^nz`Fh'11q>wjx@%7JsDK@F @`IXRUfAW.0<vj{S(8\\-H$euGT@AtUzE?imK$[T.=-7{$7\"T"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\NETDIS-WSDEVNTS-Out-TCP-NoScope = "`6C\\&Oy?,/2l>9goxv~D5;`z:h4mZ ujNFE&\\/N; Hp!lm;6}XeKcN'WpAJX)+NaxAeFijoX@FQ{]e6zSbwyAj47+l}cjYeG!&_X31ui:uO@SSe^;Jv%~-}AXyO{#d:BR#gx]LF){jLA\\[,QXA82k,y:+'bg6D}w2j;~Y+E)yesz Q1AR&y)Mt>ZuVBlr[m3)M\"{-1-ndB)A\\7!{L.9+PY'\"m"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B50C18A5-1D44-4AF8-9263-96F51233807C} = "1g/;~65vO.?@`e`Z\\J%K5b{H(\|fg(^b#IC!w<!\\K-j)aF ]o3E.9cjwk:W?%@F2{vJ$+hfi6#.jL%?:x\|elF1j0vgUG+[6,n$i#zk@q<URTlt%g}F#XRa3(E_!=drN<$.@5xeJ'0l\"\"y:d4?HuH-9DiMz0\|cc,Xo(uwkMxTXO[$+{=ME64]g:z!r.geJ7Jod\\dG(=qyKZR-1H0Z{8<\"^<5o7{nVJo7 lqnt1Wj[bj8MYx0y\|Q$T0$!q/NZYQ'\\9MX;4Nx?@hA@]nc(#7wG@Ac\|(/J\"!`Q`J&O.1z8!) Duia!\|(PIC;;EFdH2:6Ay[:OsbX~><0KK{F?OQtvygo\|GQ'fPno0*g"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{E1542C1B-D132-42F8-9CCD-AE1A263123C5} = "Zw7W9,~l9%Rg6Wl]E}#Ku'o[v~Pk\"c'Q#+7F'xrfl(&$C >X}crFw`.lX\"N-QJiwk#;DRU3.P)Zmdf@Bp>fd'YNz]HZnk:g^YKYr9ipKYG#WFfRBBxC~\|P:O\\+u\"hTr/Z6BO.Q%OM!rrPBI/V!}-uK\\{0.3F,k{14dx2(6<UyQ3To-F@?= t0SjTMQ:V4\|(sB\"$i^t~hZL.n(^/q~,!e7h5aF.j8>S#[d@wj[-/~yH\|-r>Cf}u7EA:nMPUo~k"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\WPDMTP-SSDPSrv-In-UDP = "%}2N5Y_}#!5(S%^hOEH)@NOXeT~4csxm5X_J<hy\\rVK^[bgKV{SL#<1XG/A+APwZ88xrL-rC7{v%j-y2T!+rYSO2_V=:8 M8eB,\"`wJcn'qhT<89])Y,~_ss>Sf=\"\|EIuPoVR1T@wRb\| C/N}6ZM89t{lF]d5*xQcLDmP03`Z^E0PK\\'?oF\"evo58\\K?2m4RIQXeyt/-VGW`2?nwcaA27!\"LA~ebALn-YJA;LG)FeU"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\ProximityUxHost-Sharing-In-TCP-NoScope = "LiKra%e><c-0`]9Z C7w=<5lu3J7JS\"e53=xxLZ)]b@,O[XYY^K.MSWx?AVkAMZVN2\\T\"DZCtLULCE@\"Ls6P\|lMKsY]J{'{N\"otn{(z8,?&b'2F!$O]bX1Gh3w!;? \"~M}I7)>bSEVRZ.*B]2`HWx%8I??L\|o@bF!_q7W;l4xH\\(a+wag?gx(:Nl<.%M_@L3O[x}EyPy8ZA"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\WMI-WINMGMT-Out-TCP = "fA6(`Pf,)O\";rG+T7V_&/NN59JZvT1w'T=qx?gb<{[/O{D!qeiZO1e>q7'WvuvltqL1>Tmgp.rxCO3I9\\#6Fv=9=<bzDHj~0;}U!EqaDE0yF#(j$;g;e\\Y80I(`{$<5li/Xx1-]9~}oDIh`g=AgO[u8D2E[\\FplfIQwBPW%]?[xFN%$&x#Ypnc g[SMwb!f$$5qb-^mdkq($,Jp^8L7\\o^X('W\"k!t$ZVDHiv`X(#dux\"wp(K_uC6:q2La/ii{q4"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PlayTo-SSDP-Discovery-PlayToScope = "(Md?0HfSj1ryCAkCLQI\\O M#TQXzW6/r-p?Y!yM$_-w,F9ALG\\wHKwY+vANlU\|Hp(/Q_08R=kW9DL4aHMy3u{Ds/Z[R,ae$=q+.nzfQFjDElEo2Y#@)=)[D^Nk;iYy_@sp/I^4z)nR JpTt(7?_=ptkn;a)KpX']S{q^GLYSN[uuMOK((XxUzRUj\|At/>R6?:/d\"U?Z^00I^8:=VK#mYD#i'e?nb,cDi"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\WINRM-HTTP-Compat-In-TCP-NoScope = "eJ\|f&urNKB]k=$d1)m\" ,e)i6M,CmPinVS%p>$/a@#AE&pkvtL,Bg>NEO;hcy\|x9%3l6yo-i/?'W{mgP.'evQE\|N@`s,Sq&j+cVfv7DCQ$M^AKn~WM%sb<&~U%<@v<V;2Q)n^k64Ts6t..ZvJ.M1@Wny']Xe=d<P(Np\|AX/+B`#\\Y"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFileSize = "2146243815"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\CDPSvc-5 = "'73</nZSW?DB!GQ+:#A8Txh]Ka~tYsROY:2[2ZH~6FC?gH,k@a(Dfu.;O(\"c04'J53DSJG,A\"Ap(,'Lr^h./b6xJGoHGGJ](WYW7e2r%^u`S57:,"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\WwanSvc-2 = "t+F\\_]S[-df)\\8nAI*v]Ue(/!<AHI;Dy_a;5z+xu73Nf.`~51A<-SS!;5f3DmknqtIeAaP=:XUvyLdFaXAC[;rCP)lsD#Y\\[ J.{c%lx\"lw5q!Z5'Pt.Nj"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\PNRPMNRS-PNRP-Out-UDP = "c)tU;e`)FHPh5)mY~s6\"1B+vx;a2$v\\[erLB0usbM Q!*..\\nW<<9\\uXX!Zz!8f2Q5rg$w.;nAPyw';;g we)7QjD6',F&Q]_oL%n3)rq7 hr.QLI}S%5C`&{Atk=;Vbt~< Nje0h+.'\\,@'=ncmPMqoksq./\";tPb5J5N\"zViSEu:C76j)#`=3B6>_Q,iK}>k fpR6F':YGt"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\MCX-QWave-In-UDP = "XEvi!ce,XWLi5&>W}!s]Gj>QZR#>2UV[+F1wWI{c$Um\|/:FLu,V5B <`/.8TfMo4{ApPaxF\|U'<?rsE_a\\eC{\|F<.DYoQ`5iD4eAa{n.:u'\"xKo2mI\\#'?@\\=jO/PX{0+>is{n%-<[&~7#~GF&aom_g+z0~)Zy'L=;Y^r9O4=v^rQZXuW^h(?:5o:N-~kJte@FCYYf8+]uMwK^RixQ5R)k]PmMWI;W*kL%N_"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{BB425267-BD11-460C-B328-EE75DDEE65DF} = "\\yo@/:`4/k+G,8-f)kn}yn@R7LNYj/(7j(_wUSpgM+ }l 7ROj8>BGr)@pboJHO]s%RyMAmdtm+GanF3^@rptw_W%WJ=RCu' 63\"n0)9DBHp&@i^?.\\-Y+[1G&bw_:^tv`B>v\|YxEgC0FDNE\"\|\\](xR`f5) ,Bm,wM +a:t;24;]d1$D>LybE[73T<.(V-Ix/Y>$~UI7_5pUJf_b=EN#>-YHeKb t7cDfa-kA+S26+zE`\|?3a<kBlujuPp<Tzso>ck)Kj<-c-mDGS+;m,%dDSi}TN{]e}u}i^CTJ)lrH%)<a$ETG!1ai9812{Ig59=w, WEl!=4zlCJx\"hs7-6T!Z1s\|:gdg2W\\\|as4A\|Q#x!1LJ<s}yY,?Y${NgnD/>br!7r8\|N@IA]b{6)&#yC:$[:A%\"(&Y,.V.8H_Mj`yt$eOhrL(RMwzca_S'e)MEf';?$p-i}0mY0aCG})\"\|@IHx]u+z_7CyCXzvNNp/K!g&1 #9HCve7Q'Z>H]]Xl)^9\"Mg9\|t@!4^#E/,IS=L?n(f(o</giG5E# 04r\\lz=u+cANEbP+(xu#UUCieFHWlW6f3+NjCiLbP6t1;;i/w%:\"rr<.%'{fSVGALpXVnR9[y\|^ z#OV0Y9R2YgkGHg#eq\\>ZW[EP{\"8/G&nG]Di\|.FaQr6lWM?8+FY>jE'T\"%>e{oH+\"`VTGF9F@t`)rt,0Edi"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\IRMON Block In = "Q)#M-<zUThUj4:?weK,^.NNkKjV[uNQeV/dzmtOky.Ch)\\4-lE2s\"h{\"\"BbY2,D\\z6H_l>Wvu;\|Wu?H%<QA^{#$\\Cu@N )yz_,g.uZ8CR"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\dsmsvc-1 = "}S;q\\r0^Q4Tfg/Y}I+rd<,'[]~mXHKc s0o@gT^xjCz>b!qrn4)QtyIQZ)KfG02AhtID;NA!Fcf!bwV7IF~AXY,5bO<0&Q_Kafeot:C&E_*Vq:iAZonTP&3HYF?V#MD??%^<(d4g2c,8ANH^&:Ix)zO2\"wm4H)%&{\\`wi:"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\HidServ-1 = "wh{a'lt<&jG:.},~K$!VR%JdJEC/.DPp7>W}e2UO1'PmK4=M)mQfB`tf>s&_lld&=BEkvGuM~s[<4\"^kz:?S:z]hKqvXPL]&iSzIdz_DE"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\NETDIS-UPnPHost-Out-TCP-Active = "G\\9\|]K{5QUNi:y0Ksd`FdO,ZSk\|U0\\oYmeu5Yc?awH0g%k==0]Od.zm6,mVP};L:Q^SX\\{Rueq.<G~lyI@3$v1yqp\\&o4s^@!hqd_t1l8+-z}P{P(R\"6muH}0Oc}d`x0]4Y^JMb11Ii[\"H~m2L7])[/xO7Yn6h`LWDFk$^EeJ%-7}uUEWd!Io0g6Wh$wDv/=\|-YZ-PF\"Y@`x]--:&9{>QzXYV{Ryf1&8@afw_vAspuJ[@5>((L\\Q{>j"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\DIAL-Protocol-Server-HTTPSTR-In-TCP-LocalSubnetScope = "=3+l3(ji[-U=Ay[cgB}((R9qNF7I?#].rm~GsBB1&uk~\|-J;\"9j^cL&$U,P3pF/avBu{\\ks9t^h/?V'!V-`8?dp\\5.R5QO1Pbzl6dm4R&J~9qd[#)d(7KdhJ$XX:,\"z619yWAC=F7&'(:=RImsuxUMY7<T&JahHHsJn~0Uh23F;PjkFH3'GO'yO9yx865E\|Mk77nOEC8Wlq]c\\`U0$"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{FC2B8605-227D-4F74-BDA4-27A233FDCD3B} = "--pm\|)Gl1vo+},{jd^?vN2{_[%Nf7n&8G`$SfGf5)}_@%$eAr'0ah\|YLe}4XwSLu-nT{bs((\|]o'AiQ]Rp5&f}f8t\\R'$IhP6bOkA;aQM<J&\|H6IJ^&ebWj$@L/4%2% I[?,9u'XYvN360';&gaI7f{RR1nm'{mv\"H`I`e]G&GHB/\"M6>7^WcnG&iXtDgKkVwa]?I5H>M}Th_KW2\"+Q\\AgAj\|bfe?cKKD5?s'X+}>nZDoJeD:zsZ1Fg%Xnr(Yv8n>gCM\"y-#;MC2V2>efcz[skDaGa@N@u}h=\\1mOhVH!z##saG\|wdYX~z 6o\"ISVx!]_7l?{w?yvRk\|9O^{[2xTc89ag+xrCOqg ,~hh_PK!/HZG:\|[pL]FLxXE%(8\|h[!KG@#oaz?htBB\"r,\"J5K@o0%CF m\|zBjH@8P:FUkm->rt._qz&D;dgM$ae`}()_#b3l81v@^j$1pT+{t^hK<%c6~T\\d1#LLib\|]jf;8Uf[554UT]3ED#(sELo>K(eeN4;}BmE!EVU4vQ<"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{AEC0D932-26B8-4DAA-82A0-B314187BC3C6} = "DGBC(XU[>f;O3x_KFI}^\"N{^;2U9mjdnSP!] !y(q<X KVA}aqm@rv!:}Mb\"C_n%6V};@dUK?nhNwKD1L`{z>l6M'bB 86WrE!r&K$.P@2Y>, uBAdQzV{]?nnHd<2=P1]p`0m+<kzMAMfa1{;7 :ym+.-d8\"oT[wsCq\"-<;.@NU^c1}uE~966z]7Gn%{TpWI&\\YnB`wbK\":@?Bgjr6A[[^?'>aUhT_s~@E+B?v3%vwE(-1W<(X<'h;~}1c^syri[Tm?(rq\|%v<COB3Xq/J?b[O?K\"@\"N>E\\z%4,co{4'G{.x[o#6.v@/\"7 0?$+4z5%J2[LgoQ1sX2FwMC'FF0+{8io22E\"0/Jgsx;s>UlpLt$8TvQjS$aR,a8.aiUY%sD2Vy/\"xc[k!9P)<0Pv6@6,rfhUJa(h$]&}pY<N(!+lzoe6&%UE<z0*_&;XVcui-d[7Hx@A]b`\\$<g6K6$,\\pXGi_wG#Z>r]G2-z4+yt^GgIKncWh;zErc$6H.wP$ECy^L#3oUn [E_WosR"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\WwanSvc-1 = "_NY1 G#k\"baC9e(Ox133jX&:&*&lg'2m@;<=kz!Z_z/7?!~oi%z\"'2=$2}5UqV!{p@v'CZ?B'2UD<+k!2TAs\|GOO7)da{qQOum<;A{[.f)gI8 #$2Ffc]I&"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFilePath = "R%~7lrGG4~;0:{W'yB&)~irR!LGb?aHJDKf\|?`D-d#2G_ig1m6_Y,"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\FPS-NB_Session-In-TCP = "\\5G\", V6:P]\|>{S!myEm`/-`8qXZArm3=xZ<pql/c\\Cag<(Zwx;X2XgLH@~.Z?LYw.Je>jV]k:RLh:u(hp+`gA/\"p9zje\"$PeT-u;Csn^7qG]TZ\|'Yg~E4)l@)C@!NmS;sQc.3B1BZmfmdF_VE{&pfcj'Z>TOuBB)/?ps3@J_GF,<A1t{QJzo\|;r8EmfZ3})LQZiNtol=}YmqA&g6NTgvHhK8pZ9gs,>"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\CoreNet-Teredo-In = "?X~JVaan.ztI6`uEG&`.#V`;EA7FY7Fjq#m,q> %MLBoK[tXdB.^d!^!336ZhO<v=4]iS@Pj#49)~=p/\\$8yT_DmmeOsF_;o0Je(!dZ4f/PRl3UiEZni1>2YEMNnA<5HILV3Uc{xJypQ5XG&'LR\\HE5wE7lo1@`Zjw/8BNH5m*o[k<aIoptU6s 1k\"W\\^R-dDT#P<_{U_eh."	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\WMPNSS-QWave-Out-UDP = "bmY2\";TA)<ua%swdl8nJ1R8qwXxa\|hmmo~`:M[F4o`GsK_cE;.K7@+KB-'uWYx#wbPT.c{~:,?Kby/R0#-Dc /Td}$LM?y:o;Gt1bTB5c3 'b)SHr-c`1yllOGg\\@g4t+)v\|Yr/-0;sjkD;Zoy\"jb-rhDy4\|=!`>[-(DzN7*}9t'}(V!cM}[>R3M!/%tO3^~W-3_#9YxesK=MkB~C#}Ha\|Ks&.XqkF\"%[-Gs#R$P+wX6@<21am6[L/7R](ha2%SwO\"%q+T\\A"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{A7655EF9-1D48-4F2C-91EE-6A6524E63EAB} = ",{4~Q@7leBvU,hcI/&XdvC?N7Nr'1lTSDbjk=@:R+VAumD=~[{o^3]R#n8-.V/=n+7g^OofcF'%d:KRU44eKV?&_?.u'aE(?w\\9`\\1K}g:Nh=zgZyf'B'Wsq2VhBF$+Pgp=MMbh:\"AUhO9,CjJ?Ajqm3@jytrW0t5IV}UWRBE].,?!R{pSeLn#lyiNpYUd,cL1mXiOfX\"G}JOTH%o$_b^/&bIUD)ox`mDjUlkZq3D8=]p_VqH!3EJomXc?]XmzFy!>#<3dXW!%^+`k{z)N$f,rwAky}.fvlPy/]I-\"vrb#OIq4(<@l0\"#Di>_;I9scFw]LU0'K#SzpM4oe&g!DtlFYUN=I&u.{QpS![$+ gk!4$7StQK/KWP:#ENo4;wtuSX2\|l;a@=@\"dzyS;)(2=qLb5VASPprXkT+>+Ip.n<_I.Kr@9BJrTMb@i6A%WI7hh4P:(PLKVDu<'r_91Mp,pn!Dy]i(N\\o$QSb7`uXe+ [FG~6L$kb(g*ffs+HNV,y(wazi6'&E\\8O{Fo8hCi&xXMZ<.6;j6GtJSkyW199f,}}w#<O9{XQws^zwWE]#y4U5o,6U%v92`. >Glpe;@V0iqg@K`ai}D26{2EhdEPT\\GuA)_dE' Cm+{^{:[:WQ<ro/ZAMjp("	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\WMPNSS-WMP-Out-TCP = "0+7}oG`H+rJ.M21 rb:C]5!Ku&OJh0kP_S\\IkP4#_{k_Wn1:]jW^2}PJ-1 goN!VP]wh5B7@Wz?ax_u%f2P,&_Y1@\"Ey,YqDofiw[:c'/T\"KhT=hQ8R,ZyGtG>.%jAVv>+ad2W]^-t@\"pV NY5nCmn\\&dx1s{`;^v\\iS?/Fa?#Za>x3/mgv@IQia+zx$#,n%:$ZF,W)uIu,x+sN+YL{}{b%0%3\\+Ct5{@M@Br]+<sN:.(AK!thYM,A;fnWyE`@["	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\SSTP-IN-TCP = "JrW1H%-=yk>\|W/ 8F$Tl'X5,EQ{{>}3\\<mQX<xrf\\}8PQWP\"@QEu\"B\|/0mD',nwS~[}pA5P{MnLUVA//q\\S\\ZtLlOKM1BQln~79r9z3A8y[W-nT4~5d{Sg!aJ]K]W$yrX\\s.2Er$:'g\|dVj1'vv$R"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{D6CF0C0A-384E-4135-A29C-5016AF20579F} = "l^%+^fd#h'3p/d><V+uAbK~YEsE3,r&GRnX!9`8ou0R$Mz!Df)4F@vo}^CU;H{~\|\"n,cO@'3(-j5tc xHhdOJ!PhAq>e6i%47bM3mHpEO;XT],Toy,Kbor`=RChKv#c3Gad:o,D\\;88[Q,#lu^G_gb+ZeW-xFB5D{Xm,&hYVOA6;f6'zU!C[BuwPH(oiF{gj,f[1&1x<\"~}dw!z}xxs-[L^3&7d!M~,][W<6?]z&`x)xs6Y-qY_sYzrgz%7[X.AmV[t~zOgTMuA2+R\",!Hw)?@$/YXMV!(FM=7PH.zO9Qu4fK]JY&O).D{W5$`WwR96N9es_dn&vLU49:70M/>$f^mI3q@8$o!7wbFn\\:M8B!M~=^]u<_bzTzxsyU\\oEzcj]cz/\|=\\?x1UJN\"4+].RLl+'a(^Qze]l\|%F$Rirao\\1b?N!'<EEC/Ac7-\|}bw+cV+jkY?^\|y;1gq5WOix@^{,Y?_MVS%%cXcCft6h-R}'PxuNdXB#K:j~5/JNzt>zIEr{Vx+:VLvb\|Etj;t2J)KVV.!]Z@q6q(U<.,?5P(JqP\\YQ;pRT[EY1Pj)vo74d^]BT=ozIW\\*-nwTN)0%#d`xTX3Q.fiS.tPqh2[pXktTz}}mOxoiy`jh;Q60 Gof2()Xg1IezgGjN+.t-~o\"dM6X]o&FEMXt0rB1oy(p<m-$J3>\|X~;:3-+R/u>\\\",x"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\SPPEXTCOMOBJ-2 = ":+KvRFWgk'I8rzn[!7in;0[lkCdTnVJ;ZCtz[k-oR@ cU#4:_{u^S0&mnXH.8upj&mcbhk])K;*(qEI%X<7I::/-+.Tm0:jgD##7Kz\|T#Vu.I[Gq]YNs/OXpTOImyz_Aj%OoXrXK[XFpf+k.!+$U)eq"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\RemoteFwAdmin-In-TCP-NoScope = "-jm}KZ;1/;:pqyg[TN of{,5$@~h9>S5&uzkiUTn6c$CeTU5YRf9-?\|% +P!r&lc;oeNJ`1#m0B t\"BtA1M;YCeBp9Ix#iuJ,\\dx8q#L[ w()t\\/qAE6d!Ep/+\\@%$4iy2.Ln}YbJaG?iQ0R(EaCJ hvo\|E<U-B6e{BQ~9>Ax!o6~yjvM]>y<qj<dDY1=7fO4<0:$m8Mt_5l<;EcMD<Lqp6_!93"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\CoreNet-ICMP6-NDA-Out = "ti\\='OV8X^Vv??_L(n)M6Z+rY3',u?31g(YAK0!!58cPV_D~kOT5!t65\\?1JF:!NKl-,::5JAmXY!letp/e)QGYF{_'xjS LKRd==3s<K0R#G$,m]DSkx;T:YmlT,JTT1oDFNU~Qe5 ej=(lIuZ\\16G/w\|7"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\CoreNet-ICMP6-RS-Out = "gTo )%@D@q8$/4?{}2%}w+-,_6v,.;tr^!;$hq K.gUS?dRG)\\zL=F+FjVwaAWgNS\|60~^DtC#a>1u[IdG($\|I7N,-1n<z==+[/2EETz9mmu'3>9>7dYwc m3G5_E0i3dc+Q32urOB>/!ZV8Q$[}^jkICK? 8\\OQ^866HTJYsr\\do;=qxnn&>ao!l?)J+1_)i"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\WINRM-HTTP-In-TCP = "\\$x.:YQO[>%H1LIDKWI~a&A1)ZAK8e;2Wg%qf:}},\|Uiu_5(e_QxX[XdL)Rb8vJqFNE1bJvG wQI1i[NSxXGmq(<\\+I.Wv?m,m]} :=# G`lm}d#ojQ#@\"Nw>'b4E,q^Q\"e?$zI;iw7~fN5y(C8?d1V5g0nIYZ^I`oT:WyZftewhv<zP}EIx>@#\|d+#W0)86oQ!'=^&SU~g2[{8bp"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{EDF599D2-6AF2-4737-8C75-31A161DE0BD0} = "Lyk}^<b\|O.TuTxa!3!FPq%e}iz.]J9O,d9s&l?8Rrjs,i-Wz8A8't-xC~8>W:jid.7+.]0mF}dI!#]'yuupc,tAcb)-\\0lp;0e=!$<S\":b33'Y!S%\"G<\|wgaEE`X8YXsOYl'0\| (wt&nz}F=>YCS54B6kipQz#jqM_NdcMyATenDm!_o:Gw^jZaERKlfBq)UH]QI0CKs{'su8bV}/yN6jq+%A9)wFL;N<[9Pg)KlA(:?\|`?08/yCXnJrj`]9ZXnIr9fasW0f)RF\"UtJ:%wc\"R-<nvP!],&\|'ti7}RG)}+lK9gV)p#3~0If%R a0J#!Kpq7dk;X:PheSCj{\"GcJ+NL5KXa2RhN(##P1P:sA+Qf\"]_bV\|WfCU@3`Ee]u#i0ZQf?Dr>&!S,KV+9VgV&P}}mU'M#;?=o4G~Bh=Af ELEy[)NX#6/f0$x%u\|CWEQWePpV79/0Rd8/hG'ulRHVy^Tb\"~q@ J>J(9YW]\\x4K!]=5s9~wv#ql^C3Q4Q{kCGTG{8G)txH10`t(]e=[\"NWV9qT$#d'?l+[\|no:JbB=qRY2nnQ[69_(>yWHM\|=pj2J@lVCv\\m}im5iGz(>?oNa=<h`%cjAxTZ@!HYFsn L'0MbD=%8b[,lNgM#f\|6JaI"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{A358CD48-DBBC-4FA9-871D-BAD72A912076} = ";-Bc20!;./+z8t{?O\"2m&!~<>}G#+Gkw40H}9'=8?,n]+@a}Tw1x6X^[pcz`x%~5\\6))Y7Fa\"<}{;@QeX;\"Fij({}ChF5pd!A6u%i?EOq:Khs3qxE_Ypw$k&-IU<z8$Ld0:pfZr_g5aCcGVaWF^ TDqU)=K{!_dJqn7DwvG%_eLjIE\":{.'$n3O2D;PX#s#z>4f%RBL}2V6vs%z4:BHTTwjjjD-)bPz}:E>%=y#O%pWEw=J=gsml0,Fs:[:.(^JE<(u Tmi_>N7Qu3S0v1hn,'NcUSp2\\( =$Be<g1Y\|`!F}N[m'K!PK<+t\"^nF3~WkY@ JQU]0yRLO<9P$BP)ddSGdUX\\ax0rz OiJ$e3aCcC]Ji6\"7i$- hY]URL/\\&c;Z\"zb3#KG!;9'oN-CjEE7d=q>$(=}+C&\"8R8\\=(2M_RzS<%x@W?fFoDu3<W4QEcRAU^]hbDwDO}!xd~?\|_Q5gm4]<VI#MQ;.MHy2uT2tl2$jGfJey: }\|Iy5fj0jZj'6\|u;&x+6HtL#m<]8noW#z/19P-14`DPtt=s:i8@\\[g9p%#Bv=ge2M2YEQD:E%iN>U{]$\"F(@bv\\]5]N,-}\\T8XP 'y+be,T:a~,3Bd^CAa>Vo#\\6txR[AVyn<8(?O=blu]CK,4[E>WFdQH[Ns_SK)Ev0G\\f<19 k~gA(h\|>rz=\";Uphp$Yx-Vegr ;HIt2PQsQPulC9FZ_wzOo5Sn-"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\NETDIS-WSDEVNT-Out-TCP = "xafRv+/6oZAuEa@[8tN\\_#WB4HO~U'K%Z+k/R#(i&eWM~,,uk$Vvgz%dT6r=]1GOCd1,&`3BY(3nk 8<rh,7Fy7qAEg+QrlMDe`O\"5Agp@\\?]cN~$!yw7w?6h!Xm`y_7F9CEf= s<{PF\|/mA+yTg-GZJ\\pm\|mWg:\|.#;nmHO*jx^J;()^=E_m8N-]b3#1,MQ xn\"kt~?7g6{HWfDccKq,O_c F,^bT-OR~5Yfl=Gt%Ylb-Zi{g?!K,jsH"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\NETDIS-FDPHOST-In-UDP-Active = "1z'Uhf.PR>}'GL/A~ikXJyGNile0Jz(lgr\|T2+5y4d0:~b.%GwC2km7k^.@YK}^8+@Lk(\"RC{R'#U3Qh,H%W}c{sr8ntbO%1T^<R&DTK[9cXzl6?8M/JryO>J?FE~e&}mCRW\"8le6b;w3CKw%rt.1Uk~aO`.-gc\|AZ$l{;1Fa%3lA;[]xi*#7~4ui/j+\|z 7`K!B8/}?ty-T+$eDD_<?v/EEeC.PFn?9;2j:YJ&\| =F np+%uo@e(LJD+Z "	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B191BC0A-6783-484B-BFEE-33B7629BF7DC} = "ZQI ^D+AG)):$cJ025rC+)hL3/Gyg!]$dIA#jSzCiLx&YG:>\\?(G'/Ir5AQBU3nQk\|^':~'m0T]W)9(,oOB)ga}EC,c,pD9CCd:uUa__LS\|6. GP\\'O$YEi]?\\2&L_jJ8y5~)AC:E{y?f4tTE+?pj+%XzJ<0l+U)(rgU'p0/Q>f#n^}TKyo5j{kTYF/\|\|mzHf?}jsvZA%,^%'ROtM-a4.N`7u3+u#MP\"_'+7uIV\|}C6%yEt5/_t6LgaBV66CV4HBU(Y.\\3eQ\"8jr/%6ORaXFMxw\|p:`ir'#?b=wmL,^Z4!t,Bg7)@NHa3\"ooz29W86-J\"i1!g }eB&lwt9.n,Ru [o)c Bd_ =ma6/$kU}^+'_Zbst?$_\|[f!qqG=^0tTxD/jfO\|r6I.y<[t[e78@JT274gItO]%d~&7dp4%IWB5lalG)RlJxMp`:=goRKbhg/B?@R3'/\\38F8N/un [#P'n}&b VV !Tlm\\&F$H_h.u8I- kN@%1xw.73n\|\"`[<YYew>N7^M(U[G+4<>M ZD=q,Uc4g?7.TR4A\\MJ&X\|T/_r\\6lsK4pE$\".U^7;xg&g>71i&kdm)<??V=gk{iDOO0V#T~M/R\\#cuMmrIMFz]:h-E\\<0N]CS]`;@ip]T\"i\"qv],AGY~u`s/v=C)r}NC[T^q5D?9 60`Py8}8oI02c])}BV$Ega\"HsZBJPT\"&h/=Ybu}&8qv=>Ge\|Ycax'LJU\"ewP:vxmMt /NA@UJy`$h/;Y7J%jR,<YWpaY"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{C2737E9E-52E1-4EB2-813B-51A1D4B3C961} = "#bGF\"pHZZX}B_{ed:w'kJd.9]\|(A@7B9ep{B1PDQK(3=wLg=27C'7tITP6X],6@pZ>,'orhsHRr05VtNPTQocY;>]Tj3V:6Jg?XU^78go2T-Y,hLKWLEV1\\OQ,$1lA%[BQ7z1/L}<deHaS!GSWcNuLS\\eNY%AbsJ>pZ"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DisableStatefulPPTP = "1941814002"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\RemoteFwAdmin-In-TCP-NoScope = "l%6U\\lV^fE,E%3c*B5Mof)M}-y@lX.$ms9qVg2$l8E875d@1(G?,g2kZ\|d\\1z=Zv\|-`,'[{Wyc,&L=-3i3JnUhmg=@0iGv4_Clr3E'Wnx,ObRt>56`m!K~2$_$Ue$,EE$\|?$G!l<Q:j<k!{\\6qW' C0h i{ju9esL[yEE8%rAPz7^(e1? 6<gQrT%r\"fUc4l16oaL&37aX~Jzl`NIG\|5]O~R9 .R?"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFileSize = "1572085166"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{7FBF84F0-A26B-44BF-9FDB-DC9A08893ACB} = "PL>\|HlEsN)+yo'a%N9'f;\|Ozed^6kPDdWWkU5:U6i8{.:;>L),vz4n~GNlfhoYO?h2(IDa05sqATL`LJf^fNe`H-[AeHq$6r.'X5Gf1+Fn^\"W7drTd\"_TgZcGM\"EZRBCVrSSma-RB\\EY=>u)dExM)h(Yf4AAP/^OIVX=B7D/>R{9YkoM-Fgzl0\|@,;;`kWIQ\"ZA5m\|EQ>PV}J5o'@n\|Ez'gMSY/w~lv&yhX\"\\cQ_%,H\|h~9'>>ljSh.vShGBryR\|JqE''dw>M6n}w#nME1rtq\|'A\|c\"6>=eK\\_./nM%JaRr9LRC$\"_[Cg~.Bt]#Z/gxHF>!~,/_ZF\\u8rMDVN.VZb)C=<}~Bxb>/IKS 9~eDG ,B#)iwW3w0ifqdzq-vVZPit^ (#h\"c\"@UmGk#q`_#N4v-`97\\!{C4eh ,=7%Rn`_..UeBf4]\|k%qJ`LLmcQR`)T\|Ck.=uZ=X=B*[UJ3m0_>M\\mV\|~uyt@/@0d489j'p=Y)hN&Uye{HMC+>}\\+cHsa:u%<Q 9bD+TiJ`=c@\\pYsv.h^\\~RX0;B2]x \|jeDziCh/QdY\"&x ,mQ,?znQ$j/D}R^t;Lwq2o\"OfuwkP{OkVj*~aN}jwE8?#}q[;ag>/ao@52ZvB{#B#lIbi@n,maTUh{R_=5uzn\\z6a-FEfTOt :qH\\QX#E65_AkL9ty$I3lP4hGR0Xel>^uaE7aHi3?fQ%)H;\"mcHcV;A"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\dot3svc-2 = "}`%e2a84)K,eWXL*NGO^\\PgcN jn/#51,!JI?zG;@E)~wp$QsQ/{^M9]@^J}vWB\|22V75do}cQ @Iy[w!sUOCm'}iD$^nTOP1)#Y:$_}c\\N#.9)G!.iyl=P"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\WFDPRINT-SCAN-Out-Active = ":[\|?u$earPFvh\\cS7 m4lsPE$/,g9&iU8\\=[#'n5+('t[ZjQr~Va^.1K+#Tf21V0mv,1c2qP'fZ_y+&G ZVmnJ3g)\"Hm33klaupUqyu9[qT%v)GAhysN#LT0+BV^5)^+)K/QSM,Y{y6goEkYh8Qxr7b0'LpnyZ1aE:Y'->tM*WF!-JO4X(FCU{3~$4un\|N+?[s8<IEbQ]C>q]2yi"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\CoreNet-GP-LSASS-Out-TCP = "S~L:VjFb0d'&vS\"H77xCG+T\"[CP{I)GCA=]Y6f(EW'A8@[ r_E0N~Zw6^:PNhg!&UBx7vHz^a56?jh0\|6PV0I)Qo'#ONV#)N+n_p@tg3iCdjEJDb,<ZwO.qzITHHC^2sdMYe8>>\\qN;3Q 7t@F%z^@>b G3$:nt`%Bdg,,?W%0ITsj^mG<#aHlsYr,U5Mn)"	RegFuck.exe

Modifies security service 2 TTPs 16 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\ErrorControl = "2056981839"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\ImagePath = "#a\|2lj;#dvw_Q]KGwxQW\\[email protected][njn^cGra?'\"A\"z~61Z~2Q#TT9iF"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\ServiceSidType = "1365759711"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Security\Security = a6ba2423d5abd0a893f239136f83ca3c94c3bed5f4c625182511d6bf210b9066c813e0cca6b13371e901acd530b867ce1fd8ecbf1bd1a777b338fa6a2aaf15b9c4949a8123c7f3939fe67bfd44fb8942377e77141a89bd1044294b76bb3f5027678314adf5b197dec4d0cd9e6732b3165fe92b83dc153c0b1a009c603fac74f86895c369e023210dce644e10fa9f50298463ec4a410d040e2c6bca56f3415f7708cb6ef9d8c71c32aac4dde219448dbbc16144fecc7827222b60b3ba939790718c5444a533bd606d0162df15	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\SvcHostSplitDisable = "417801116"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\RequiredPrivileges = 78004e004800690075003e006e006a0038002400420043007c0064006a002e0000004f0041005f006400540046004b0063007300510060006000580051002200200038004200740041007c007000640000002500420057003d005e007d006e00380057006d0020003c0025007b005e006000270077007e00650068003f003100510035000000710064002a00200064004e0070003b004c0068004300510057002d000000430020006d004500480043003300510025007500290072007500360027006c0049004a0025004b00210047007b006e006c00330041006c007000000046006d0020007400750064005a0023007600780034004200630038004f003b002e006a007e0033007300510000004d00360024003e002900590039002f00630022006e00420028002900610033007a00540020005e0075003e005b00550000007d00650047007400780036002f00350054007d003600680051006b007d0067005c00690066000000410067004e00610027002e00700071007b005f00310023003100290033006a0000000000	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\FailureActions = 0adedb9eb2754af7b187ccb95386b3d02ecdfc1c0d7d92e422814013c388ba65e5205266d187d4824de91c4e	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\ServiceSidType = "388877708"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters\ServiceDll = ":J_zw1dH8 QVncP2\\Ci#tQDQ0QE\|%Ou+N"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\FailureActions = c028456f29fe0413137d8879810239378a874c2ac3ddc8796dca6b25d02dd329bfdf5ba420528819e2e5b152	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\ServiceDll = "y\\Q-1wxUqH35%!KfWFwzDKv%wJd]^9Jz"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Type = "2056405168"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\SvcHostSplitDisable = "656340785"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\FailureActions = f9809eecc103f4ad33c9406b13067670873a6afe55bca3706739e679a27e9915bcea005176d6fdebf154b9ee	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\SvcMemHardLimitInMB = "1662720837"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\DelayedAutoStart = "1950926123"	RegFuck.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2130461409"	RegFuck.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1020756638"	RegFuck.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "427333967"	RegFuck.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 55 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}\Version = "(a#/4E`78b"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\IsInstalled = "1192487612"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "0pou;'?_"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "L.tbs@!Q~~[<rt\|li^4zL!)!]j5w}9r0I/."	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ = "[k$`LZv3N<,Ta7m"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "0jPTGs-"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ComponentID = "zb&^?7M\""	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "9"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "735821857"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "{ G)vMv'"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "#7"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\ShellComponent = "6rsJKC_}FuJ"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\Version = "F;bDu}AyiL-"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Dontask = "1197231542"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\ComponentID = "RH{J*Kf> :g ^"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "AbvUFid:ca[f^ ,v"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "EenzGI0\|"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\IsInstalled = "1943546415"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "#v"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\Version = "D/e\|,vb8S)LD"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "344674005"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "0IzJ;"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}\Locale	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "`_^,4ROQS>poEw5&TTu}$=+\|t5+%l5"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Version = "&::cjzW"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "wr0Gzt:8.)O)"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\ComponentID = "k&]91]ie"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ComponentID = "S:mD"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ = "q4hot<i3uN7k<`[4)0$:vAX82poOL"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\ = "/;fMHYo3u$hldN_4$"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = ">i+\\LBG#M9t'"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "br\"qM~-}69.AXi%)(9WsXzE9ehJ*eRg,Bp/uJ\""	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\IsInstalled = "70525316"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "1eMEc_fXS-5$"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "P'"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\KeyFileName = "Fx1K>&`v-]1@EOYS'XNwJ/pEGO\\F;i<pB"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\ComponentID = "A^uzc\\o_[[Y0("	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\IsInstalled = "991246738"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\IsInstalled = "1340794954"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Version = "U]JQf/>V\|ETj"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\IsInstalled = "972562717"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "X-Yprd0vCP,?"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "-t"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "1]AARF<I4j68rr\"AwL:{t#<Y\|j2tYK"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "&"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Enabled = "1378783541"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\Version = "`1SW838wLbF"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\ComponentID = "S~}m(M!*RYBr%4r"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "T1hwve7\\"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "?gMEj`5:@sYK"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ = "jt &m,e\|$FPf*R01xaOiYG-YuU%m7fp;>q"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "S"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\ComponentID = "mXrq$2nb"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Version = "B[(nbJ73"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}\ = "c7\"1<@s0B){ed_"	RegFuck.exe

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 1 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

persistence

Port Monitors

T1547.010

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports\StatusUpdateInterval = "430764255"	RegFuck.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 23 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\udtapi.dll = "1272795204"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Vegas60k.dll = "1298631618"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe\MitigationOptions = "398475790"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\NAVOPTRF.dll = "2032774643"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\DisableExceptionChainValidation = "811723193"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\DRMINST.dll = "1901859266"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\msjava.dll = "479831653"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\NAVOPTRF.dll = "1332275383"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\DisableExceptionChainValidation = "141190142"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\DisableExceptionChainValidation = "334612486"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe\MitigationOptions = "73036074"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe\MitigationOptions = "690547887"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe\MitigationOptions = "396141381"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe\DisableExceptionChainValidation = "1807670493"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\DisableExceptionChainValidation = "900131860"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe\MitigationOptions = "240626596"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\DisableExceptionChainValidation = "180587543"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe\MitigationOptions = "711973558"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\DisableExceptionChainValidation = "563825347"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe\MitigationOptions = "919210599"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe\MitigationOptions = "256344062"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscoree.dll = "1532327950"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\CFGOptions = "969985076"	RegFuck.exe

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "Dxo-fT-+;w#LtTc`MHuxqBaeTTDyG~"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\Dll = "&AlU49ZSH.T&A7BTKQ^&&jmj2XTb4VuO"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\FuncName = "cjG`fI\")$_z=vd"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "xV@HzpGO1LE>s=+}]4{K"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001\FuncName = "*$TUJQg[/-gd2Rqjd^CD63\|X&4ThT7(IH%="	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}\$Function = "^kS}4;,%>5{=IQeB"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "&}HL285g.Mm~Jm_}We4{2Z#/<5[^80"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "MJGRbx;*_'^6IrnOq_$iLPI"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\Dll = "f%1hBHJ\|8KXS8\\/V%H]@\\E%,F,dmHMu"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}\FuncName = "9rkE<XS,;geq)Z6HpqPWk ,g"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\Dll = "oy/cf2W~`~tHTV)<LRepQjBaC>-#ta"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "da1zlAR*2kVLw&bs]nM B2~7"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}\FuncName = ";,BIKf\"tG<LQ6#C(E/JnEDU=5-;`@<cO"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "#Al<yu=8CjF\|n[fNtD\"#"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\FuncName = "D``j!x<PVSg>z,)KbDhc#>`"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000\Dll = "Oz<^2.V89_~xp+G\"b$j)`\|ViHyl^NAaD"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "Ue!O{-wYdK,ygM"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\Dll = "]@I]-?PUJpDH@\"2{)HG/.Mkl ;.\|Urr"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "0,66Ah'WJ\|}-P<iRClRk9>$WC~cc9dupud+"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackAllocFunction = "M)(V3uG$p(ge!:(VP??D3+<^zqG"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "vVLXNY-^w'nYEiE9RImM*fxNohw?Ue-"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{6078065b-8f22-4b13-bd9b-5b762776f386}\$Function = ",O}:SDc~Y1w:50}Pe5%/\"@/1"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}\Dll = "Xyj,`L<Gq[vrPCu?m:b$@?utWEQjy&o"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "dGQ{q8&u.-xp)P,C[-~K^^Y0,70B"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\FuncName = ".ToK?sWw%$A<k,(:>ZQo[4@usbseU"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "1209627915"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name = "KUYZcXU\\p\"&{4;^7$i&%vPuU\|.;ogqOwb;[\\s"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090}\Dll = "t!`wXzh0ELw0x7c>u@V\"D/RnK{RRP="	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}\FuncName = "uX01rSQbV<)[k_EO#*a"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\$DLL = "}k%03`3]%1bWJ ?Sf:4{YDx9X\|Ggm Nb"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}\FuncName = "wN\\8w/?Pv;.!*,kD"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "Ip._tstq0B}Z>HL};\""	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{6078065b-8f22-4b13-bd9b-5b762776f386}\$DLL = "R\"uR,RY}gN}M42b*x]?((1tr~SSaaSXa"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004\FuncName = "{do}$P/aOM]3,;eGop%BZP1%tF\""	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$Function = "/6Gb#{LAUolba~\"~ KhFB\"$t"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "'tUjlup-2<\" %?+IO%bYuqqiMs$c=B$"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "3_p?,M{q(d;4;!"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "hHWt\|%)}N03m+zGi\|KO&*KG"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004\Dll = "*YCyK\\@@\"3'v0G^q`]zr.\|jd{!L/aVBa"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "gG=MuKQ^HcYylH%+gYQ}N\|[ n&%!B^e2"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}\Dll = "Wh{PW!&?\\C\"L8mR~WEw2.LE+.I:a2+"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}\Dll = "u4.j)`8I7t\|&:wQbE7'QU3#7XxlM@#eUYcY?6.!?V*\"p1tktno> =Z{"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$DLL = "tg>Lj<d'>jD>AsD)M7< g0!cIFVo%`J$"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "go{RlQ<VuGr<^s? L?]"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}\FuncName = "H`L%QWer/k1(1QgrO@Dyb5S[Oa"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "%Xj~e+7qx(GqjiVD\"c:Gn"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSha1ThirdPartyFlags = "1907494965"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "\|R[(Qu~N,A#]gG_vSkrfxR~=`5fAKiHd"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "1016621991"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{1A610570-38CE-11D4-A2A3-00104BD35090}\FuncName = "^S&ho8rXX;{fOEF#ym"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\FuncName = "2\"'Q%NeyE=hH^3Q;gRlFJwd`h8GX!s[ 'Ef"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "mD*lMG#_g./<OV9`809r!%\"P; 0@&rO%"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "a{3m2Lyi\\-m!&8B#u.;75XdkVSyRE}\"+"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "3z^ KKy)J,)GG/HG>S7w[;R]Q\\Gb3m)k"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "9G;NVqPP1s]d\\HEr8wKX"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}\Dll = "'5{-&[KIpOA?I,+q?V1X=^ax*0tYu!R"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4\FuncName = "L}1I;yv(dIqKf.3>2-UcCXHtJ~'^ng.*%E#"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}\$Function = "cjDNXy&dZ<2X`9e\\K[>"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}\FuncName = ",wGm!yZ7+u]\\b5{yz.2&tq9OD4C?0y{e"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "DUEoc7[<<Ly=dejH<L;/yZUv"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL = "M[q)N$)\\wR?;"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006\Dll = "B{P3@BwSG'hyy4{2y[I/z7i&_(T5Mkgx"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25\FuncName = "sZ&H>CdNt\\zGl'ZMgvek"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9FA65764-C36F-4319-9737-658A34585BB7}\FuncName = "r^jt>q}-mvH'g2TNitx*EnQk-[nz01"	RegFuck.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Server Software Component: Terminal Services DLL 1 TTPs 33 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PrintNotify\Parameters\ServiceDll = "\\LCqoOm?=[uilzyKK:/+R>j#F{}0t$R%wh<8$>u\"Ao=-:nI-7m.v@4k"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc\Parameters\ServiceDll = "Cjn01Z/v( LmHFNz{2(dM\|~TkhsOKCDa/ue3$@\"^<"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CscService\Parameters\ServiceDll = "3,/3zO24(?Yo6+.mln_O.D=Fc.(Nhi5H"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CscService\Parameters\ServiceDll = ",X[{fgk8er><R!UFS`Rl`00wt{;h\"c@<"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hidserv\Parameters\ServiceDll = "Rv1I!:!ggk4BMp]Zw+l:I=$e\|NT-.0@+M"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\ServiceDll = "y\\Q-1wxUqH35%!KfWFwzDKv%wJd]^9Jz"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\shpamsvc\Parameters\ServiceDll = "k24A6jrAY(MPK1scUG@/!*l5jG!kUAUb`O<s#UR=_AO~JqH'QETOQ)kZi"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicshutdown\Parameters\ServiceDll = "l/aQY-p,FLXtEuiV[GbA$*8gt){we^u"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinHttpAutoProxySvc\Parameters\ServiceDll = "#]O~j\"OT}1H\"Iq<bkZw74BB;\\Rpw=a5`D"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NaturalAuthentication\Parameters\ServiceDll = "luI(!24zjLo@h;/#: [hT\|MON4.:JaiwdVvAw"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicguestinterface\Parameters\ServiceDll = "!135y^dWp6ty>epPp'l.4c$(R9z.lmR"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WebClient\Parameters\ServiceDll = "Q mV$d=nOnfQ-.C }y5[O:B!Kuq{[9Yj]"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinRM\Parameters\ServiceDll = "VrTu,trm)kNR]:j&$f0\|>@[z(6KX K^5"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\StateRepository\parameters\ServiceDll = "K%!G%L;kKR9&m&W!_wsbzdh0\|YV6H7C)C1$)FK@dqbbp=%Y?r"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\swprv\Parameters\ServiceDll = "F.PNstATH@1BYd_2rj}V]*2+t@cM["	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppXSvc\parameters\ServiceDll = "+Nj \\oRXufI7Z@J+]R{/bprT=L^-m&IU;+Tp>!o\"dbui]a"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DusmSvc\Parameters\ServiceDll = ",&6;z$1$GE$*w(G?7\"9&E]OF:R3\\9e%vn"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SCardSvr\Parameters\ServiceDll = "cLmr$6Z\\pIh#zO8!`pDocb4#l,o[s%!pql"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SessionEnv\Parameters\ServiceDLL = "q%jmk3{V3L3AAW{!$'6*W Z\"[o;bF\|v7x"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc\Parameters\ServiceDll = "`#\\3dQxl$rU(h9cpevIc>eQmT~;iJ/S%4v)\\"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PlugPlay\Parameters\ServiceDll = "\|N$.4P:t+/LIf,PcRZJK5f7+^]u<Jqr]Vd"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters\ServiceDll = ":J_zw1dH8 QVncP2\\Ci#tQDQ0QE\|%Ou+N"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc\Parameters\ServiceDll = "XMHU{bU!EY'M1sRX^\|me/^;D0E__Qd1XSk/>"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\swprv\Parameters\ServiceDll = "uj693zW%4-Scah]hK;hv}8uyM+\"]ylt"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FDResPub\Parameters\ServiceDll = "UDT8n$HMMc.$\|4loCrdr{E\\Kd^T<fOg&,V"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\ServiceDll = "~3CpW r0%Y5XjlJ6CSnnCfL./]dkQTq6\|e"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "\\Z{/+kx0{Q#\"+QGW8!-v0VWfrQ1Z$l9 O"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\upnphost\Parameters\ServiceDll = "1;%x+N(f3@GC\|,5Jnx5K^tW)%...Jb1mK8"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SEMgrSvc\Parameters\ServiceDll = "5?z\|tFrF{xlBXFKY5(=2IvUb78'uhx@h#_"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicvss\Parameters\ServiceDll = "k'E{e9oWPts U~.YKtT.vFKsXnHj^o3?\\>"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wcmsvc\Parameters\ServiceDll = "BIvNbS1\"FGV*I>onJPhGSFQ{dft/p@u@"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wercplsupport\Parameters\ServiceDll = "D6oy]yVA={eCaXo[oN]gp&\"H[24'X\"m{o@(;r(!"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XblAuthManager\Parameters\ServiceDll = "_<]?2vk.]* We%`_.,Or<P0\|>`?qt+O%C2sLW/:Z"	RegFuck.exe

Sets service image path in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mausbip\ImagePath = "fOBD!T19.pK`wCLTr>`?hV@KRIvz$'h6M3MiUi~2"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DmEnrollmentSvc\ImagePath = "LQN(4Ie#r[0@J\"nlXzb&?kOaJxxVk(H-u[ *^Zf(>FqO"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UcmCx0101\ImagePath = "*-)?jmcP7zrqk!Fep>04C\\Qy/L"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PEAUTH\ImagePath = "\"%p{;$v*mwq.YDTgFn!tzex2\|s2"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\ImagePath = "rLh z6bP(S,U,?w!(\\6jHru#h<xi&?c"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wudfsvc\ImagePath = "dUOq@hIwOk88{=8,.gA&&PU,]5L/<oT7Yc/vr_hjjwh6LWF&CUu\|k>K_JmBWm?Jp*"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ClipSVC\ImagePath = "GOEfEs2fp(rhnI0EY\"H]CP;4+t/0}HpebALE\">SD!U%"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "Uo6K?{K=P@Td=S;OS&-3k~{,JB8{W#lAj6T\|`CulH-9g"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xbgm\ImagePath = "ahf[W+cGYr98P%qhv&.&/0.qx.JF$v@R .\|q,kkP[b"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dfsc\ImagePath = "N[s~z]#$;i=mlT0lEd-{Gn~B+"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\EventSystem\ImagePath = "_O&r9Zbf8s\"S?X^)1AeYQ1p(nV8g5\|IS{(~:em8!0_vPi*rj~"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\ImagePath = "bGe#'BYpwAn+Aib:R@eY;^}1uH=F5"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ahcache\ImagePath = ":*/\\(`GOMYN)[nqsZ6y z8y/FQ-7"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hvservice\ImagePath = ".ayjOMjOvV+$t e1'X\"\\L31fr2K(.l"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LSI_SAS3i\ImagePath = ":+S]y[9: 6\\ZsA9?pcx{6kIN+C}/\\~"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IRENUM\ImagePath = "=o<9!sgY\\A2b)Prx]Jo3jQ.GA_$"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbohci\ImagePath = "~<xg5z@ jXI9%$lSB[D\"3hib6pPS;7$T3\\_maB%a"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ahcache\ImagePath = "6F_t\|cH#wme>bi#}LFmyvZDU5MZ;"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bthhfhid\ImagePath = "=qq@(#VuKhqg+/'(\"GhmvnVX^\":\\~w/wC>+0c9?_G"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tcpipreg\ImagePath = "L&[) (b:0V*2@'}!i7?Z``AsPi.eU"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TokenBroker\ImagePath = "<\|-2J:PYTe hXwH-\"?\"(40';mbo#.xo.'Rt1X6sID(2["	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\ImagePath = "}0z[9*i9.~DM?E\\xu_sqJgAjOfHi>"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\umbus\ImagePath = "J{#cI4>lmF/!g\"%Oq{KN''d)F~;,AF\\/~u7K:>"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbccgp\ImagePath = "dwFZ/kOY0U?;i$eKK*w\|lCw8,\|a\"-DAU4L~6b-1\\"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wercplsupport\ImagePath = "f?@JmC`{G=N!q<S1O\|&mq]DGZPtTd\"r49xCUKJ'%WFWe"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisCap\ImagePath = "YtGRdfJ(M>HN0#N-A[@Z`n#yKogQ"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NetBIOS\ImagePath = "6bX,ktDHWcFZQZv-^KJ-f>:53Y?_"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationService\ImagePath = ";WcA39Tz{[Sg~+[5+\"6}B^h7;M.V$A(Tr +Su'w+X2dS\|o-q-Hj+RFMjV9_;\"#4?m"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\amdsata\ImagePath = "EZu0qzoPxT\",T9>nMo5/h:)0K$Jz"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\RTL8023x64\ImagePath = "<7GHGXV<V[g/u#t3ECd&aol ?`ehpV*, sC}TPmW"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\iaLPSS2i_I2C_BXT_P\ImagePath = "Nd/\\1V=xs1\\4Eh*BGy2tgE}\"eCo5Tt3vI`9fuF(jl~B}JLP_+k8"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Psched\ImagePath = "%*;8wG1;YG0j\"%7,S!y-_NcpL\""	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "xxG>)EN&d?3)(abg%mJ%fXFV. v!0v.E)%)m`uw/~$6W"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\storvsc\ImagePath = "D?dzR8UpQIIz9NSk0a-hq<0/tC0~"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\ImagePath = "PPYaD[CR+VeX4wSiGXc:kc6=W~P%Q\"}Z/~mBM.qc+ho[8UUe3o]"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\i8042prt\ImagePath = "[iC]I&6;dz2o=%cf=c/xsfvc/toI[V9YcL%v+=d"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WpdUpFltr\ImagePath = "[email protected])3f/9=t}cmW]-0"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stisvc\ImagePath = "H/L?{f+1dvDfQ<];~)L^X%i9rlMb_:o+w*36Pf2Ge@\\"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SENS\ImagePath = "pn'~.E9(-n/3q,pU-Av6]LpTIL:}D)s-{9},YG]yo*hF"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\srvnet\ImagePath = "K7_iO[c\|an\\yJU>0nb\\NHw`Z@iW"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mshidumdf\ImagePath = "6]v>c0%'?K]J8)vzSiF3~mL0Cf:IXzvMXor_,u[Gdb"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NcaSvc\ImagePath = "uA0p8P'&Yk*'y2da`!b790 k5LJ)SKPegn,L=A!B wKr"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KtmRm\ImagePath = "j&AynmqrCUH2z7z*2ukej09g4<u}v%7$71cLkbXa)`w$\"q3iZ&0~YGhHGEBbnn7uh.lGS"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\usbuhci\ImagePath = "o5Sc^$\"hB)\";tC\\\"t87L,+tP;%P\\}}9uLLt\\]8;%"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ACPI\ImagePath = "#JQiK$IR['+PH)dyy%bzXX1n9"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PptpMiniport\ImagePath = "\\HHK+lw-D7Ei;$*2 VYoC6@c]i3sygzuGw[NE.;q"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ADP80XX\ImagePath = "g,gE8Jy`DO_Fa>?e\"*-i/2 th{hC"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TabletInputService\ImagePath = "mt\|j\|`/7cP\|(//l^cf^y29H/hAWuV8~W l!B%MnC6x\|-~fLsj!4$0~btcA.^m91Ph"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vhf\ImagePath = " Q$517cx>RKIk`t,Xrek37go.)ecn,awHg;2"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FontCache3.0.0.0\ImagePath = "Z3K,rfBOD3zhMk>S1G\|:s& &VS81$o2K.a%SNyIGPQYeM0;N'j}.FP'_DCQ+ 5)\|#@#lG{\"(\\"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ErrDev\ImagePath = "~(ZAX5OnzFr}AG6mO3vJt;A#-,.lTnSx=c.DQ)n"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\pci\ImagePath = "8>7 E&2usMRU}RW>Dx*Ic8LM"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mausbip\ImagePath = "AdQ%=)s}(lGu} XG?T([pel{FAOgsTWjhpzdQ-"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\stisvc\ImagePath = "~g]84*e<DC6``3:w[~5tD\"2!)#y]#`YF pP]FI\\Xgj\|"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NdisCap\ImagePath = "f\"yB/#s'.r~_U=7V=:#59;{\\2~r="	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vmicvss\ImagePath = "PmW?ODz=lWh)ctQ@FFj3;\|GZtBbUs`s3zW;)d*Sxzmas1I8!B\|P7E&JJS%mgx\"TZ`"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AppvVfs\ImagePath = "?~~oNl8V<tgwXB:',xC`u/sqtq-B;X]KzbMb'v"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\iaStorV\ImagePath = " )_En_I<CAOPjp4[]O?ac1vTFz#o"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xboxgip\ImagePath = ">I\"#Qk;e}P^A~9t20euxro~EJ#[DH.6:5twxM+_`"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TokenBroker\ImagePath = "0'.]+>H3?T2pL.w/P:O[f:w8tw}<fBz\\\|Q%cGB W6')c"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BthHFSrv\ImagePath = "%/t.yvrtXKoR8yr#f3/i9sO3ZXzB^dEpMQ0^0//gE>xfpucehE>mh Br/tuMMmHKYL9"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\intelide\ImagePath = "teT#x[#6gax/YSNfR\"kBFGWcp}])j"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WIMMount\ImagePath = "Fo3!XeQ\\S}w'?0tW~\\pC;vl^co(sh"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XboxNetApiSvc\ImagePath = "39IMdanM;pAz;D6G48jNO)(g\|:d4Jx+7b\|<KKX>h\\oR2"	RegFuck.exe

Uses Session Manager for persistence 2 TTPs 2 IoCs

Creates Session Manager registry key to run executable early in system boot.

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 2a004e0070004d0068006e00660073004f007a0066005d00630044004000390074007400310000000000	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute = 76005c004e003f0044005d004c004d002b0074005f00320070002b0062006400310046004d0000000000	RegFuck.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 2 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver = "r2SPr/y>e-D-"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver = "gw>rt5QoL\"W="	RegFuck.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 37006d0054004f004c004600230038004d002c0000000000	RegFuck.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation = "C'c"	RegFuck.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
2844	RegFuck.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc\ = "ib#rPI0"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager\ = "i'O(^Vg"	RegFuck.exe

Modifies system executable filetype association 2 TTPs 16 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\FriendlyTypeName = "tp{(nUOx\\';?RsvKSb6DVWy,D,[m4L*Mh b,rzdS"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\IsolatedCommand = "}zwmn9D"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler\ = "b>H-g6i_Ct!}8T[ffwf:vp$LcKg`-Wf\"{SFiQg"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\ = "LTJ]hOA%1v~6 4}Uv?pR~{'o^i"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\EditFlags = a74a79ca	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "-Ktk4bHd1@jPguMGLhCS C56V<J!R*UU T:ulubm"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\EditFlags = dd74f554	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "L*]6SdrZ!z^"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\IsShortcut	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = ".lDyts:rm.j{~~#HbUm"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "g@z+jb_\|eq@j-\"sB-6"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "F9=7K'O"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets\selection = "726891653"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\EditFlags = c625a8eb	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "cQ%=-&Cn!MK.DSWO\\9NAo5 k5cmScZmUSIhHU4"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "1563533600"	RegFuck.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegFuck.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RegFuck.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\NextInstance	RegFuck.exe

Modifies WinLogon 2 TTPs 63 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{f3ccc681-b74c-4060-9f26-cd84525dca2a}\DllName = "O\"Ca$]79{l?<"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\NoUserPolicy = "1330231962"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\RequiresSuccessfulRegistry = "1566112274"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ = "3~E4d-6wr!Gc}n"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableBackButton = "765581615"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\NoUserPolicy = "1276316165"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\RequiresSuccessfulRegistry = "1727306815"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{9650FDBC-053A-4715-AD14-FC2DC65E8330}\EnableAsynchronousProcessing = "1864181285"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "ilIO,"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ExtensionDebugLevel = "1757937658"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\NoSlowLink = "1475851220"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ProcessGroupPolicyEx = "e#LG#M[+]}vc`t\"yg:\"[z{46k>D"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}\DllName = "@=~^Y61W,yJn_0C`D1{P^c''73I7f(Smh&g#]\"lu?gL(ODJ/?1Oq:F)!H7uM[x"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\NotifyLinkTransition = "1137113452"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\NoGPOListChanges = "1551175785"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\ProcessGroupPolicy = "lhi,pSShN:S$hX{ P%k"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\NoUserPolicy = "1829255723"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\NoBackgroundPolicy = "1798813679"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = 53004f0039006c003a003d006d005f0048005d0079005c007300600064004c00380027003b006e005c0074004d00270045002f00650032002b002c003a00230000000000	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DisplayName = "HD2'8p`&sU}4O@#meTF-4_POCl6&oW.EMFj8iU"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SiHostRestartTimeGap = "253392772"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\NoMachinePolicy = "836143364"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\DisplayName = "^1j%01\"eaT_{Bj6P2"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\EnableAsynchronousProcessing = "1205175246"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ = "7V`B*"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PowerdownAfterShutdown = "t"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\NoGPOListChanges = "585103649"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\EventSources = 700076007e004600300030004a006b002a002f004e006b0070004b0052002a005b00360033003b00450055007e003900770072003d003d00560053002500590000000000	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\DisplayName = "<_LR%(}_ <7>)Fy\|h?Hg[}$PY^3G8<5Iv{\|Mbk52"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}\DllName = "@h<j~cr0lx"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\EnableAsynchronousProcessing = "1531202209"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\DisplayName = "<*6mfmrPgM$1Ll:Q"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ExtensionDebugLevel = "851010543"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\DisplayName = "y)6OFH)U(30hwP7vM]X[IE[_$uCI7 -XU7i+47"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SiHostRestartCountLimit = "1906423068"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ = "x;=*#G:q\"c'tex"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\ProcessGroupPolicy = "URK0V#`Ls`&}tVz[dC"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\EnableSIHostIntegration = "2058517370"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\ = "w([Eg oiZ`zdc&xCTU}k@<wB0I`k"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\NoSlowLink = "652305814"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\NoGPOListChanges = "489025224"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ProcessGroupPolicy = "R'A?*-`\"A4k2VLI%)DWbqyk%iZ~"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C}\ProcessGroupPolicy = "p%l4x;b.7~wnVuT$e"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption = "p"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\NoMachinePolicy = "577973649"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SiHostReadyTimeOut = "838657858"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}\GenerateGroupPolicy = "ZPLy _W7D,QOpw\\KXDh"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa}\ProcessGroupPolicy = "z:_l^x`yMu)IIunf9F"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\NoUserPolicy = "104284075"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\PreCreateKnownFolders = "3D}K-\"t] =q-t;g5t.kk+A=6bc8X)v0CTHdq0+"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\NoGPOListChanges = "815666253"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\RequiresSuccessfulRegistry = "1235013816"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93}\RequiresSuccessfulRegistry = "1373198391"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\NoUserPolicy = "2086488233"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\ = "-XI.d+er"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{BA649533-0AAC-4E04-B9BC-4DBAE0325B12}\ = ",{^A9VnMx9bLG^S92H<C?HBuEx~=\\"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\NoSlowLink = "1634446784"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}\ProcessGroupPolicy = "l;)hVb;U0{(BrU8Enx"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4bcd6cde-777b-48b6-9804-43568e23545d}\ = "+hfLjKKt?\\L:_~o;`o~uJc=G?C!U?4"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval = "419380632"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\NotifyLinkTransition = "1442146317"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17}\RequiresSuccessfulRegistry = "541818127"	RegFuck.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer = "?t@v"	RegFuck.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WallPaper = "B9W$fj(hw*a:+m:&&O>h`4:\|]#5,qQ[lHbis4-\\>"	RegFuck.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	RegFuck.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	RegFuck.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	RegFuck.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestamp = "893118267"	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	RegFuck.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	RegFuck.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport\InitialTimestamp	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg = "+ZDUV`%MPV]n7mkq0`ly^=L2^ J3]F,W_Xa\|AU)[(J<[ NYG<]s#D"	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	RegFuck.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Address	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestamp = "175787562"	RegFuck.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UINumber	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	RegFuck.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\DefaultRequestFlags	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\PowerCycleCount	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Driver	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\DiskId	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\InitialTimestamp	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport\InitialTimestamp = "2086162091"	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	RegFuck.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Driver	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\Attributes	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	RegFuck.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Address = "2136761241"	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGUID	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UINumber	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs = 7c00670031007e0053002d00710060005600000054007d0066003d002600300045006a0000000000	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	RegFuck.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\PowerCycleCount	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	RegFuck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UINumber = "309429282"	RegFuck.exe
Delete value	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver	RegFuck.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = 6be70bee08b6f7e0b65bb9d0ca6c5b77	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "75387021"	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	RegFuck.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\PreferredProfile	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information	RegFuck.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMinorRelease	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = 0b6ba5bafcf4ac5b9fa086ab750c499d	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMajorRelease = "1422615335"	RegFuck.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000\	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion = "n_@#y+@t#ll25/>&dIpXJxSm5X9cpx^'ya6=nan>"	RegFuck.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	RegFuck.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000\ = "2011036387"	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	RegFuck.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	RegFuck.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	RegFuck.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	RegFuck.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	RegFuck.exe
Delete value	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	RegFuck.exe

Modifies Control Panel 64 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Colors\HotTrackingColor = "ug:\|b})I4"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WindowMetrics\CaptionWidth = "pHD("	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WindowMetrics\AppliedDPI = "1445214989"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\AutoEndTasks = "1780796911"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\iTimePrefix = "u"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\sGrouping = "v*Q"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\sMonDecimalSep = "8"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Accessibility\Keyboard Preference\On = "f"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Colors\Hilight = "~~pUh66Z!"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Colors\HotTrackingColor = "_73Q^ G"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WindowMetrics\MessageFont = ef0abafb8e2992ff2bc89bfc8838bf241233b5fc9c646748fa98a9bf04e159842ab0aac3422ea68a8fb967111ad64e704cddfe631767e13d8f528d255d9e4cad8e7d16d9c6cc1221120cc7c8b19af08aef1c77f92f69d39d8c481b60	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Infrared\File Transfer\AllowSend = "1085091076"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Input Method\Hot Keys\00000201\Target IME = 33dc1bd6	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\SnapSizing = "P"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Input Method\Hot Keys\00000104\Key Modifiers = 6ad63df8	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\User Profile\en-US\0409:00000409 = "1782816999"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Mouse\SmoothMouseYCurve = 11f7c0aa817f50573ef9868ecf92fc16ffd5a563b8175f793c8d5652ad6439f96f97bdda3f80a205	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Accessibility\TimeOut\Flags = "_"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\BlockSendInputResets = ">"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\sNegativeSign = "&"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Mouse\MouseSpeed = "z"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Mouse\SnapToDefaultButton = "H"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Accessibility\ShowSounds\On = "A"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Appearance\NewCurrent	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Colors\TitleText = ",ZUOP"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\CaretWidth = "621047803"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\iCurrDigits = ">"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Mouse\MouseHoverWidth = "3"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\PowerCfg\PowerPolicies\4\Policies = c057cb7a8dc9ce0e13464b2b4cec31147b4cd84981439ccbab7954ef1d0e314c3bb642c3ebe8638a8b81a93eea50fa5eb62e88b3d75775b6a6e8cbc0f60950105891928542be7aa87c01ec681971ceba	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\User Profile\ShowTextPrediction = "663425659"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\NumShape = "1"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Cursors\Help = "Kmq<y8vi!l!4wn2kFu^GnjoieaBPF^knw@O[("	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Colors\ButtonFace = "5&-8U3=W*,0"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Colors\ButtonText = ">sTxA"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Colors\Hilight = "]\"/T1V3~b"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WindowMetrics\MenuWidth = "q\|hJ"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\DpiScalingVer = "338279847"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WaitToKillAppTimeout = "1569989155"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Input Method\Hot Keys\00000070\Key Modifiers = 2c446bbf	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Input Method\Hot Keys\00000070\Target IME = 24a6203d	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Input Method\Hot Keys\00000201\Key Modifiers = 65f68367	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Input Method\Hot Keys\00000202\Target IME = 2b6770c5	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\DragFullWindows = "<"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\PaintDesktopVersion = "946495022"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\User Profile\Languages = 240053004c0023007a0000000000	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Accessibility\MouseKeys\MaximumSpeed = "e!"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Pattern = "2048558762"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Win8DpiScaling = "1062352482"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\iCurrency = "."	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Appearance\SchemeLangID = e16a	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Colors\ButtonAlternateFace = "1ti(y(d^d'+"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Infrared\IrTranP\DisableIrCOMM = "1044907022"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Accessibility\AudioDescription\On = "s"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Colors\ButtonText = "1U(jk"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Colors\HilightText = "8Mt4F=>4hcs"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\WheelScrollLines = "u"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Input Method\Hot Keys\00000200\Target IME = 0ad0a65f	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\PowerCfg\PowerPolicies\3\Description = "9H\"0xj}dwAdE!PTaS3$j=REIo\"yr5DJ6<Z\\T:n X9Wra<LAS;g*4FI`dn$.0KQTnmvX0I1RBgjGF>j)7!ih:wBLk3F.Ep2UUR ?r>?D0[?^>6V!wop-# ]7`(S=cD_BRD11\"E3\\2\"GU}9D5u"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\PowerCfg\PowerPolicies\5\Description = "7g0P3?Q?iB(3UlWZ 5u=Nd'V*#B;&Q}uA{c#9YJ4rWrCV:^0Xl&+{"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\DragHeight = "y"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\FocusBorderWidth = "13941732"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\ForegroundLockTimeout = "642757641"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Keyboard\KeyboardSpeed = "UI"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Appearance\Schemes\@themeui.dll,-854 = 23e5cf8955d2269fb227755038d941df6ebc65490ee9980792522e6be956a18237e6bbe41cf35ccc6ca2ded2ea381b573de56758877e4181b3eeb147ffe64525d7774e836d4dc6f75d31ff087dc650d0ec263d67e76e5f2cb57fcd2e31193fe5bcdfacf71ac90c30c605fbbc22d6d06ed2679a80b9a9aa4fb694c3f6085318a215757c681ae563cd7a9f775b859262ad6a3371d0ae8a614c996701964e0a02ad92843fc9b90b3e296b99371705b1b31ed6f182564ed5dd0ebf599b44b4c31b075f1de5fba7fb49a3d8c8b1decae1c0b0a3238591905e672a608079fdb364b2271ce871dca896bb0b531e7d9228977b784bb1d0ae8339498b9e135e2c5cfac07d23f35e4213dc9479513c16b5881c0c470ab9ca4510ddebb9ab42c467cd7d7640ceebfc9eae19a998aaffd6be54f9069586794ba9f21d3bf2d75198239b84b8c69bc8f305cb885d7a2a83f8e0c0f65b40aff8506c26353df5bab5c06bbf05106dc4b131ea2cb35e83315c14ed4ddb26bf19ce103f5ef238a9849b92ecec5704d7f35780ed46b32f8b48c404a54776f9d5de19a2f01944a87362f8dd87d6e2a8e7ac7fc7b07906f015b7c105dfdde69cbcd3630e445420b1ce839d094217ebe72ca27631aa26a01a748b84ff45b999beab02dbc70f7e165157e4e223de723bcb4f82d384d896f4688f9ad0f38964879e534059993272abc4bb05a6245c6a72f312112f10b3af00bd84fb2c286469f20c761eac3ff83b39db5b04d27a9f06383f0ef1a31fb785753188e50b92514352e1937dcbf67fc5f0ed7443ea98b8e396d900c61fdcd8d3ca0fce912f3eff35c3eafff05ae2829018b2e01887131dde0e1d7a32b2d65e71e78e4cfaf6df6d763121440b3363dbf673a090d306d38ddb048d3f89ad65bb369ea6c6aaee7af31d8e60cde7bcb7df33d5477183f0ae742dc55434ced16b590cfe63dfaa954fab0f53e79c3c69044799940eeca79f0ca79813f21560cc524493d497cb	RegFuck.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "1326569026"	RegFuck.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CC7DA087-B7F4-4829-B038-DA01DFB5D879}\Compatibility Flags = "1180038151"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\TEXTSIZE\HKeyRoot = "1486447660"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACR\Text = "C\|{OQB9]Wkk5o;CGqsV#jlY~_QRIH\|s"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{19916E01-B44E-4E31-94A4-4696DF46157B}\Compatibility Flags = "340111919"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{50B4791F-4731-11D0-8912-00C04FC2A0CA}\Compatibility Flags = "1216276109"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{b0516ff0-7f1c-11ce-be57-00aa0051fe20}\Compatibility Flags = "1956121643"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "g>Te6"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\prevhost.exe = "1357928660"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\Home_Page\Home_Page	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3B7C8860-D78F-101B-B9B5-04021C009402}\Compatibility Flags = "790607718"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\SQM\InstallDate = "831987292"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ALTTEXT\HKeyRoot = "247837129"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A}\FWLink = "#wWoJBaEppkv]M@-fpgu3Fx^n3i(##6w~0H\\(#Y(W4K.Q"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\explorer.exe = "1020332941"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1646329774"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B1AB5FB0-F285-11EE-A2FF-6E58476EE47C} = "323158547"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8_URL\RegPoliciesPath = "pOnvyk\\spCb(=!>~F6p;$T {Rdhon\"vN8xwR.={<;GV`([0Kq'd1:^:Bt:T'`[lMSN`x"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "445361853"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B401C5EB-8457-427F-84EA-A4D2363364B0}\Compatibility Flags = "1654304652"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-virtualtouchpad\WarnOnOpen = "775172720"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\svcVersion = "E-d<GFqIU?6g"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_INTRANET\ValueName = "`=:P6B(@*{Ok"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\Version = "CcXb\|D:o4_u)a)V;s,+*D40UH"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\International\Scripts\6\IEPropFontName = "9R{tG@L>\|rt!%`5"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\CompatibilityFlags = "@eM?T4dJ6"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{387EDF53-1CF2-4523-BC2F-13462651BE8C}\DllName = "+#*nL6W\|pVfA"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B21-F830-49DE-A31B-5BB9D7F6B407}\MasterCLSID = "%;!]]n)Yp1%l# D=1{<Iu^8$ 0i .-\\^i*_M^ "	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BA60F742-6F72-11d2-875F-00A0C93C09B3}\Compatibility Flags = "1710701220"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS\Type = "5\|p?2"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{01E198E3-24FF-4602-9944-65E7B323296D}\CompatibilityFlags = "%n*"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E30750-6C3D-11D3-B653-00C04F79498E}\Compatibility Flags = "608598187"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\PREFETCH_PRERENDER\RegPath = "WTT7y%E}GG~L~>CW9k`qmz6itiBj.GV\":S?7)mErx~\" sgcuUkLZ"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SECURE\Type = "SfpN)JG;"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ABBA001B-3075-11D6-88A4-00B0D0200F88}\Compatibility Flags = "836177765"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPEND\HelpID = "jO.vQF G^Ywuj-hR!~"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}\DllName = "\|B\"l)\"Zn:6E`,knt\";"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\VSTOInstaller.exe = "469142351"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2D90D33C-DE76-42D0-9040-E4466DDC24AC}\FWLink = "h?ioWD{h0A!&pnqpxhtvP4Cd;Cbh@>W;Gki3`tPsp>.=i"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A7866636-ED52-4722-82A9-6BAABEFDBF96}\Compatibility Flags = "1862288027"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AE1C01E3-0283-11d3-9B3F-00C04F8EF466}\Compatibility Flags = "419790061"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE\CheckedValue = ":B`"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{100EB1FD-D03E-47FD-81F3-EE91287F9465}\FWLink = "seUydtsp\\6Vh,eY>~&W\|!cR\\Kh4f7u[f=KV_nz4U]%2u4"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}\Compatibility Flags = "93818943"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EC85D8F1-1C4E-46E4-A748-7AA04E7C0496}\Compatibility Flags = "266067492"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY\UncheckedValue = "1690933138"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\VSTOInstaller.exe = "1167884740"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_ALWAYS\RegPoliciesPath = "~!K'y\|`0#V< B=td\|}V[sR]_tU-_NWxJqe!6MqUCd`KjbnCQA-433z9?[?n"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BF09613A-4564-4936-B6BB-B23B1D3D4FD7}\BlockType = "L%1`"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\International\Scripts\10\IEFixedFontName = "%RDqJm"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\International\Scripts\33\IEPropFontName = "Bt7PXBY#^v-_r'/t;"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "f)Jyh\|J"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI\HelpID = "MCa_01i5N4_U@8HY*]"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{31087270-d348-432c-899e-2d2f38ff29a0}\Compatibility Flags = "76171867"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\HelpPane.exe = "1426352229"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe = "846746215"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{65104D73-BA60-4160-A95A-4B4782E7AA62}\Compatibility Flags = "1222715378"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\LMZ_LOCKDOWN\UncheckedValue = "1227563952"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSLREV\CheckedValue = "695651716"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\FavoritesDelete\FavoritesDelete = "2014121317"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "tG}B"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DD7B057D-9020-4630-BAF8-7A0CDA04588D}\Compatibility Flags = "297908522"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SUBMIT\PlugUIText = "Xt^\\0$\"}-. 5h~Z@L(hYCe\|E7k\|M%Q~Ec?a>fJ"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{179E4A98-A3C4-407D-8C66-E63B67BB6F4A}\MasterCLSID = "q2a0LJX@U?D.1]7D-'/X4mBvvy>Ww_+=/.`jxL"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\FileAssociations\.website = "{q:4!i~ti~<Q$A!1XyAf"	RegFuck.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "y2Hf5K4/&0E$.\|tYzvnc1UGH@TN`\"z'lOxs`Ds^m7?&!#\|t"	RegFuck.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call\.Current\ = "PfQxS.&\\D?,Z5F,nBuNybxCV\|!9/$"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "1016621991"	RegFuck.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 450079003f003f002b0000000000	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI\Rank = "1324678185"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\System32\StorSvc.dll,-100 = "c2e?7B2u{T$Vu]~"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\MailBeep\ = "M0UC}NV,#f$1W3OlP$;[c>K?t"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Video = ":TUS=*EB9.>rI SLr3d~"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\UseClearType = "[."	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\DoubleClickBelowLock\Override = "1677737005"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = ".BOhXx{&Pue[xF.cP=>gDS z7D7iO9vF>x.pE(n>Z"	RegFuck.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\FontSmoothingOrientation = "1793399584"	RegFuck.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_https = "1927928926"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Colors\ButtonAlternateFace = "6#JYvil#ij<"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\ScrollDirection = "1923311753"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Wisp\Pen\SysEventParameters\FlickCommands\left = "Z!Lo<6`~Vm'Sf~5\\'xU)^/v@z_^)>.t[5\"Iyy>"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "K}'7g:@H_}HdI`^(H<g2Xo; JCi)\|a!_nu.(3K'U`QUl*T%3 .3&DyM'oEjo\"kW1"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Notification.IM\DispFileName = "?8x^C43L_\|A@:7_&"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%systemroot%\system32\drivers\AppvVemgr.sys,-101 = "Eg J,lP+~"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\Infrared\Global\ShowTrayIcon = "229314981"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Settings\Anchor Color Visited = "i+lqBlD^D"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.SoftLanding\Setting = "&hIC/,X60<`Ua67AucT%zC/{nkwH=Kt,mIkG \"B0;,*<(41LK[D'!_;{7u:-Y}OAM\\NN;k!<Hs\|8\|^uZwOac)5Q+S~F.498PGwo&>Oc[D~_?DWJ'\|pDI-.7msY{zf)v8L"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Print.Notification\appType = "2op\"ul4EP="	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\WindowsLogoff\DispFileName = "nI)zq98j`[r;q2Tk"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\ShiftRight = "d)YrE\"c vq"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\snmptrap.exe,-3 = "?{(Z\|)]G$"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\system32\SystemEventsBrokerServer.dll,-1001 = "m2m2_{Rj?_N-Q&T9VUkD"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.LowDisk\appType = "<pGU#*Q+mX"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Notification.Looping.Call9\ = "P^kU#]dSv\|d&7r.(Qe@(-\"v(Kbk1"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\Notification.Looping.Call10\.Current\ = "T~F3Web!@Vp4h<lP<pyQqd-[ogQ&K"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Control Panel\Input Method\Hot Keys\00000070\Virtual Key = 9c653fb5	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\MoveMenuItem\DispFileName = "# y<kZ\"rxoYQALBj'z]"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Colors\ActiveBorder = "8OVC]}#\\6cn"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe\PopupColors = "800177353"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\SystemQuestion\DispFileName = "?uCR<`_bA,kx0]VC"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Cursors\SizeNS = ">gA zTk?J1zeWZFVeV_o]0A}qr8n%X`c"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Colors\AppWorkSpace = "Ttg4'@:Hu}/"	RegFuck.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\umpnpmgr.dll,-100 = "CGsdm'`V?qdlc4?YKB[ryU"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\System32\hidserv.dll,-101 = "1i;8;O&iG=pDs8CfVQmNPK [(48y\\K"	RegFuck.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\DeferredConfigs = "!;(d\|~4{~#yuRQ*i\\HJ5-C0<{$)'PZ''cs4 qw\|@X\|~<oEO(6n2 JS2bIYlx;K]"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.HelloFace\appType = "B+KeE33\\;R"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Notification.Default\ = "KP@j4S\|N>:TE"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Assistance\Client\1.0\Settings\FirstTimeHelppaneStartup = "1035099848"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\dmwappushsvc.dll,-200 = "8 q+iF*mO)y3"	RegFuck.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Completed = "1777641742"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.WindowsTip\appType = "R4]11aBhOs"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Notification.Reminder\DispFileName = "tX\\RUjb+N3A,#:vD"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\ClickNote\UserCustomization\DoubleClickBelowLock\PenWorkspaceVerb = "73267115"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\MessageDuration = "713165680"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Colors\ButtonAlternateFace = "xXwo\\?23\\w`"	RegFuck.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Control Panel\PowerCfg\PowerPolicies\5\Policies = 8bd70734e9d3d7967a9334505e0ef228089dfdaad9496abb613e52b93178130359433b5b372ca03cdddb06f33b8cd3163879cd1bde14b101f38f1d9e99a64c5a52bf02819ad8c778fad9adc30642333b	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Console\ColorTable03 = "107101189"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\HighContrast\High Contrast Scheme	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Pictures = "U)-'hqr'}>U~N9TXEJJ`a;"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\pcasvc.dll,-1 = "z5K*}RH]B7h7rPaS^q}!Iu#w`7f]}q\|O){vetm/"	RegFuck.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1200 = "665738869"	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\Notification.Looping.Alarm8\ExcludeFromCPL = "508193325"	RegFuck.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000010\Virtual Key = ff856da1	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\drivers\nsiproxy.sys,-2 = "^Q0'H*=efz3nR?!-/KvMqpn."	RegFuck.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\PrecisionTouchPad\TapsEnabled = "1771487406"	RegFuck.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\iNegCurr = "M"	RegFuck.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Colors\MenuHilight = ">J.?Q0.#xX"	RegFuck.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0294-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = ",!*:EJ;=v"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0345-ABCDEFFEDCBA}\ = "qH>?b]*KfZEU7;Ib`,4D@S"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002097A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "YK*ela!jU/a+x(Q2:I<mP0b7Mv,b/wfa1<<_;M"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000244C1-0000-0000-C000-000000000046}\TypeLib\ = "%: $8Tl6qJ&?BD?!scCo1&GPtza1f~/%2/eDBi"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A4069F24-4221-11CE-8EA0-00AA004BA6AE}\11.0.0.0\Class = "F8N6c\"4T5!~ODADVLR@Y-j?\"PlcOpV\"@3v\"%?f?QW>"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tdl\PersistentHandler\ = "ghTM?g;$`x)`vL![Q*SuKG!N8hACI?$Hn@$4\|)"	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71985F4B-1CA1-11D3-9CC8-00C04F7971E0}\Instance\Microsoft DVBS Network Provider\FilterData = 488149f499c6eb05bbfaede59c848644e5170cba0a24a6a07da08a21fee3d48f7f373f178fc2672b7356046a89e1fb14ec7ecf867bae555685c1c9ef67b743e1fc8568c43678587803d6c41f406da814e27c2baf8ae02320	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBB}\ = "pj+Da,HA[lVLTKBv(=Mff"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0211-ABCDEFFEDCBA}\InprocServer32\ = "EH6T_$]@SZ;GscpbN5Qc/GJ3GxYJBc?6%GC\"wkjV:C20;"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\launchreader\ = "\\B^xj0V9Spa`An+E;SXn"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\ = "{7><?G1=Vm G YVR7z"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBB}\ = "7i~Z'3RLTPlc^ml=o5R!_"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.rmvb\ = ",v4:VZ4r}DQUtcE'zaO"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.evtx\ = "f!kXEd2'"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0090-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "GxMwL%1+b"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0252-ABCDEFFEDCBC}\InprocServer32\ = "{]Pu?S'LLjT5E,_w_Y*SFIG)@,xE272O6074,-e{<-{mR"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0306-ABCDEFFEDCBB}\ = "\|dN.sC#LZX7,;5OwKoViR8"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14\Provider	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00020857-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "Z.)JtwIac\|ohi,I.)ugd~02;0\\JD#8ZMY))ZDc"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3059009E-98B5-11CF-BB82-00AA00BDCE0B}\ = "`Z#*\\22D\|~fsi}Ck f"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.DirectMusicChordMapTrack\ = "JU@Y-jp~`OC6Bq._1m+\\#Q @"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "X7e_0Dj;;"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{82FEBF4C-9FC8-3285-8D5A-F00DD1E1BA40}\2.0.0.0\RuntimeVersion = "t'$-43(kTr"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0913-0000-0000-C000-000000000046}\TypeLib\Version = "Dl+"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4DB67B4F-CC7D-45B5-88FE-569AE5798FF2}\15.0.0.0\RuntimeVersion = "?*7HG='0d,"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0256-ABCDEFFEDCBB}\InprocServer32\ = "YtNXS}zAExo^>rn0R1A@2PIj8D,H8CS[qR/xkYCOQU]"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Kind.Picture\ContentViewModeLayoutPatternForSearch = "L}9=N"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "~GaXLH)%p"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0054-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "e0Khz-~Tx"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D83CFB6-EA1C-4DE1-A9B5-D1AD54F5FC98}\ProxyStubClsid32\ = "eg1ZL4uP$[5$%W}NW9A#0vSgGK]\"Ou][?5d%p#"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{34DEA897-7365-4f60-BA26-53DA4B89226D}\InProcServer32\ = "b`q}jIU,l4'i{jmEKLJ/cAZ=7e%3}"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.faq\PersistentHandler\ = "&xqo0~hB->>8K0Ru}Y(\"Zit!E27[m.P`usP<"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0174-ABCDEFFEDCBC}\InprocServer32\ = "gaRafwDd$z+er\"Q(y9N36S}<wYCm.m@\"?#Jx?kd XGPFm"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64CA6687-B7D9-42F4-8448-FAE4EF2DB76E}\ = "S\\CAGl<(fAT9^C:*sBJsCgf9Z`iW"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0157-ABCDEFFEDCBA}\ = " q0\\^e?E:UosBbPippIXDb"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\EnableFullPage\.vsd\	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493482-5A91-11CF-8700-00AA0060263B}\ = "e}>,fSd+^oCHFv<j"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CA59C2ED-82CC-31EB-9817-0158DCD475E4}\15.0.0.0\RuntimeVersion = "w;/it0KP~/"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\Version\ = "-u"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBC}\InprocServer32\ = "QS;7Cu^G&p}+^OQ.]G>DJxWTxT4o0O7*8/t0+Hsv^c=KK"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BEE9B76E-CFE3-11D1-B747-00C04FC2B085}\ProxyStubClsid32\ = ")hen_uO$wTC+;_aDh=Or}FyA]IU 7`L3^W^F(^"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{548BBB02-5F3C-35FB-A75F-1FBD3D0D3584}\4.0.0.0\RuntimeVersion = "V@o#R(9$NN"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E3D0438D-D284-31C5-A2BF-A4AF6A1BD014}\15.0.0.0\Assembly = "WrsnW?GBg5^> =S)ON7=uY94H<2!J4 @0p}vI++\"~,t;aUp)Tiqz[MadT_-OU jo\"3YIGDb~v+}MdqP;i$$LN3{<0H*l!1g{h"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.tod\shell\PlayWithVLC\Icon = "mV<\"!^tsA#:F\"H&-'e`tbku,K!\\Hs-:lzh}2-,'*]"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33154C99-BF49-443D-A73C-303A23ABBE97}\InprocServer32\ = "Xr5=IEv8pDm>G@&W\"_$\\F2q[ipw@<YF^,&-b`4>.Y)gL5Sfvt{P#:j$hbE@)S+sg.D8>+m?enO7[6=/MWbamK+f`Ue~k[f}09mvL^PT"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.gz\shell\open\command\ = "!\\xz?&MDlB7lqTMWnQkY<n[14Mm^B\|]^GI;>"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0294-ABCDEFFEDCBA}\ = "Ni{jgphl*25e2p(kack>-7"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D6ABE021-1DE0-49F4-895D-E9694D28F0A4}\ = "W?5:bV(od(qReGf2V#: <re"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C85BF5E-DC7C-4F61-839B-4107E1C9B68E}\TypeLib\Version = ">(3"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Servers\Common\shell\Windows.RemoveDevice\Position = "yS;mX("	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0084-ABCDEFFEDCBA}\InprocServer32\ = "c5`\|egAe\"z /&mK`yq8e(#K+5.9KUAiSEpkHj5a/NJ,h*"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0312-0000-0000-C000-000000000046}\TypeLib\ = "pE%6809(%8]Z\|Mrm@}\\X}{Y}&N$'`1&OxMuF@)"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1D23EE2C-1E99-304F-A7BF-D67EBE1C456B}\15.0.0.0\Assembly = "nT$V`hn.IkG#lI6 iDF-K\\RiXq9Qz0dH(O2]4ha\|aygm}Bpq 0ss\"j~m&u)=p?NVA\|YUMS5!&<^=8!*8qbUV0s>rL6\| $r(+xK"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}\InprocServer32\ = "uD0uL.Z7\|5]Z6@cwV$Lu\\DK7mtC_J9Mnt+?`~OhFn[.U:__uNizp,93}):o;]DLCzo14"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0010-ABCDEFFEDCBA}\ = "%3JWLyr\"74&+38<S\\'sbO"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CFA8B871-B933-48D9-B677-E986BCCF2B7C}\ = "sX2GTw@=\".lCp'vu=W"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Msi.Package\shell\Uninstall\command\ = "_mO%Pd4d1 N>S,#MBRS9J'&6S\|<gNZha8&S}c<: N9s`_^"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogv\DefaultIcon\ = "TDiw8AGXY)B2T_:0\|? i5M$A8g\|fWA7H/yo-$_^8*"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4932ADFA-A7B7-11D0-B436-00A0244A1DD2}\ = "ETI`uXr8w5x"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CA03998-3952-4EE0-86FA-FDD7E732AFFE}\ = "n7ZxZ2a~7$fxpX4-,5L_6"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BA72E559-4FF5-48F4-8215-5505F990966F}\ProxyStubClsid32\ = "/{\\3RnH!XYI8rCezWg}LcGjf+nSGQy<[^)>$SX"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "wkHPp&?88"	RegFuck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002093B-0000-0000-C000-000000000046}\TypeLib\Version = "7(@"	RegFuck.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\PinRulesLastSyncTime = 9ae1184d0d46f05c	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob = 51a6771e288b3708dc7662c2bc9d03095c0770721c0dcddb2f5eddd9a8ff39a9b81f5335f914e000e2b27d25c4862608f792ab428138b883d8d789cf63d3538f2bcae545c4ca9fd61fbee056f0e16e02187d4d4bc76d9142b98fdf60dd2fd9305bbefe600a5168086e61030496a6344407cf3ae8c6f225ec27c6c82de211ac885ca15bbd1282127c3af550d40ec888bb4be217567acc66449f9c4da3de1d954b3ee4e4c69d829ab8347e75355a92a333a69018376d1a085bc9ad208bc9b978d7f8b875f774e6e8b790cbc6bb409d761d4a298d62147511526d676562eb8eb38ecc08e9865781d39c0286d8d78e76fdc41a6a2fcc1e66beda6c1e7d5bd268df068e031ad919b1f84b9f172393e595f2375c84414badb20c74b3cfebf1ddad9fb537184008c4c9454f887c8d305f709b98c0d6cecd150ac55057952b2e65488cbb46ecb030b9bd5e089d4198d8c810852abcc557a67d5e247042b32efdeb86c9359b585dc2736f22ba9641c77876157bb4a4cac1e56afe5fa452126b769f73f21f0f1aa8ede8edb98e5bf7eb65a96d1349f85b23cfea13f029dc028089385841fcbdb6b214ccbaa5d6bd7a8471ff884a6305a710df2789c1b17e041cdd8a30446ef0e458d2fcaf69bc52500837d469c8cadb3cbcdfa26975607c5bf4b52f1e78fba05e07a37132946a7d5bd5ed152b9f234510443f2d82675e99fd9ff6df8836f4908275ede2c954daeb1e6708a7c839e3d3b06b330073397443d1cda5824ff9815d3afcbc4fb15908d2e3b175d05a17dec0ffae36a4649069385ce2ae110ea36d6764ab0f5f34cb0083f1a75765a187a2df1f1c2c81037462a98ba0a21fe0b4b5fb84cf33570377a36f5b9b7176f9442e6b49c5528bc8e374a969af9db13aed1adf1cc8542b3cba15be26eac72c9f76d512b1ff44700ab0bd76de3d1ac580b248c45a2e5ca80eeecd14c3d6e9a99046a46151d5a383588df8d0e3579f2b4c2fb02bde5f272a137cead29069fef56f7a883743fbb45bb89e73f9906af1ba65c2d383b838d4c7670711edf8af1e0a1a38dbc2c8f778a8ec86621d103e3b6c74fafc1611e94d4655e8c376afa5e792a67fe95f610c1ed1bd80c5abe8586b59a657792af444e0f447196c55dd304770ea82c79dfff281a7f39b25b879e6fc6c9d93cbc8f1bdb85d500ee1fd30d526945f1a9ad001ebdf411a30199624c6cf12f33f8216c47da76e4535ecbde43ae97d4fa9d8581fa26f62d6fe43e82859c3b7432fb63fa1d08a02ae7e8e452ed1aa58d715e70e6f34513bcbc442aaaf61a396c1854ee467cb74dba73f221bc0ca70be27680575a7e5b226272bf597565fbd6b5da9b49d987725a754bd0f44e289bc857bc82fdf21fd0090847e421d4c1872cf76be2cb757902bae205622649bd513b9cf829e34bf2f29084be16cd46ad1b014d8a1c8e7f385d0988ae9fcf131c5524d41d80b38ab5604a6650e987d41f4b8a90a8bdbe39cd51840653b8da437b6ee143a0a7cdbfe3fbe511a560acba4e3eab907dcd2ac337233ee1e94255b3118a7d9ad7489921e76c664ef4d9ffb13e86b339e79b348bf05f53a0eaf212a223b4d2a48f32ac8c8d98fa6a0515da27df2639ad361d562d4cd6688310de1b210a05debcbcef074f9fbcff7d9a98cab42337b6174efbae07cf85fdc9def43a1a15730083089f63a41f6b017d9a3aaa3fd79969e811e2c3272f982733e6190b6703364543d813d61d65d2c78592444b9e2db785baf2b1c07694fdcde14d0b157f435f0b487f610412c63276b358937ea05e126817e2418259203249ecef33896d7c8c1d73091e8b980112803c614e96eea4346b0fbceb6ffa9c9ff34cce34b644ebb0ddf67691c07fb196c6e947c96e74f183c70eeb9c8cf02cbfb8cb48bf370f6238391252e94f087391eeb48de5446532a9dac838f1a6d122e695e97ff96c7995623369ffda3eca9268be1ddac89f7e8828d438106f11f2fc331df017bfe75b4864ed7331b997247517cf944369969ba086a79c2ea105f7e7464e3d93a7ffb55a11b826b2dedac291c1367c34565fb321de2c10cad58ee1c9b2098e72f0e41dc1b69de97fea2db3e841965a5d93d1c8bb07ae89c8ef26390af5c9d4109127fd4ba2ab30a4f4650b4e523ce5a70341e5f5998e14e1007c0889d82a10350b9cb34daddbaebecf12de819f9b1271b67ade3d4882cfc5957e15898f87a69551595d190f16e388080c4a4b9c7442282ec420c339d4deb1bcddaf9b2eec36a32beb97f4a795d90213dc99fd023660a3d5b5938b8d843fea8653a30d7d340c4a7debc489c55268192611e8072fe7477dc81fedf0452070c779513a63d47bb660e4af6f4a816cad91be87b2f6b47fd3225a7be68ea0f93c02478ff10e3a8b451406e23aa36a9af9f35dcd31db6114fc7f55ea54f33e5279f78ca178add4dd3d4a53f30b285eb312cb82e9ddf27bc6f6c80ed9b239d5a47f8ee12d530d3d6490931fe9d3f9a628e7b3c9c705ae5a0cb	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 36fc19e46ebbdf0dda536d1f72ec35ef5f657440013110493a6dba47130885f91060251c2033e53a49caaf536eb6d2b3090f07c3ac0b7439763c14a259bb8c2d6661f0023fc1b9420d4c7d0d3d09636a40397a22fa42ca9266d10ce804c7cdc669007a1780daefb230f81346bd5e6cd24bd7612b12697d4531fdab482756806dda1ff37a3827166bbe64f7ab9e3427068a865d45703164d3abb61d93d76921896b915fe3e10f375a1b9eff744a22d3b9c2ce9be23379dd3905e9928322ed4eaecee8a4d710dd31bfdaf655ae2bacaeec86c600c1201e9a8e3470ef4b215dded177431961fbbb6bb08072275d8dec539b99b77629299516d7ed15bd5133ccc5d5e152c8fc40f9c59daa74153354d568bc70910dd9ed34b457f0ec8bb99771d1e33370591f707bf13643f6a69f0cb4a075e79900ef7f0af1c92fea1e0630f29df7b964cce39e4a37120c77c1ba80b465015ca30965aaa5ceba59760103e8e99c8555f59e951c698bffed3af404426775417971bf4fbfff7afc9737133d3fae5c375749810c7652e7fe1edb0a47354a1a3a9110f773116021887e6347d0c5e12b096a998b0afe460ae47ac4695553a703f60a057918a1eb99e25e05043f606fe836c3ecd3a98ecc64194155ef43770b5604f4c9ec1a14f5ceb5cd25001bbbdc6d5fd24bfe8ea0307ca035c48a4ac6deb178f05ab599658ec0d4ddb2535336bd9f01f6aebbc1dafc4742a3917fa9c31675af719acde9a41f01b505e28eee89a13c8cc5a61e7c4fa760f2a86831b63202ce4d2318945ff6160d17c7b6eb95fff4b365b9abb2f3390b33af0b4bd564c34a999b49cd740b246a7e473af01deff3435d807d38619e3891401b5670727062c1ccc21b55da6e42361ecef6bed7630d80392e691d3cd50b75f67cf06b370431f3e406c7889826bed7535921b1d009b17b260c2ab6f513387b0700ac1a1a35eab7a7b6c17c2f99c1a27982ca8b7d2538175b26d9a8e11bcb4e89587b0464a773ac3fb3bd68f77214f6ad768b7b40e5aefb6f1658798c53f162fe1806c0273c7375183f1f1975b778054de6ca5d0f0195bcbe4f160e1c0fb0fab6c09c49b036cb458999c4d4a85c6756a9e5ab6cf532e665f837cf507d13a039e2d3985e4143f049509566d79dc5ec2173fabf05a6c07ea3479626acb8403b9cb5a2fc57b8bb936aadd3ef13729e45bb1142968aa5291bfb809a6fcbf55e5283e3a69cccb3491680705323f3397f740248a54e3d1049635f851f2fd6655476657bdae62f875875006c0adbf2585e18155a76cd84b106c2af406431de338e5eeab2088ac38fe36e6bd0cc08a2b109e96a31b569d800d1ec9741955511e233ba0ad68dd47b2253e19dd8df8939d95a96c2661991d42d40421ce142c2e81aaad4708c3298018c12c6589a097b9c787e693d1f784798a0cdb7099a8287e95808865b8fdabb188f549ae540033315f3f592562165142a311b2689b00e5fa15ff7146dd5dc41756dee767dca003bdd56e1287b15850d6f08814d87b99b66093a4cc1f8f79a36fad40ae798e1242863ccd49a4af4f5556ef4fb4e855ef87480c0d39949a959fb10cf45ae6d92b89dfc576813b26ec8614fd6b5799d708c2aa19eb705e7260127af3bdd11bc0b06c3e61c15beea16740ea712d3b7d1674692bb4ed5a35cdf88eb38f03ed02215d6b6ab7af6d61413827852377c58b3062c9b88f56081883a4002a1851600283ee039050b21946e5e0827c51845f761e0bb71509730e98b786f5fec6703030dbf909b73a0234610813b4a2e61eb69ee2e23a192bc6f4980d4ab160665e52f8827bdbf46840ae22974b7782fd7f05f2df42142c4d6673b8bf3323003ad8fcadeafd8c31fa2769aac2a90b8a5eebe884f8f8961bc6426c58a28df32e18f01fdd34d7a6b3db2773ef37244dbe1ed779a3903447e4cb4a88a0b2c546d0b81df2ef51fddcd77bae24a033414a04433e1dd535aba22ae933c5a0feaf7e71b80ccafd7	RegFuck.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92B46C76E13054E104F230517E6E504D43AB10B5\Blob = 056ddba628d1d0443febc83b4f2a27e76bd6a8074071588ef9e88d385e623dc439880663c36c31d822b2e6e0e288b6092715b4695bbee0316408477283d3d56f9ab5d75f510ca73d4107d4fda67104c6534fa598f0324f2b2c50ef11297272454fd0a7e17e76537b161d8574c690a70e79e27ee56a3e91c06f7ef8f53409f281799dead8fe4ecbb97a4b84e2c27252b6a7ef5d72428f3d7accf1dbf7b9d96268bdb51c6ec149f0ae212d8868cb3b4a385bc6e10bcffdab08022db1fca23d880c796598483e45fa06eda9f7b10d90357f8eb0d2c265d90ecafd3918a534d9ea79a65f8dc11d3646f835e0acf4ba90489b04e6aed5e78a3a12656289ac44e1b08387743e5057a34ce3450ec871d3904e0be96db8d089664a835ef03f2bc9f191b7195691d4b0e477cb920eae5b6b355bb1a44b17b47f7f30329195d608ad49af9d19c7c04e967a5da391c912cfa69485c95b5af8fd3daf42dfdf3baff57021f63ecb5b8cb37a92bba52fb5aa57818048119276f739e9bd3bf23a8203051c6431deb1af175d94ffd452b9dec980f9b295fb353b03cb709457647a27bd648dc2249f8d602ecad10a54e4d8af30912a9f733faded0e82cac25a739002840b201a870f3ace187c7e35a477ffffeeb84c8604cd9507196ebba5698117bc3cf114afb7b38df64628a88076a545670a52f078c79a969b888bb0c652a81a0a95ac53d271c0120df445297b976f403f1328416fedbc737c3f8f9bda0b98c51c8f779a4672997d6348636449bd04d28e1152c4f5d9c5ebde7247cb1891bef9b664e94896ea4742a3edf998f3270641475044f528a6fab34545e0e0fae716c405da0d5be86bedae628495471e37298be3f9cdac95f8f9340d6ff9257b29d869c06f9f7dc07f69e9f97bb3b0c6bc415c49d41ec21fe82e3b0ee55610103bb8b6f19ade71126dfa0519c6e76c2227f6dfc1b9a8ea27f06fe33430e10c4f1389d104794bdb088069fc12af4895e722f2d44d6e5bc0dbbc8d2f32d5dd51611e7120947b8bf25b625d26f1472dbc0418bf2ffbe4c8c9d3122f8d9f381ad8290e6b75df2f38da0259538bf5f55d5fdd7d0d432bf0f70b9fa299da3412676789c901c75561fde6c7a5e86edbd4ae0de5bc1c1f9b2ceb3f49cf8b6cb9a6fd93d61f88f2b45eb2a60193dd6e2f16e3d0cddfb46710de0ef992bd57caf732005a07bad8517c9a9c691852a25ab88cab3236ad2a274e9c4cbf3d5ebcb2537595792d160d20eef51a99c4cf9245d60d55d920c8682fc7fc22363b9074f9533bfbf808e89ad11ffc4cfc261a41951660713818d1c0556927b999fb8ab0d955f385a662699a6cc7b06bb04975f34c06e137d0d2770e4ca1172e0acd6eebadb365e3c2f4f6448f2bc0420b51752f1cd905c853ccf71b55c6e183c524edb4f98b0bf153eb9769d9f21be20ba9ba20c3f5fb19e4ffc1b2e997a9c54f5c2bf6fd855e8912badcadddc8c00c267657541fc5b41215af5b3f6e9d773b27832cce1ee6591b2504af519a71002dc9658319a218d9d56fcdd6ef86ea3873e80fba5368acbd8e705c946d3655a333c85d5793748d3f958e74a52933fde9f465acafdc8fc5aa9e7dd8befa3103a44640d8cecadb857306932913751130522ae51e57ec1010981ba691c175e22202e57a93acab56fdf7ae025b24e1c86f4848bc9deebb540b3b3fe2af6c00006d45e096b5bfa00efdbd71a6e38bdbebb577ad874c4dc6f22b94f4741e0290d81f43a5bb34b27723c2e494f794d7	RegFuck.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2712	chrome.exe
2712	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 4440	2172	chrome.exe	77
PID 2172 wrote to memory of 4440	2172	chrome.exe	77
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4924	2172	chrome.exe	79
PID 2172 wrote to memory of 4908	2172	chrome.exe	80
PID 2172 wrote to memory of 4908	2172	chrome.exe	80
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81
PID 2172 wrote to memory of 4744	2172	chrome.exe	81

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = "1312206485"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_BITMAP = "1898400380"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "319867091"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "641041027"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = "1619791703"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "1947792037"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_DIB = "2026145925"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "427333967"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "2098558504"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "960775330"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "270723585"	RegFuck.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_DIB = "1771253258"	RegFuck.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\REGFuck-master.zip
1⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffea4159758,0x7ffea4159768,0x7ffea4159778
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:2
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1924 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5004 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5368 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3028 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5628 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1636 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5476 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5952 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5612 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6028 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2112 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5608 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3132 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3052 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5160 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5116 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5200 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3832 --field-trial-handle=1728,i,15878063386661403905,4564018414801660869,131072 /prefetch:8
  2⤵
  PID:3900
- C:\Users\Admin\Downloads\RegFuck.exe
  "C:\Users\Admin\Downloads\RegFuck.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - Modifies firewall policy service
  - Modifies security service
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Boot or Logon Autostart Execution: Active Setup
  - Boot or Logon Autostart Execution: Port Monitors
  - Event Triggered Execution: Image File Execution Options Injection
  - Manipulates Digital Signatures
  - Server Software Component: Terminal Services DLL
  - Sets service image path in registry
  - Uses Session Manager for persistence
  - Boot or Logon Autostart Execution: Print Processors
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Modifies system executable filetype association
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Modifies WinLogon
  - Checks system information in the registry
  - Sets desktop wallpaper using registry
  - Event Triggered Execution: Netsh Helper DLL
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Control Panel
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Modifies system certificate store
  - System policy modification
  PID:2844

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3764

C:\Windows\System32\InputMethod\CHS\ChsIME.exe
C:\Windows\System32\InputMethod\CHS\ChsIME.exe -Embedding
1⤵
PID:3760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a86055 /state1:0x41c64e6d
1⤵
PID:4076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a89055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:3364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding
1⤵
PID:4928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a89855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:4832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a8c055 /state1:0x41c64e6d
1⤵
PID:1252

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a8c855 /state1:0x41c64e6d
1⤵
PID:1224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a8e055 /state1:0x41c64e6d
1⤵
PID:1824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a8e855 /state1:0x41c64e6d
1⤵
PID:4132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a8f055 /state1:0x41c64e6d
1⤵
PID:1928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a8f855 /state1:0x41c64e6d
1⤵
PID:4128

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a90055 /state1:0x41c64e6d
1⤵
PID:4976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a90855 /state1:0x41c64e6d
1⤵
PID:4772

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a91055 /state1:0x41c64e6d
1⤵
PID:4116

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a91855 /state1:0x41c64e6d
1⤵
PID:4732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a92055 /state1:0x41c64e6d
1⤵
PID:5008

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a92855 /state1:0x41c64e6d
1⤵
PID:4264

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a93055 /state1:0x41c64e6d
1⤵
PID:1768

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a93855 /state1:0x41c64e6d
1⤵
PID:1544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a94055 /state1:0x41c64e6d
1⤵
PID:3300

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a94855 /state1:0x41c64e6d
1⤵
PID:840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a95055 /state1:0x41c64e6d
1⤵
PID:4620

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a95855 /state1:0x41c64e6d
1⤵
PID:68

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a96055 /state1:0x41c64e6d
1⤵
PID:4444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a96855 /state1:0x41c64e6d
1⤵
PID:2728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a97055 /state1:0x41c64e6d
1⤵
PID:3516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a97855 /state1:0x41c64e6d
1⤵
PID:428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a98055 /state1:0x41c64e6d
1⤵
PID:4944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a98855 /state1:0x41c64e6d
1⤵
PID:4748

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a99055 /state1:0x41c64e6d
1⤵
PID:1400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a99855 /state1:0x41c64e6d
1⤵
PID:208

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9a055 /state1:0x41c64e6d
1⤵
PID:4332

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9a855 /state1:0x41c64e6d
1⤵
PID:1444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9b055 /state1:0x41c64e6d
1⤵
PID:4268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9b855 /state1:0x41c64e6d
1⤵
PID:4228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9c055 /state1:0x41c64e6d
1⤵
PID:4252

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9c855 /state1:0x41c64e6d
1⤵
PID:1388

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9d055 /state1:0x41c64e6d
1⤵
PID:3800

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9d855 /state1:0x41c64e6d
1⤵
PID:1548

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9e055 /state1:0x41c64e6d
1⤵
PID:3360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9e855 /state1:0x41c64e6d
1⤵
PID:4744

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9f055 /state1:0x41c64e6d
1⤵
PID:4424

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a9f855 /state1:0x41c64e6d
1⤵
PID:3220

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa0055 /state1:0x41c64e6d
1⤵
PID:1432

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa0855 /state1:0x41c64e6d
1⤵
PID:1800

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa1055 /state1:0x41c64e6d
1⤵
PID:3848

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa1855 /state1:0x41c64e6d
1⤵
PID:2004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa2055 /state1:0x41c64e6d
1⤵
PID:2028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa2855 /state1:0x41c64e6d
1⤵
PID:5072

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa3055 /state1:0x41c64e6d
1⤵
PID:1348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa3855 /state1:0x41c64e6d
1⤵
PID:4960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa4055 /state1:0x41c64e6d
1⤵
PID:4916

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa4855 /state1:0x41c64e6d
1⤵
PID:4316

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa5055 /state1:0x41c64e6d
1⤵
PID:1908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa5855 /state1:0x41c64e6d
1⤵
PID:2616

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa6055 /state1:0x41c64e6d
1⤵
PID:3796

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa6855 /state1:0x41c64e6d
1⤵
PID:2852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa7055 /state1:0x41c64e6d
1⤵
PID:1744

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa7855 /state1:0x41c64e6d
1⤵
PID:3664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa8055 /state1:0x41c64e6d
1⤵
PID:4112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa8855 /state1:0x41c64e6d
1⤵
PID:3580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa9055 /state1:0x41c64e6d
1⤵
PID:2480

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aa9855 /state1:0x41c64e6d
1⤵
PID:3692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aaa055 /state1:0x41c64e6d
1⤵
PID:1840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aaa855 /state1:0x41c64e6d
1⤵
PID:3832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aab055 /state1:0x41c64e6d
1⤵
PID:3944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aab855 /state1:0x41c64e6d
1⤵
PID:3956

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aac055 /state1:0x41c64e6d
1⤵
PID:3964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aac855 /state1:0x41c64e6d
1⤵
PID:3684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aad055 /state1:0x41c64e6d
1⤵
PID:700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aad855 /state1:0x41c64e6d
1⤵
PID:1884

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aae055 /state1:0x41c64e6d
1⤵
PID:352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aae855 /state1:0x41c64e6d
1⤵
PID:3676

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aaf055 /state1:0x41c64e6d
1⤵
PID:4040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aaf855 /state1:0x41c64e6d
1⤵
PID:2856

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab0055 /state1:0x41c64e6d
1⤵
PID:4468

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab0855 /state1:0x41c64e6d
1⤵
PID:1096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab1055 /state1:0x41c64e6d
1⤵
PID:1940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab1855 /state1:0x41c64e6d
1⤵
PID:1424

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab2055 /state1:0x41c64e6d
1⤵
PID:3948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab2855 /state1:0x41c64e6d
1⤵
PID:3372

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab3055 /state1:0x41c64e6d
1⤵
PID:3904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab3855 /state1:0x41c64e6d
1⤵
PID:3736

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab4055 /state1:0x41c64e6d
1⤵
PID:4940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab4855 /state1:0x41c64e6d
1⤵
PID:2860

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab5055 /state1:0x41c64e6d
1⤵
PID:1688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab5855 /state1:0x41c64e6d
1⤵
PID:1804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab6055 /state1:0x41c64e6d
1⤵
PID:1020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab6855 /state1:0x41c64e6d
1⤵
PID:3464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab7055 /state1:0x41c64e6d
1⤵
PID:2836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab7855 /state1:0x41c64e6d
1⤵
PID:1288

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab8055 /state1:0x41c64e6d
1⤵
PID:308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab8855 /state1:0x41c64e6d
1⤵
PID:5036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab9055 /state1:0x41c64e6d
1⤵
PID:660

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ab9855 /state1:0x41c64e6d
1⤵
PID:3784

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aba055 /state1:0x41c64e6d
1⤵
PID:4320

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aba855 /state1:0x41c64e6d
1⤵
PID:4708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abb055 /state1:0x41c64e6d
1⤵
PID:3768

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abb855 /state1:0x41c64e6d
1⤵
PID:3532

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abc055 /state1:0x41c64e6d
1⤵
PID:4896

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abc855 /state1:0x41c64e6d
1⤵
PID:1360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abd055 /state1:0x41c64e6d
1⤵
PID:1932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abd855 /state1:0x41c64e6d
1⤵
PID:2788

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abe055 /state1:0x41c64e6d
1⤵
PID:3808

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abe855 /state1:0x41c64e6d
1⤵
PID:904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abf055 /state1:0x41c64e6d
1⤵
PID:2120

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3abf855 /state1:0x41c64e6d
1⤵
PID:3024

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a40055 /state1:0x41c64e6d
1⤵
PID:4720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a40855 /state1:0x41c64e6d
1⤵
PID:652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a41055 /state1:0x41c64e6d
1⤵
PID:3396

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a41855 /state1:0x41c64e6d
1⤵
PID:3520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a42055 /state1:0x41c64e6d
1⤵
PID:4564

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a42855 /state1:0x41c64e6d
1⤵
PID:3828

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a43055 /state1:0x41c64e6d
1⤵
PID:3040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a43855 /state1:0x41c64e6d
1⤵
PID:1356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a44055 /state1:0x41c64e6d
1⤵
PID:2596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a44855 /state1:0x41c64e6d
1⤵
PID:3268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a45055 /state1:0x41c64e6d
1⤵
PID:3880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a45855 /state1:0x41c64e6d
1⤵
PID:1868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a46055 /state1:0x41c64e6d
1⤵
PID:3624

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a46855 /state1:0x41c64e6d
1⤵
PID:2772

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a47055 /state1:0x41c64e6d
1⤵
PID:1420

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a47855 /state1:0x41c64e6d
1⤵
PID:4376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a48055 /state1:0x41c64e6d
1⤵
PID:4904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a48855 /state1:0x41c64e6d
1⤵
PID:2840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a49055 /state1:0x41c64e6d
1⤵
PID:4984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a49855 /state1:0x41c64e6d
1⤵
PID:3320

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4a055 /state1:0x41c64e6d
1⤵
PID:2388

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4a855 /state1:0x41c64e6d
1⤵
PID:3884

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4b055 /state1:0x41c64e6d
1⤵
PID:5012

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4b855 /state1:0x41c64e6d
1⤵
PID:2552

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4c055 /state1:0x41c64e6d
1⤵
PID:724

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4c855 /state1:0x41c64e6d
1⤵
PID:3244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4d055 /state1:0x41c64e6d
1⤵
PID:616

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4d855 /state1:0x41c64e6d
1⤵
PID:204

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4e055 /state1:0x41c64e6d
1⤵
PID:3312

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4e855 /state1:0x41c64e6d
1⤵
PID:5040

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4f055 /state1:0x41c64e6d
1⤵
PID:5064

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a4f855 /state1:0x41c64e6d
1⤵
PID:3864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a50055 /state1:0x41c64e6d
1⤵
PID:624

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a50855 /state1:0x41c64e6d
1⤵
PID:3600

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a51055 /state1:0x41c64e6d
1⤵
PID:688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a51855 /state1:0x41c64e6d
1⤵
PID:3712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a52055 /state1:0x41c64e6d
1⤵
PID:4048

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a52855 /state1:0x41c64e6d
1⤵
PID:4400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a53055 /state1:0x41c64e6d
1⤵
PID:3656

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a53855 /state1:0x41c64e6d
1⤵
PID:1120

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a54055 /state1:0x41c64e6d
1⤵
PID:2328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a54855 /state1:0x41c64e6d
1⤵
PID:3492

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a55055 /state1:0x41c64e6d
1⤵
PID:2872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a55855 /state1:0x41c64e6d
1⤵
PID:4164

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a56055 /state1:0x41c64e6d
1⤵
PID:4072

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a56855 /state1:0x41c64e6d
1⤵
PID:1628

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a57055 /state1:0x41c64e6d
1⤵
PID:3376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a57855 /state1:0x41c64e6d
1⤵
PID:3812

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a58055 /state1:0x41c64e6d
1⤵
PID:2280

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a58855 /state1:0x41c64e6d
1⤵
PID:216

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a59055 /state1:0x41c64e6d
1⤵
PID:2916

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a59855 /state1:0x41c64e6d
1⤵
PID:4484

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5a055 /state1:0x41c64e6d
1⤵
PID:3688

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5a855 /state1:0x41c64e6d
1⤵
PID:3616

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5b055 /state1:0x41c64e6d
1⤵
PID:3740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5b855 /state1:0x41c64e6d
1⤵
PID:3752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5c055 /state1:0x41c64e6d
1⤵
PID:3732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5c855 /state1:0x41c64e6d
1⤵
PID:3820

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5d055 /state1:0x41c64e6d
1⤵
PID:3728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5d855 /state1:0x41c64e6d
1⤵
PID:3596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5e055 /state1:0x41c64e6d
1⤵
PID:3568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5e855 /state1:0x41c64e6d
1⤵
PID:1848

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5f055 /state1:0x41c64e6d
1⤵
PID:4488

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a5f855 /state1:0x41c64e6d
1⤵
PID:760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a60055 /state1:0x41c64e6d
1⤵
PID:3484

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a60855 /state1:0x41c64e6d
1⤵
PID:2792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a61055 /state1:0x41c64e6d
1⤵
PID:2796

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a61855 /state1:0x41c64e6d
1⤵
PID:2736

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a62055 /state1:0x41c64e6d
1⤵
PID:1528

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a62855 /state1:0x41c64e6d
1⤵
PID:1004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a63055 /state1:0x41c64e6d
1⤵
PID:2568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a63855 /state1:0x41c64e6d
1⤵
PID:368

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a64055 /state1:0x41c64e6d
1⤵
PID:2128

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a64855 /state1:0x41c64e6d
1⤵
PID:3860

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a65055 /state1:0x41c64e6d
1⤵
PID:2984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a65855 /state1:0x41c64e6d
1⤵
PID:4420

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a66055 /state1:0x41c64e6d
1⤵
PID:4956

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a66855 /state1:0x41c64e6d
1⤵
PID:1328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a67055 /state1:0x41c64e6d
1⤵
PID:4184

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a67855 /state1:0x41c64e6d
1⤵
PID:2300

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a68055 /state1:0x41c64e6d
1⤵
PID:3844

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a68855 /state1:0x41c64e6d
1⤵
PID:3764

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a69055 /state1:0x41c64e6d
1⤵
PID:704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a69855 /state1:0x41c64e6d
1⤵
PID:3060

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6a055 /state1:0x41c64e6d
1⤵
PID:932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6a855 /state1:0x41c64e6d
1⤵
PID:3708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6b055 /state1:0x41c64e6d
1⤵
PID:4260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6b855 /state1:0x41c64e6d
1⤵
PID:3640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6c055 /state1:0x41c64e6d
1⤵
PID:2676

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6c855 /state1:0x41c64e6d
1⤵
PID:764

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6d055 /state1:0x41c64e6d
1⤵
PID:4324

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6d855 /state1:0x41c64e6d
1⤵
PID:4428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6e055 /state1:0x41c64e6d
1⤵
PID:236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6e855 /state1:0x41c64e6d
1⤵
PID:2488

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6f055 /state1:0x41c64e6d
1⤵
PID:1428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a6f855 /state1:0x41c64e6d
1⤵
PID:3900

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a70055 /state1:0x41c64e6d
1⤵
PID:2804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a70855 /state1:0x41c64e6d
1⤵
PID:4036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a71055 /state1:0x41c64e6d
1⤵
PID:2828

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a71855 /state1:0x41c64e6d
1⤵
PID:4256

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a72055 /state1:0x41c64e6d
1⤵
PID:3368

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a72855 /state1:0x41c64e6d
1⤵
PID:3424

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a73055 /state1:0x41c64e6d
1⤵
PID:3432

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a73855 /state1:0x41c64e6d
1⤵
PID:4024

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a74055 /state1:0x41c64e6d
1⤵
PID:2304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a74855 /state1:0x41c64e6d
1⤵
PID:3476

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a75055 /state1:0x41c64e6d
1⤵
PID:3496

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a75855 /state1:0x41c64e6d
1⤵
PID:3652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a76055 /state1:0x41c64e6d
1⤵
PID:3536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a76855 /state1:0x41c64e6d
1⤵
PID:3468

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a77055 /state1:0x41c64e6d
1⤵
PID:3896

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a77855 /state1:0x41c64e6d
1⤵
PID:3916

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a78055 /state1:0x41c64e6d
1⤵
PID:1876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a78855 /state1:0x41c64e6d
1⤵
PID:4000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a79055 /state1:0x41c64e6d
1⤵
PID:4448

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a79855 /state1:0x41c64e6d
1⤵
PID:4512

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7a055 /state1:0x41c64e6d
1⤵
PID:3344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7a855 /state1:0x41c64e6d
1⤵
PID:3388

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7b055 /state1:0x41c64e6d
1⤵
PID:4312

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7b855 /state1:0x41c64e6d
1⤵
PID:4340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7c055 /state1:0x41c64e6d
1⤵
PID:3540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7c855 /state1:0x41c64e6d
1⤵
PID:3452

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7d055 /state1:0x41c64e6d
1⤵
PID:4088

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7d855 /state1:0x41c64e6d
1⤵
PID:4356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7e055 /state1:0x41c64e6d
1⤵
PID:4700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7e855 /state1:0x41c64e6d
1⤵
PID:4892

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7f055 /state1:0x41c64e6d
1⤵
PID:3524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a7f855 /state1:0x41c64e6d
1⤵
PID:3004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a00055 /state1:0x41c64e6d
1⤵
PID:2996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a00855 /state1:0x41c64e6d
1⤵
PID:3716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a01055 /state1:0x41c64e6d
1⤵
PID:4060

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a01855 /state1:0x41c64e6d
1⤵
PID:2020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a02055 /state1:0x41c64e6d
1⤵
PID:1308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a02855 /state1:0x41c64e6d
1⤵
PID:2816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a03055 /state1:0x41c64e6d
1⤵
PID:372

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a03855 /state1:0x41c64e6d
1⤵
PID:1296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a04055 /state1:0x41c64e6d
1⤵
PID:436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a04855 /state1:0x41c64e6d
1⤵
PID:1652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a05055 /state1:0x41c64e6d
1⤵
PID:2868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a05855 /state1:0x41c64e6d
1⤵
PID:400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a06055 /state1:0x41c64e6d
1⤵
PID:4996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a06855 /state1:0x41c64e6d
1⤵
PID:2820

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a07055 /state1:0x41c64e6d
1⤵
PID:4832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a07855 /state1:0x41c64e6d
1⤵
PID:2632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a08055 /state1:0x41c64e6d
1⤵
PID:1248

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a08855 /state1:0x41c64e6d
1⤵
PID:3840

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a09055 /state1:0x41c64e6d
1⤵
PID:4988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a09855 /state1:0x41c64e6d
1⤵
PID:4752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0a055 /state1:0x41c64e6d
1⤵
PID:2140

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0a855 /state1:0x41c64e6d
1⤵
PID:4968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0b055 /state1:0x41c64e6d
1⤵
PID:2316

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0b855 /state1:0x41c64e6d
1⤵
PID:4740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0c055 /state1:0x41c64e6d
1⤵
PID:5108

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0c855 /state1:0x41c64e6d
1⤵
PID:4236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0d055 /state1:0x41c64e6d
1⤵
PID:2812

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0d855 /state1:0x41c64e6d
1⤵
PID:5056

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0e055 /state1:0x41c64e6d
1⤵
PID:1664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0e855 /state1:0x41c64e6d
1⤵
PID:2472

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0f055 /state1:0x41c64e6d
1⤵
PID:3224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a0f855 /state1:0x41c64e6d
1⤵
PID:3196

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a10055 /state1:0x41c64e6d
1⤵
PID:2476

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a10855 /state1:0x41c64e6d
1⤵
PID:3308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a11055 /state1:0x41c64e6d
1⤵
PID:3264

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a11855 /state1:0x41c64e6d
1⤵
PID:3556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a12055 /state1:0x41c64e6d
1⤵
PID:3316

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a12855 /state1:0x41c64e6d
1⤵
PID:2312

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a13055 /state1:0x41c64e6d
1⤵
PID:2544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a13855 /state1:0x41c64e6d
1⤵
PID:3172

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a14055 /state1:0x41c64e6d
1⤵
PID:2344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a14855 /state1:0x41c64e6d
1⤵
PID:3792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a15055 /state1:0x41c64e6d
1⤵
PID:2500

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a15855 /state1:0x41c64e6d
1⤵
PID:3152

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a16055 /state1:0x41c64e6d
1⤵
PID:3228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a16855 /state1:0x41c64e6d
1⤵
PID:3240

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a17055 /state1:0x41c64e6d
1⤵
PID:4328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a17855 /state1:0x41c64e6d
1⤵
PID:2896

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a18055 /state1:0x41c64e6d
1⤵
PID:3488

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a18855 /state1:0x41c64e6d
1⤵
PID:2184

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a19055 /state1:0x41c64e6d
1⤵
PID:804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a19855 /state1:0x41c64e6d
1⤵
PID:812

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1a055 /state1:0x41c64e6d
1⤵
PID:816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1a855 /state1:0x41c64e6d
1⤵
PID:3064

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1b055 /state1:0x41c64e6d
1⤵
PID:3992

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1b855 /state1:0x41c64e6d
1⤵
PID:4812

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1c055 /state1:0x41c64e6d
1⤵
PID:3984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1c855 /state1:0x41c64e6d
1⤵
PID:4352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1d055 /state1:0x41c64e6d
1⤵
PID:2604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1d855 /state1:0x41c64e6d
1⤵
PID:3104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1e055 /state1:0x41c64e6d
1⤵
PID:4248

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1e855 /state1:0x41c64e6d
1⤵
PID:1252

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1f055 /state1:0x41c64e6d
1⤵
PID:588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a1f855 /state1:0x41c64e6d
1⤵
PID:3076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a20055 /state1:0x41c64e6d
1⤵
PID:3096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a20855 /state1:0x41c64e6d
1⤵
PID:1224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a21055 /state1:0x41c64e6d
1⤵
PID:632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a21855 /state1:0x41c64e6d
1⤵
PID:3296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a22055 /state1:0x41c64e6d
1⤵
PID:2988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a22855 /state1:0x41c64e6d
1⤵
PID:3160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a23055 /state1:0x41c64e6d
1⤵
PID:3276

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a23855 /state1:0x41c64e6d
1⤵
PID:2340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a24055 /state1:0x41c64e6d
1⤵
PID:1076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a24855 /state1:0x41c64e6d
1⤵
PID:4888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a25055 /state1:0x41c64e6d
1⤵
PID:4140

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a25855 /state1:0x41c64e6d
1⤵
PID:4920

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a26055 /state1:0x41c64e6d
1⤵
PID:2976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a26855 /state1:0x41c64e6d
1⤵
PID:3324

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a27055 /state1:0x41c64e6d
1⤵
PID:1824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a27855 /state1:0x41c64e6d
1⤵
PID:2236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a28055 /state1:0x41c64e6d
1⤵
PID:4712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a28855 /state1:0x41c64e6d
1⤵
PID:4192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a29055 /state1:0x41c64e6d
1⤵
PID:2356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a29855 /state1:0x41c64e6d
1⤵
PID:696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2a055 /state1:0x41c64e6d
1⤵
PID:4716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2a855 /state1:0x41c64e6d
1⤵
PID:4924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2b055 /state1:0x41c64e6d
1⤵
PID:4580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2b855 /state1:0x41c64e6d
1⤵
PID:524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2c055 /state1:0x41c64e6d
1⤵
PID:32

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2c855 /state1:0x41c64e6d
1⤵
PID:596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2d055 /state1:0x41c64e6d
1⤵
PID:3448

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2d855 /state1:0x41c64e6d
1⤵
PID:3500

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2e055 /state1:0x41c64e6d
1⤵
PID:380

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2e855 /state1:0x41c64e6d
1⤵
PID:4504

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2f055 /state1:0x41c64e6d
1⤵
PID:2512

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a2f855 /state1:0x41c64e6d
1⤵
PID:2516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a30055 /state1:0x41c64e6d
1⤵
PID:3356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a30855 /state1:0x41c64e6d
1⤵
PID:2268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a31055 /state1:0x41c64e6d
1⤵
PID:1604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a31855 /state1:0x41c64e6d
1⤵
PID:2752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a32055 /state1:0x41c64e6d
1⤵
PID:3384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a32855 /state1:0x41c64e6d
1⤵
PID:2332

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a33055 /state1:0x41c64e6d
1⤵
PID:4220

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a33855 /state1:0x41c64e6d
1⤵
PID:2932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a34055 /state1:0x41c64e6d
1⤵
PID:4980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a34855 /state1:0x41c64e6d
1⤵
PID:3008

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a35055 /state1:0x41c64e6d
1⤵
PID:1456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a35855 /state1:0x41c64e6d
1⤵
PID:1904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a36055 /state1:0x41c64e6d
1⤵
PID:1556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a36855 /state1:0x41c64e6d
1⤵
PID:4360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a37055 /state1:0x41c64e6d
1⤵
PID:4244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a37855 /state1:0x41c64e6d
1⤵
PID:3508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a38055 /state1:0x41c64e6d
1⤵
PID:4516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a38855 /state1:0x41c64e6d
1⤵
PID:2392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a39055 /state1:0x41c64e6d
1⤵
PID:4664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a39855 /state1:0x41c64e6d
1⤵
PID:3000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3a055 /state1:0x41c64e6d
1⤵
PID:3824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3a855 /state1:0x41c64e6d
1⤵
PID:5084

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3b055 /state1:0x41c64e6d
1⤵
PID:1520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3b855 /state1:0x41c64e6d
1⤵
PID:836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3c055 /state1:0x41c64e6d
1⤵
PID:2260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3c855 /state1:0x41c64e6d
1⤵
PID:4020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3d055 /state1:0x41c64e6d
1⤵
PID:4568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3d855 /state1:0x41c64e6d
1⤵
PID:2052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3e055 /state1:0x41c64e6d
1⤵
PID:1988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3e855 /state1:0x41c64e6d
1⤵
PID:4672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3f055 /state1:0x41c64e6d
1⤵
PID:392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a3f855 /state1:0x41c64e6d
1⤵
PID:3720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c0055 /state1:0x41c64e6d
1⤵
PID:1596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c0855 /state1:0x41c64e6d
1⤵
PID:2716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c1055 /state1:0x41c64e6d
1⤵
PID:3696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c1855 /state1:0x41c64e6d
1⤵
PID:2876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c2055 /state1:0x41c64e6d
1⤵
PID:1284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c2855 /state1:0x41c64e6d
1⤵
PID:3672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c3055 /state1:0x41c64e6d
1⤵
PID:4336

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c3855 /state1:0x41c64e6d
1⤵
PID:3924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c4055 /state1:0x41c64e6d
1⤵
PID:3952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c4855 /state1:0x41c64e6d
1⤵
PID:3960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c5055 /state1:0x41c64e6d
1⤵
PID:3704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c5855 /state1:0x41c64e6d
1⤵
PID:3644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c6055 /state1:0x41c64e6d
1⤵
PID:360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c6855 /state1:0x41c64e6d
1⤵
PID:440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c7055 /state1:0x41c64e6d
1⤵
PID:60

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c7855 /state1:0x41c64e6d
1⤵
PID:2944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c8055 /state1:0x41c64e6d
1⤵
PID:4824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c8855 /state1:0x41c64e6d
1⤵
PID:2228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c9055 /state1:0x41c64e6d
1⤵
PID:2208

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39c9855 /state1:0x41c64e6d
1⤵
PID:1148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ca055 /state1:0x41c64e6d
1⤵
PID:4792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ca855 /state1:0x41c64e6d
1⤵
PID:2536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cb055 /state1:0x41c64e6d
1⤵
PID:3576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cb855 /state1:0x41c64e6d
1⤵
PID:2068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cc055 /state1:0x41c64e6d
1⤵
PID:5104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cc855 /state1:0x41c64e6d
1⤵
PID:5000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cd055 /state1:0x41c64e6d
1⤵
PID:1536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cd855 /state1:0x41c64e6d
1⤵
PID:3724

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ce055 /state1:0x41c64e6d
1⤵
PID:4084

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ce855 /state1:0x41c64e6d
1⤵
PID:3648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cf055 /state1:0x41c64e6d
1⤵
PID:4436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cf855 /state1:0x41c64e6d
1⤵
PID:4080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d0055 /state1:0x41c64e6d
1⤵
PID:4196

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d0855 /state1:0x41c64e6d
1⤵
PID:4156

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d1055 /state1:0x41c64e6d
1⤵
PID:4776

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d1855 /state1:0x41c64e6d
1⤵
PID:1588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d2055 /state1:0x41c64e6d
1⤵
PID:4172

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d2855 /state1:0x41c64e6d
1⤵
PID:4556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d3055 /state1:0x41c64e6d
1⤵
PID:3192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d3855 /state1:0x41c64e6d
1⤵
PID:2408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d4055 /state1:0x41c64e6d
1⤵
PID:1540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d4855 /state1:0x41c64e6d
1⤵
PID:2400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d5055 /state1:0x41c64e6d
1⤵
PID:1312

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d5855 /state1:0x41c64e6d
1⤵
PID:3188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d6055 /state1:0x41c64e6d
1⤵
PID:1716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d6855 /state1:0x41c64e6d
1⤵
PID:2116

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d7055 /state1:0x41c64e6d
1⤵
PID:2844

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d7855 /state1:0x41c64e6d
1⤵
PID:2888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d8055 /state1:0x41c64e6d
1⤵
PID:880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d8855 /state1:0x41c64e6d
1⤵
PID:3056

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d9055 /state1:0x41c64e6d
1⤵
PID:884

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d9855 /state1:0x41c64e6d
1⤵
PID:2176

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39da055 /state1:0x41c64e6d
1⤵
PID:3512

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39da855 /state1:0x41c64e6d
1⤵
PID:3872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39db055 /state1:0x41c64e6d
1⤵
PID:2284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39db855 /state1:0x41c64e6d
1⤵
PID:4148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39dc055 /state1:0x41c64e6d
1⤵
PID:4168

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39dc855 /state1:0x41c64e6d
1⤵
PID:2680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39dd055 /state1:0x41c64e6d
1⤵
PID:3020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39dd855 /state1:0x41c64e6d
1⤵
PID:4068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39de055 /state1:0x41c64e6d
1⤵
PID:1796

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39de855 /state1:0x41c64e6d
1⤵
PID:2364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39df055 /state1:0x41c64e6d
1⤵
PID:3908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39df855 /state1:0x41c64e6d
1⤵
PID:2460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e0055 /state1:0x41c64e6d
1⤵
PID:668

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e0855 /state1:0x41c64e6d
1⤵
PID:5052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e1055 /state1:0x41c64e6d
1⤵
PID:4104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e1855 /state1:0x41c64e6d
1⤵
PID:3628

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e2055 /state1:0x41c64e6d
1⤵
PID:4396

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e2855 /state1:0x41c64e6d
1⤵
PID:1324

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e3055 /state1:0x41c64e6d
1⤵
PID:4480

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e3855 /state1:0x41c64e6d
1⤵
PID:3816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e4055 /state1:0x41c64e6d
1⤵
PID:3304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e4855 /state1:0x41c64e6d
1⤵
PID:4948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e5055 /state1:0x41c64e6d
1⤵
PID:2520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e5855 /state1:0x41c64e6d
1⤵
PID:2092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e6055 /state1:0x41c64e6d
1⤵
PID:2712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e6855 /state1:0x41c64e6d
1⤵
PID:5044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e7055 /state1:0x41c64e6d
1⤵
PID:4936

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e7855 /state1:0x41c64e6d
1⤵
PID:4964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e8055 /state1:0x41c64e6d
1⤵
PID:1176

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e8855 /state1:0x41c64e6d
1⤵
PID:2864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e9055 /state1:0x41c64e6d
1⤵
PID:4576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39e9855 /state1:0x41c64e6d
1⤵
PID:1048

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ea055 /state1:0x41c64e6d
1⤵
PID:3680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ea855 /state1:0x41c64e6d
1⤵
PID:2192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39eb055 /state1:0x41c64e6d
1⤵
PID:376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39eb855 /state1:0x41c64e6d
1⤵
PID:4384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ec055 /state1:0x41c64e6d
1⤵
PID:3876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ec855 /state1:0x41c64e6d
1⤵
PID:3380

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ed055 /state1:0x41c64e6d
1⤵
PID:348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ed855 /state1:0x41c64e6d
1⤵
PID:3892

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ee055 /state1:0x41c64e6d
1⤵
PID:3148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ee855 /state1:0x41c64e6d
1⤵
PID:3660

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ef055 /state1:0x41c64e6d
1⤵
PID:5032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ef855 /state1:0x41c64e6d
1⤵
PID:968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f0055 /state1:0x41c64e6d
1⤵
PID:3612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f0855 /state1:0x41c64e6d
1⤵
PID:4464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f1055 /state1:0x41c64e6d
1⤵
PID:212

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f1855 /state1:0x41c64e6d
1⤵
PID:408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f2055 /state1:0x41c64e6d
1⤵
PID:2124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f2855 /state1:0x41c64e6d
1⤵
PID:3608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f3055 /state1:0x41c64e6d
1⤵
PID:3700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f3855 /state1:0x41c64e6d
1⤵
PID:3744

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f4055 /state1:0x41c64e6d
1⤵
PID:3748

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f4855 /state1:0x41c64e6d
1⤵
PID:3756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f5055 /state1:0x41c64e6d
1⤵
PID:2296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f5855 /state1:0x41c64e6d
1⤵
PID:3544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f6055 /state1:0x41c64e6d
1⤵
PID:4692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f6855 /state1:0x41c64e6d
1⤵
PID:3572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f7055 /state1:0x41c64e6d
1⤵
PID:1160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f7855 /state1:0x41c64e6d
1⤵
PID:1896

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f8055 /state1:0x41c64e6d
1⤵
PID:4200

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f8855 /state1:0x41c64e6d
1⤵
PID:2232

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f9055 /state1:0x41c64e6d
1⤵
PID:3928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39f9855 /state1:0x41c64e6d
1⤵
PID:3776

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fa055 /state1:0x41c64e6d
1⤵
PID:1724

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fa855 /state1:0x41c64e6d
1⤵
PID:828

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fb055 /state1:0x41c64e6d
1⤵
PID:3504

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fb855 /state1:0x41c64e6d
1⤵
PID:2456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fc055 /state1:0x41c64e6d
1⤵
PID:4272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fc855 /state1:0x41c64e6d
1⤵
PID:5092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fd055 /state1:0x41c64e6d
1⤵
PID:3868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fd855 /state1:0x41c64e6d
1⤵
PID:3968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fe055 /state1:0x41c64e6d
1⤵
PID:4120

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39fe855 /state1:0x41c64e6d
1⤵
PID:768

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ff055 /state1:0x41c64e6d
1⤵
PID:1268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ff855 /state1:0x41c64e6d
1⤵
PID:2780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3980055 /state1:0x41c64e6d
1⤵
PID:4572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3980855 /state1:0x41c64e6d
1⤵
PID:4160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3981055 /state1:0x41c64e6d
1⤵
PID:3028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3981855 /state1:0x41c64e6d
1⤵
PID:1648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3982055 /state1:0x41c64e6d
1⤵
PID:1128

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3982855 /state1:0x41c64e6d
1⤵
PID:3856

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3983055 /state1:0x41c64e6d
1⤵
PID:1164

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3983855 /state1:0x41c64e6d
1⤵
PID:4076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3984055 /state1:0x41c64e6d
1⤵
PID:3480

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3984855 /state1:0x41c64e6d
1⤵
PID:4604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3985055 /state1:0x41c64e6d
1⤵
PID:2428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3985855 /state1:0x41c64e6d
1⤵
PID:1640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3986055 /state1:0x41c64e6d
1⤵
PID:4928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3986855 /state1:0x41c64e6d
1⤵
PID:4472

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3987055 /state1:0x41c64e6d
1⤵
PID:2548

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3987855 /state1:0x41c64e6d
1⤵
PID:4972

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3988055 /state1:0x41c64e6d
1⤵
PID:4536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3988855 /state1:0x41c64e6d
1⤵
PID:2784

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3989055 /state1:0x41c64e6d
1⤵
PID:5020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3989855 /state1:0x41c64e6d
1⤵
PID:2592

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398a055 /state1:0x41c64e6d
1⤵
PID:2824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398a855 /state1:0x41c64e6d
1⤵
PID:1136

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398b055 /state1:0x41c64e6d
1⤵
PID:3392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398b855 /state1:0x41c64e6d
1⤵
PID:3436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398c055 /state1:0x41c64e6d
1⤵
PID:3348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398c855 /state1:0x41c64e6d
1⤵
PID:3408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398d055 /state1:0x41c64e6d
1⤵
PID:2132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398d855 /state1:0x41c64e6d
1⤵
PID:2708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398e055 /state1:0x41c64e6d
1⤵
PID:420

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398e855 /state1:0x41c64e6d
1⤵
PID:3528

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398f055 /state1:0x41c64e6d
1⤵
PID:3836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa398f855 /state1:0x41c64e6d
1⤵
PID:3548

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3990055 /state1:0x41c64e6d
1⤵
PID:3912

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3990855 /state1:0x41c64e6d
1⤵
PID:3980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3991055 /state1:0x41c64e6d
1⤵
PID:3888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3991855 /state1:0x41c64e6d
1⤵
PID:4032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3992055 /state1:0x41c64e6d
1⤵
PID:3804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3992855 /state1:0x41c64e6d
1⤵
PID:2444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3993055 /state1:0x41c64e6d
1⤵
PID:4520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3993855 /state1:0x41c64e6d
1⤵
PID:4028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3994055 /state1:0x41c64e6d
1⤵
PID:4372

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3994855 /state1:0x41c64e6d
1⤵
PID:928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3995055 /state1:0x41c64e6d
1⤵
PID:3328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3995855 /state1:0x41c64e6d
1⤵
PID:4524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3996055 /state1:0x41c64e6d
1⤵
PID:2532

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3996855 /state1:0x41c64e6d
1⤵
PID:344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3997055 /state1:0x41c64e6d
1⤵
PID:1888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3997855 /state1:0x41c64e6d
1⤵
PID:3352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3998055 /state1:0x41c64e6d
1⤵
PID:3440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3998855 /state1:0x41c64e6d
1⤵
PID:4016

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3999055 /state1:0x41c64e6d
1⤵
PID:3012

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3999855 /state1:0x41c64e6d
1⤵
PID:3460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399a055 /state1:0x41c64e6d
1⤵
PID:592

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399a855 /state1:0x41c64e6d
1⤵
PID:3404

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399b055 /state1:0x41c64e6d
1⤵
PID:3364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399b855 /state1:0x41c64e6d
1⤵
PID:4460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399c055 /state1:0x41c64e6d
1⤵
PID:4560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399c855 /state1:0x41c64e6d
1⤵
PID:4780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399d055 /state1:0x41c64e6d
1⤵
PID:4608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399d855 /state1:0x41c64e6d
1⤵
PID:2088

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399e055 /state1:0x41c64e6d
1⤵
PID:2952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399e855 /state1:0x41c64e6d
1⤵
PID:2272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399f055 /state1:0x41c64e6d
1⤵
PID:1780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa399f855 /state1:0x41c64e6d
1⤵
PID:1300

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a0055 /state1:0x41c64e6d
1⤵
PID:2560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a0855 /state1:0x41c64e6d
1⤵
PID:4704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a1055 /state1:0x41c64e6d
1⤵
PID:2556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a1855 /state1:0x41c64e6d
1⤵
PID:3932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a2055 /state1:0x41c64e6d
1⤵
PID:508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a2855 /state1:0x41c64e6d
1⤵
PID:792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a3055 /state1:0x41c64e6d
1⤵
PID:2880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a3855 /state1:0x41c64e6d
1⤵
PID:520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a4055 /state1:0x41c64e6d
1⤵
PID:1316

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a4855 /state1:0x41c64e6d
1⤵
PID:3760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a5055 /state1:0x41c64e6d
1⤵
PID:5096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a5855 /state1:0x41c64e6d
1⤵
PID:4136

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a6055 /state1:0x41c64e6d
1⤵
PID:1260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a6855 /state1:0x41c64e6d
1⤵
PID:1756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a7055 /state1:0x41c64e6d
1⤵
PID:4440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a7855 /state1:0x41c64e6d
1⤵
PID:708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a8055 /state1:0x41c64e6d
1⤵
PID:3208

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a8855 /state1:0x41c64e6d
1⤵
PID:3256

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a9055 /state1:0x41c64e6d
1⤵
PID:2620

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a9855 /state1:0x41c64e6d
1⤵
PID:3560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39aa055 /state1:0x41c64e6d
1⤵
PID:4368

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39aa855 /state1:0x41c64e6d
1⤵
PID:3272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ab055 /state1:0x41c64e6d
1⤵
PID:1124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ab855 /state1:0x41c64e6d
1⤵
PID:4932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ac055 /state1:0x41c64e6d
1⤵
PID:3176

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ac855 /state1:0x41c64e6d
1⤵
PID:2740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ad055 /state1:0x41c64e6d
1⤵
PID:4584

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ad855 /state1:0x41c64e6d
1⤵
PID:2440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ae055 /state1:0x41c64e6d
1⤵
PID:4540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ae855 /state1:0x41c64e6d
1⤵
PID:3200

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39af055 /state1:0x41c64e6d
1⤵
PID:3236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39af855 /state1:0x41c64e6d
1⤵
PID:3456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b0055 /state1:0x41c64e6d
1⤵
PID:3588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b0855 /state1:0x41c64e6d
1⤵
PID:2168

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b1055 /state1:0x41c64e6d
1⤵
PID:2360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b1855 /state1:0x41c64e6d
1⤵
PID:740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b2055 /state1:0x41c64e6d
1⤵
PID:808

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b2855 /state1:0x41c64e6d
1⤵
PID:4728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b3055 /state1:0x41c64e6d
1⤵
PID:732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b3855 /state1:0x41c64e6d
1⤵
PID:8

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b4055 /state1:0x41c64e6d
1⤵
PID:772

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b4855 /state1:0x41c64e6d
1⤵
PID:4188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b5055 /state1:0x41c64e6d
1⤵
PID:4812

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b5855 /state1:0x41c64e6d
1⤵
PID:3984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b6055 /state1:0x41c64e6d
1⤵
PID:4352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b6855 /state1:0x41c64e6d
1⤵
PID:2604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b7055 /state1:0x41c64e6d
1⤵
PID:3104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b7855 /state1:0x41c64e6d
1⤵
PID:4248

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b8055 /state1:0x41c64e6d
1⤵
PID:1252

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b8855 /state1:0x41c64e6d
1⤵
PID:588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b9055 /state1:0x41c64e6d
1⤵
PID:3076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39b9855 /state1:0x41c64e6d
1⤵
PID:3096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ba055 /state1:0x41c64e6d
1⤵
PID:1224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ba855 /state1:0x41c64e6d
1⤵
PID:632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39bb055 /state1:0x41c64e6d
1⤵
PID:3296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39bb855 /state1:0x41c64e6d
1⤵
PID:2988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39bc055 /state1:0x41c64e6d
1⤵
PID:3160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39bc855 /state1:0x41c64e6d
1⤵
PID:3276

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39bd055 /state1:0x41c64e6d
1⤵
PID:2340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39bd855 /state1:0x41c64e6d
1⤵
PID:1076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39be055 /state1:0x41c64e6d
1⤵
PID:4888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39be855 /state1:0x41c64e6d
1⤵
PID:4140

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39bf055 /state1:0x41c64e6d
1⤵
PID:4920

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39bf855 /state1:0x41c64e6d
1⤵
PID:2976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3940055 /state1:0x41c64e6d
1⤵
PID:3324

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3940855 /state1:0x41c64e6d
1⤵
PID:1824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3941055 /state1:0x41c64e6d
1⤵
PID:2236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3941855 /state1:0x41c64e6d
1⤵
PID:4712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3942055 /state1:0x41c64e6d
1⤵
PID:4192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3942855 /state1:0x41c64e6d
1⤵
PID:2356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3943055 /state1:0x41c64e6d
1⤵
PID:696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3943855 /state1:0x41c64e6d
1⤵
PID:4716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3944055 /state1:0x41c64e6d
1⤵
PID:4924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3944855 /state1:0x41c64e6d
1⤵
PID:4580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3945055 /state1:0x41c64e6d
1⤵
PID:524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3945855 /state1:0x41c64e6d
1⤵
PID:32

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3946055 /state1:0x41c64e6d
1⤵
PID:596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3946855 /state1:0x41c64e6d
1⤵
PID:3448

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3947055 /state1:0x41c64e6d
1⤵
PID:3500

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3947855 /state1:0x41c64e6d
1⤵
PID:380

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3948055 /state1:0x41c64e6d
1⤵
PID:4504

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3948855 /state1:0x41c64e6d
1⤵
PID:2512

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3949055 /state1:0x41c64e6d
1⤵
PID:2516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3949855 /state1:0x41c64e6d
1⤵
PID:3356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394a055 /state1:0x41c64e6d
1⤵
PID:2268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394a855 /state1:0x41c64e6d
1⤵
PID:1604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394b055 /state1:0x41c64e6d
1⤵
PID:2752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394b855 /state1:0x41c64e6d
1⤵
PID:3384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394c055 /state1:0x41c64e6d
1⤵
PID:2332

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394c855 /state1:0x41c64e6d
1⤵
PID:4220

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394d055 /state1:0x41c64e6d
1⤵
PID:2932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394d855 /state1:0x41c64e6d
1⤵
PID:4980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394e055 /state1:0x41c64e6d
1⤵
PID:3008

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394e855 /state1:0x41c64e6d
1⤵
PID:1456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394f055 /state1:0x41c64e6d
1⤵
PID:1904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394f855 /state1:0x41c64e6d
1⤵
PID:1556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3950055 /state1:0x41c64e6d
1⤵
PID:4360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3950855 /state1:0x41c64e6d
1⤵
PID:4244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3951055 /state1:0x41c64e6d
1⤵
PID:3508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3951855 /state1:0x41c64e6d
1⤵
PID:4516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3952055 /state1:0x41c64e6d
1⤵
PID:2392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3952855 /state1:0x41c64e6d
1⤵
PID:4664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3953055 /state1:0x41c64e6d
1⤵
PID:3000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3953855 /state1:0x41c64e6d
1⤵
PID:3824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3954055 /state1:0x41c64e6d
1⤵
PID:5084

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3954855 /state1:0x41c64e6d
1⤵
PID:1520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3955055 /state1:0x41c64e6d
1⤵
PID:836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3955855 /state1:0x41c64e6d
1⤵
PID:2260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3956055 /state1:0x41c64e6d
1⤵
PID:4020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3956855 /state1:0x41c64e6d
1⤵
PID:4568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3957055 /state1:0x41c64e6d
1⤵
PID:2052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3957855 /state1:0x41c64e6d
1⤵
PID:1988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3958055 /state1:0x41c64e6d
1⤵
PID:4672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3958855 /state1:0x41c64e6d
1⤵
PID:392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3959055 /state1:0x41c64e6d
1⤵
PID:3720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3959855 /state1:0x41c64e6d
1⤵
PID:1596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395a055 /state1:0x41c64e6d
1⤵
PID:2716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395a855 /state1:0x41c64e6d
1⤵
PID:3696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395b055 /state1:0x41c64e6d
1⤵
PID:2876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395b855 /state1:0x41c64e6d
1⤵
PID:1284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395c055 /state1:0x41c64e6d
1⤵
PID:3672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395c855 /state1:0x41c64e6d
1⤵
PID:4336

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395d055 /state1:0x41c64e6d
1⤵
PID:3924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395d855 /state1:0x41c64e6d
1⤵
PID:3952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395e055 /state1:0x41c64e6d
1⤵
PID:3960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395e855 /state1:0x41c64e6d
1⤵
PID:3704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395f055 /state1:0x41c64e6d
1⤵
PID:3644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa395f855 /state1:0x41c64e6d
1⤵
PID:360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3960055 /state1:0x41c64e6d
1⤵
PID:440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3960855 /state1:0x41c64e6d
1⤵
PID:60

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3961055 /state1:0x41c64e6d
1⤵
PID:2944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3961855 /state1:0x41c64e6d
1⤵
PID:4824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3962055 /state1:0x41c64e6d
1⤵
PID:2228

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3962855 /state1:0x41c64e6d
1⤵
PID:2208

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3963055 /state1:0x41c64e6d
1⤵
PID:1148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3963855 /state1:0x41c64e6d
1⤵
PID:4792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3964055 /state1:0x41c64e6d
1⤵
PID:2536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3964855 /state1:0x41c64e6d
1⤵
PID:3576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3965055 /state1:0x41c64e6d
1⤵
PID:2068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3965855 /state1:0x41c64e6d
1⤵
PID:5104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3966055 /state1:0x41c64e6d
1⤵
PID:5000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3966855 /state1:0x41c64e6d
1⤵
PID:1536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3967055 /state1:0x41c64e6d
1⤵
PID:3724

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3967855 /state1:0x41c64e6d
1⤵
PID:4084

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3968055 /state1:0x41c64e6d
1⤵
PID:3648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3968855 /state1:0x41c64e6d
1⤵
PID:4436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3969055 /state1:0x41c64e6d
1⤵
PID:4080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3969855 /state1:0x41c64e6d
1⤵
PID:4196

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396a055 /state1:0x41c64e6d
1⤵
PID:4156

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396a855 /state1:0x41c64e6d
1⤵
PID:4776

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396b055 /state1:0x41c64e6d
1⤵
PID:1588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396b855 /state1:0x41c64e6d
1⤵
PID:4172

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396c055 /state1:0x41c64e6d
1⤵
PID:4556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396c855 /state1:0x41c64e6d
1⤵
PID:3192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396d055 /state1:0x41c64e6d
1⤵
PID:2408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396d855 /state1:0x41c64e6d
1⤵
PID:1540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396e055 /state1:0x41c64e6d
1⤵
PID:2400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396e855 /state1:0x41c64e6d
1⤵
PID:1312

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396f055 /state1:0x41c64e6d
1⤵
PID:3188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa396f855 /state1:0x41c64e6d
1⤵
PID:1716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3970055 /state1:0x41c64e6d
1⤵
PID:2116

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3970855 /state1:0x41c64e6d
1⤵
PID:2844

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3971055 /state1:0x41c64e6d
1⤵
PID:2888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3971855 /state1:0x41c64e6d
1⤵
PID:880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3972055 /state1:0x41c64e6d
1⤵
PID:3056

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3972855 /state1:0x41c64e6d
1⤵
PID:884

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3973055 /state1:0x41c64e6d
1⤵
PID:2176

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3973855 /state1:0x41c64e6d
1⤵
PID:3512

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3974055 /state1:0x41c64e6d
1⤵
PID:3872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3974855 /state1:0x41c64e6d
1⤵
PID:2284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3975055 /state1:0x41c64e6d
1⤵
PID:4148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3975855 /state1:0x41c64e6d
1⤵
PID:4168

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3976055 /state1:0x41c64e6d
1⤵
PID:2680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3976855 /state1:0x41c64e6d
1⤵
PID:3020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3977055 /state1:0x41c64e6d
1⤵
PID:4068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3977855 /state1:0x41c64e6d
1⤵
PID:1796

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3978055 /state1:0x41c64e6d
1⤵
PID:2364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3978855 /state1:0x41c64e6d
1⤵
PID:3908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3979055 /state1:0x41c64e6d
1⤵
PID:2460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3979855 /state1:0x41c64e6d
1⤵
PID:668

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397a055 /state1:0x41c64e6d
1⤵
PID:5052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397a855 /state1:0x41c64e6d
1⤵
PID:4104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397b055 /state1:0x41c64e6d
1⤵
PID:3628

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397b855 /state1:0x41c64e6d
1⤵
PID:4396

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397c055 /state1:0x41c64e6d
1⤵
PID:1324

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397c855 /state1:0x41c64e6d
1⤵
PID:4480

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397d055 /state1:0x41c64e6d
1⤵
PID:3816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397d855 /state1:0x41c64e6d
1⤵
PID:3304

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397e055 /state1:0x41c64e6d
1⤵
PID:4948

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397e855 /state1:0x41c64e6d
1⤵
PID:2520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397f055 /state1:0x41c64e6d
1⤵
PID:2092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa397f855 /state1:0x41c64e6d
1⤵
PID:2712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3900055 /state1:0x41c64e6d
1⤵
PID:5044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3900855 /state1:0x41c64e6d
1⤵
PID:4936

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3901055 /state1:0x41c64e6d
1⤵
PID:4964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3901855 /state1:0x41c64e6d
1⤵
PID:1176

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3902055 /state1:0x41c64e6d
1⤵
PID:2864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3902855 /state1:0x41c64e6d
1⤵
PID:4576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3903055 /state1:0x41c64e6d
1⤵
PID:1048

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3903855 /state1:0x41c64e6d
1⤵
PID:3680

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3904055 /state1:0x41c64e6d
1⤵
PID:2192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3904855 /state1:0x41c64e6d
1⤵
PID:376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3905055 /state1:0x41c64e6d
1⤵
PID:4384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3905855 /state1:0x41c64e6d
1⤵
PID:3876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3906055 /state1:0x41c64e6d
1⤵
PID:3380

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3906855 /state1:0x41c64e6d
1⤵
PID:348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3907055 /state1:0x41c64e6d
1⤵
PID:3892

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3907855 /state1:0x41c64e6d
1⤵
PID:3148

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3908055 /state1:0x41c64e6d
1⤵
PID:3660

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3908855 /state1:0x41c64e6d
1⤵
PID:5032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3909055 /state1:0x41c64e6d
1⤵
PID:968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3909855 /state1:0x41c64e6d
1⤵
PID:3612

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390a055 /state1:0x41c64e6d
1⤵
PID:4464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390a855 /state1:0x41c64e6d
1⤵
PID:212

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390b055 /state1:0x41c64e6d
1⤵
PID:408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390b855 /state1:0x41c64e6d
1⤵
PID:2124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390c055 /state1:0x41c64e6d
1⤵
PID:3608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390c855 /state1:0x41c64e6d
1⤵
PID:3700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390d055 /state1:0x41c64e6d
1⤵
PID:3744

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390d855 /state1:0x41c64e6d
1⤵
PID:3748

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390e055 /state1:0x41c64e6d
1⤵
PID:3756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390e855 /state1:0x41c64e6d
1⤵
PID:2296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390f055 /state1:0x41c64e6d
1⤵
PID:3544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390f855 /state1:0x41c64e6d
1⤵
PID:4692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3910055 /state1:0x41c64e6d
1⤵
PID:3572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3910855 /state1:0x41c64e6d
1⤵
PID:1160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3911055 /state1:0x41c64e6d
1⤵
PID:1896

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3911855 /state1:0x41c64e6d
1⤵
PID:4200

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3912055 /state1:0x41c64e6d
1⤵
PID:2232

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3912855 /state1:0x41c64e6d
1⤵
PID:3928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3913055 /state1:0x41c64e6d
1⤵
PID:3776

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3913855 /state1:0x41c64e6d
1⤵
PID:1724

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3914055 /state1:0x41c64e6d
1⤵
PID:828

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3914855 /state1:0x41c64e6d
1⤵
PID:3504

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3915055 /state1:0x41c64e6d
1⤵
PID:2456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3915855 /state1:0x41c64e6d
1⤵
PID:4272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3916055 /state1:0x41c64e6d
1⤵
PID:5092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3916855 /state1:0x41c64e6d
1⤵
PID:3868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3917055 /state1:0x41c64e6d
1⤵
PID:3968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3917855 /state1:0x41c64e6d
1⤵
PID:4120

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3918055 /state1:0x41c64e6d
1⤵
PID:768

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3918855 /state1:0x41c64e6d
1⤵
PID:1268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3919055 /state1:0x41c64e6d
1⤵
PID:2780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3919855 /state1:0x41c64e6d
1⤵
PID:4572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391a055 /state1:0x41c64e6d
1⤵
PID:4160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391a855 /state1:0x41c64e6d
1⤵
PID:3028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391b055 /state1:0x41c64e6d
1⤵
PID:1648

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391b855 /state1:0x41c64e6d
1⤵
PID:1128

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391c055 /state1:0x41c64e6d
1⤵
PID:3856

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391c855 /state1:0x41c64e6d
1⤵
PID:1164

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391d055 /state1:0x41c64e6d
1⤵
PID:4076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391d855 /state1:0x41c64e6d
1⤵
PID:3480

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391e055 /state1:0x41c64e6d
1⤵
PID:4604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391e855 /state1:0x41c64e6d
1⤵
PID:2428

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391f055 /state1:0x41c64e6d
1⤵
PID:1640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa391f855 /state1:0x41c64e6d
1⤵
PID:4928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3920055 /state1:0x41c64e6d
1⤵
PID:4472

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3920855 /state1:0x41c64e6d
1⤵
PID:2548

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3921055 /state1:0x41c64e6d
1⤵
PID:4972

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3921855 /state1:0x41c64e6d
1⤵
PID:4536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3922055 /state1:0x41c64e6d
1⤵
PID:2784

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3922855 /state1:0x41c64e6d
1⤵
PID:5020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3923055 /state1:0x41c64e6d
1⤵
PID:2592

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3923855 /state1:0x41c64e6d
1⤵
PID:2824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3924055 /state1:0x41c64e6d
1⤵
PID:1136

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3924855 /state1:0x41c64e6d
1⤵
PID:3392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3925055 /state1:0x41c64e6d
1⤵
PID:3436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3925855 /state1:0x41c64e6d
1⤵
PID:3348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3926055 /state1:0x41c64e6d
1⤵
PID:3408

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3926855 /state1:0x41c64e6d
1⤵
PID:2132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3927055 /state1:0x41c64e6d
1⤵
PID:2708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3927855 /state1:0x41c64e6d
1⤵
PID:420

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3928055 /state1:0x41c64e6d
1⤵
PID:3528

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3928855 /state1:0x41c64e6d
1⤵
PID:3836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3929055 /state1:0x41c64e6d
1⤵
PID:3548

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3929855 /state1:0x41c64e6d
1⤵
PID:3912

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392a055 /state1:0x41c64e6d
1⤵
PID:3980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392a855 /state1:0x41c64e6d
1⤵
PID:3888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392b055 /state1:0x41c64e6d
1⤵
PID:4032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392b855 /state1:0x41c64e6d
1⤵
PID:3804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392c055 /state1:0x41c64e6d
1⤵
PID:2444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392c855 /state1:0x41c64e6d
1⤵
PID:4520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392d055 /state1:0x41c64e6d
1⤵
PID:4028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392d855 /state1:0x41c64e6d
1⤵
PID:4372

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392e055 /state1:0x41c64e6d
1⤵
PID:928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392e855 /state1:0x41c64e6d
1⤵
PID:3328

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392f055 /state1:0x41c64e6d
1⤵
PID:4524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa392f855 /state1:0x41c64e6d
1⤵
PID:2532

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3930055 /state1:0x41c64e6d
1⤵
PID:344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3930855 /state1:0x41c64e6d
1⤵
PID:1888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3931055 /state1:0x41c64e6d
1⤵
PID:3352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3931855 /state1:0x41c64e6d
1⤵
PID:3440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3932055 /state1:0x41c64e6d
1⤵
PID:4016

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3932855 /state1:0x41c64e6d
1⤵
PID:3012

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3933055 /state1:0x41c64e6d
1⤵
PID:3460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3933855 /state1:0x41c64e6d
1⤵
PID:592

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3934055 /state1:0x41c64e6d
1⤵
PID:3404

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3934855 /state1:0x41c64e6d
1⤵
PID:3364

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3935055 /state1:0x41c64e6d
1⤵
PID:4460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3935855 /state1:0x41c64e6d
1⤵
PID:4560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3936055 /state1:0x41c64e6d
1⤵
PID:4780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3936855 /state1:0x41c64e6d
1⤵
PID:4608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3937055 /state1:0x41c64e6d
1⤵
PID:2088

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3937855 /state1:0x41c64e6d
1⤵
PID:2952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3938055 /state1:0x41c64e6d
1⤵
PID:2272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3938855 /state1:0x41c64e6d
1⤵
PID:1780

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3939055 /state1:0x41c64e6d
1⤵
PID:1300

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3939855 /state1:0x41c64e6d
1⤵
PID:2560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393a055 /state1:0x41c64e6d
1⤵
PID:4704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393a855 /state1:0x41c64e6d
1⤵
PID:2556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393b055 /state1:0x41c64e6d
1⤵
PID:3932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393b855 /state1:0x41c64e6d
1⤵
PID:508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393c055 /state1:0x41c64e6d
1⤵
PID:792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393c855 /state1:0x41c64e6d
1⤵
PID:2880

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393d055 /state1:0x41c64e6d
1⤵
PID:520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393d855 /state1:0x41c64e6d
1⤵
PID:1316

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393e055 /state1:0x41c64e6d
1⤵
PID:3760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393e855 /state1:0x41c64e6d
1⤵
PID:5096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393f055 /state1:0x41c64e6d
1⤵
PID:4136

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa393f855 /state1:0x41c64e6d
1⤵
PID:1260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c0055 /state1:0x41c64e6d
1⤵
PID:1756

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c0855 /state1:0x41c64e6d
1⤵
PID:4440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c1055 /state1:0x41c64e6d
1⤵
PID:708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c1855 /state1:0x41c64e6d
1⤵
PID:3208

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c2055 /state1:0x41c64e6d
1⤵
PID:3256

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c2855 /state1:0x41c64e6d
1⤵
PID:2620

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c3055 /state1:0x41c64e6d
1⤵
PID:3560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c3855 /state1:0x41c64e6d
1⤵
PID:4368

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c4055 /state1:0x41c64e6d
1⤵
PID:3272

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c4855 /state1:0x41c64e6d
1⤵
PID:1124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c5055 /state1:0x41c64e6d
1⤵
PID:4932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c5855 /state1:0x41c64e6d
1⤵
PID:3176

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c6055 /state1:0x41c64e6d
1⤵
PID:2740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c6855 /state1:0x41c64e6d
1⤵
PID:4584

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c7055 /state1:0x41c64e6d
1⤵
PID:2440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c7855 /state1:0x41c64e6d
1⤵
PID:4540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c8055 /state1:0x41c64e6d
1⤵
PID:3200

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c8855 /state1:0x41c64e6d
1⤵
PID:3236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c9055 /state1:0x41c64e6d
1⤵
PID:3456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38c9855 /state1:0x41c64e6d
1⤵
PID:3588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ca055 /state1:0x41c64e6d
1⤵
PID:2168

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ca855 /state1:0x41c64e6d
1⤵
PID:2360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38cb055 /state1:0x41c64e6d
1⤵
PID:740

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38cb855 /state1:0x41c64e6d
1⤵
PID:808

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38cc055 /state1:0x41c64e6d
1⤵
PID:4728

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38cc855 /state1:0x41c64e6d
1⤵
PID:732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38cd055 /state1:0x41c64e6d
1⤵
PID:8

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38cd855 /state1:0x41c64e6d
1⤵
PID:772

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ce055 /state1:0x41c64e6d
1⤵
PID:4188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ce855 /state1:0x41c64e6d
1⤵
PID:4812

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38cf055 /state1:0x41c64e6d
1⤵
PID:3984

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38cf855 /state1:0x41c64e6d
1⤵
PID:4352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d0055 /state1:0x41c64e6d
1⤵
PID:2604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d0855 /state1:0x41c64e6d
1⤵
PID:3104

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d1055 /state1:0x41c64e6d
1⤵
PID:4248

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d1855 /state1:0x41c64e6d
1⤵
PID:1252

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d2055 /state1:0x41c64e6d
1⤵
PID:588

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d2855 /state1:0x41c64e6d
1⤵
PID:3076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d3055 /state1:0x41c64e6d
1⤵
PID:3096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d3855 /state1:0x41c64e6d
1⤵
PID:1224

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d4055 /state1:0x41c64e6d
1⤵
PID:632

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d4855 /state1:0x41c64e6d
1⤵
PID:3296

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d5055 /state1:0x41c64e6d
1⤵
PID:2988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d5855 /state1:0x41c64e6d
1⤵
PID:3160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d6055 /state1:0x41c64e6d
1⤵
PID:3276

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d6855 /state1:0x41c64e6d
1⤵
PID:2340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d7055 /state1:0x41c64e6d
1⤵
PID:1076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d7855 /state1:0x41c64e6d
1⤵
PID:4888

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d8055 /state1:0x41c64e6d
1⤵
PID:4140

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d8855 /state1:0x41c64e6d
1⤵
PID:4920

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d9055 /state1:0x41c64e6d
1⤵
PID:2976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38d9855 /state1:0x41c64e6d
1⤵
PID:3324

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38da055 /state1:0x41c64e6d
1⤵
PID:1824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38da855 /state1:0x41c64e6d
1⤵
PID:2236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38db055 /state1:0x41c64e6d
1⤵
PID:4712

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38db855 /state1:0x41c64e6d
1⤵
PID:4192

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38dc055 /state1:0x41c64e6d
1⤵
PID:2356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38dc855 /state1:0x41c64e6d
1⤵
PID:696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38dd055 /state1:0x41c64e6d
1⤵
PID:4716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38dd855 /state1:0x41c64e6d
1⤵
PID:4924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38de055 /state1:0x41c64e6d
1⤵
PID:4580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38de855 /state1:0x41c64e6d
1⤵
PID:524

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38df055 /state1:0x41c64e6d
1⤵
PID:32

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38df855 /state1:0x41c64e6d
1⤵
PID:596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e0055 /state1:0x41c64e6d
1⤵
PID:3448

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e0855 /state1:0x41c64e6d
1⤵
PID:3500

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e1055 /state1:0x41c64e6d
1⤵
PID:380

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e1855 /state1:0x41c64e6d
1⤵
PID:4504

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e2055 /state1:0x41c64e6d
1⤵
PID:2512

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e2855 /state1:0x41c64e6d
1⤵
PID:2516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e3055 /state1:0x41c64e6d
1⤵
PID:3356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e3855 /state1:0x41c64e6d
1⤵
PID:2268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e4055 /state1:0x41c64e6d
1⤵
PID:1604

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e4855 /state1:0x41c64e6d
1⤵
PID:2752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e5055 /state1:0x41c64e6d
1⤵
PID:3384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e5855 /state1:0x41c64e6d
1⤵
PID:2332

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e6055 /state1:0x41c64e6d
1⤵
PID:4220

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e6855 /state1:0x41c64e6d
1⤵
PID:2932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e7055 /state1:0x41c64e6d
1⤵
PID:4980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e7855 /state1:0x41c64e6d
1⤵
PID:3008

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e8055 /state1:0x41c64e6d
1⤵
PID:1456

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e8855 /state1:0x41c64e6d
1⤵
PID:1904

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e9055 /state1:0x41c64e6d
1⤵
PID:1556

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38e9855 /state1:0x41c64e6d
1⤵
PID:4360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ea055 /state1:0x41c64e6d
1⤵
PID:4244

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ea855 /state1:0x41c64e6d
1⤵
PID:3508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38eb055 /state1:0x41c64e6d
1⤵
PID:4516

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38eb855 /state1:0x41c64e6d
1⤵
PID:2392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ec055 /state1:0x41c64e6d
1⤵
PID:4664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ec855 /state1:0x41c64e6d
1⤵
PID:3000

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ed055 /state1:0x41c64e6d
1⤵
PID:3824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ed855 /state1:0x41c64e6d
1⤵
PID:5084

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ee055 /state1:0x41c64e6d
1⤵
PID:1520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ee855 /state1:0x41c64e6d
1⤵
PID:836

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ef055 /state1:0x41c64e6d
1⤵
PID:2260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38ef855 /state1:0x41c64e6d
1⤵
PID:4020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f0055 /state1:0x41c64e6d
1⤵
PID:4568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f0855 /state1:0x41c64e6d
1⤵
PID:2052

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f1055 /state1:0x41c64e6d
1⤵
PID:1988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f1855 /state1:0x41c64e6d
1⤵
PID:4672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f2055 /state1:0x41c64e6d
1⤵
PID:392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f2855 /state1:0x41c64e6d
1⤵
PID:3720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f3055 /state1:0x41c64e6d
1⤵
PID:1596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f3855 /state1:0x41c64e6d
1⤵
PID:2716

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f4055 /state1:0x41c64e6d
1⤵
PID:3696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f4855 /state1:0x41c64e6d
1⤵
PID:2876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f5055 /state1:0x41c64e6d
1⤵
PID:1284

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f5855 /state1:0x41c64e6d
1⤵
PID:3672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f6055 /state1:0x41c64e6d
1⤵
PID:4336

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f6855 /state1:0x41c64e6d
1⤵
PID:3924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f7055 /state1:0x41c64e6d
1⤵
PID:3952

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f7855 /state1:0x41c64e6d
1⤵
PID:3960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f8055 /state1:0x41c64e6d
1⤵
PID:3704

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f8855 /state1:0x41c64e6d
1⤵
PID:3644

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f9055 /state1:0x41c64e6d
1⤵
PID:360

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa38f9855 /state1:0x41c64e6d
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Port Monitors

T1547.010

Print Processors

T1547.012

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Port Monitors

T1547.010

Print Processors

T1547.012

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\49873d78-e237-4bb3-b99c-def1047b3f63.tmp

Filesize
5KB

MD5
8bc276944965a5f6dfa44e69efe8cb89

SHA1
f45881031c24b7d14a9d970af7d4329886c83aff

SHA256
de677d70140a7a7dba6331da1906afc0e420a5d5d70ceda983da6f76b1845ddc

SHA512
5547ced9656e327cf9fdaf19b0021cfd875785b8dbaae0a85adc0a0a53584a696e52088e1e36851386c9560775fa633a7aba71da98ba5b098bc066a0ae661190

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
69KB

MD5
7d5e1b1b9e9321b9e89504f2c2153b10

SHA1
37847cc4c1d46d16265e0e4659e6b5611d62b935

SHA256
adbd44258f3952a53d9c99303e034d87c5c4f66c5c431910b1823bb3dd0326af

SHA512
6f3dc2c523127a58def4364a56c3daa0b2d532891d06f6432ad89b740ee87eacacfcea6fa62a6785e6b9844d404baee4ea4a73606841769ab2dfc5f0efe40989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f

Filesize
41KB

MD5
3358e831188c51a7d8c6be54efafc248

SHA1
4b909f88f7b6d0a633824e354185748474a902a5

SHA256
c4cd0c2e26c152032764362954c276c86bd51e525a742d1f86b3e4f860f360ff

SHA512
c96a6aae518d99be0c184c70be83a6a21fca3dab82f028567b224d7ac547c5ef40f0553d56f006b53168f9bba1637fdec8cf79175fd03c9c954a16c62a9c935e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
1.2MB

MD5
b55b8baf9ced2da93c17f6b749734870

SHA1
b7a0adbe14b12fd8f7bc3fbc27a5611693057cec

SHA256
38f98d8fffec9928c61be37a6d4a3da72e027dfc239b53d784964cc922a201a4

SHA512
69c98fb523179d002566ec88bfcd12800ec0154ef76efc017d05c1dc5f2ea479e5ced0e9c6158a2e8546f88fe19d58a3627bbea546e4ab6905f4f340767fffe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e8e9f940a45f80ce47ff3a44a17845fe

SHA1
097538032f391bee2b5dbcd99f8742245f09f63c

SHA256
64813a7ae2426fc0188ec2ca47550bc685515bdaf9d06e3c60baecbe0bc1dfc4

SHA512
ff711987775c6594ab5836859edd6d8c6428f7bde733c5014dd0fee0fb15a0336d529cf5c5511aeae4290930e4724292c86ba36888d8b5acf77db42250640a8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a67be8f06f911e0b8d39710772fa1bff

SHA1
79e46b1e1ddb51945e69807e4cd4ea063b472676

SHA256
cfe13a788ef6a96fc2e63f0db4a10991489be02af326920cd47c027ef62ec834

SHA512
58b427e875817479329d2b6b74199f0b1e89f5c5e309c046efbad82a402a59fa6909577776bbd2e27b218da2a699eda239a9115dc9b29f1231fdd64322ff15b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
45afe19817fe1850851aa1c8bd123fa9

SHA1
20ccee26605bed1f47918d23f48886626118a6ec

SHA256
b7d5a1536bd18df351b3b50855df328937c29b4dc138c97783f16e450422d7b7

SHA512
1c954167cda48b34946afed63d31c287f9fb81341f19dd3cd01a66bdeaf5ca03bff5444ee9758db695964e036a5b904bc17a24e70800fca11d30a751b13a438e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
2a739a7e96070de257f81ec3d379df52

SHA1
109c27c9d6d499840578866248ee072637194aab

SHA256
37dd2e7e05288646bad2f8b49332bf68f16a1d8115ebe7d0b959c7c55d328b83

SHA512
b264f9ce10c0c5740b520ee7553c2e998b5cb067642558a6467e39c27b04b53e8121e6a31bdd7c6e9b6066e17f9279ae7b698dd57d678e89e76f863990d157cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
09adbc381d2a89a6687570c8d97214ec

SHA1
7213851bb5fad3daf4de093df4d2219d430c7341

SHA256
39ee2f641281c0587a658774ad198f0281aa9255ee2bb76f4eb1d4c09299c595

SHA512
dd1e755567f0937b9cc2bcbca3cc440e01791365b185ac20f4dc5b3476f5adb5f2e0e646e64905c0289ae412874bd8fea4f6724058dd008651b36457e809298d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c894545df950626cbf5f883931bba7f1

SHA1
1ab7c453dc6a89f4433b573c9d280d136e25493c

SHA256
137dea33c7f20d7de4d77e01d2bf00e1fa2a0dc1d87dadcadb13a980348c3f99

SHA512
1dbd8d580e69691404463c5245f82dafbc6aa387334d7e551d433ea41ff2b4fbb7df52c4a0157a6cff28108483be7edbd57413a000b0f4d05e6b67065df7dc25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3d332191342772857f8b115389066952

SHA1
8910d49c3f4c6d41730b9b5df6c6995b500af26d

SHA256
02c552b22aa1bbaf02a63e20dbe25d48a3d5c6b88b7bab7e0dc1fdb398b4faa0

SHA512
e9061ada0bab41f717f061579f415f7820f8e82c5fbca21f3ebdd64a9577060761141559ff80850fbeb53634e4844dc1440fa878315fc042d09440dbaba7c2a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
d665cf461f0433a3b247aadafe48066b

SHA1
1789e48c0a70297feb65a7f6600dc554224219d9

SHA256
6666a79895caed854faeb119dc13f664d03d53a40b2bd03554c1489db9fe62ff

SHA512
fc5f5c3399afcb9058649ff8725a66f05687b68a34728f8ec942fa28d7c9bd454453237585a5882d2269ffeb8169f5f62f657be0e2d585134547280ad365870b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
367B

MD5
36f801132e6102117d5d54c3334ceebc

SHA1
22940dd57ab3b4fabc6ac1b1dc2da772d678a8d5

SHA256
78a7f9e874923cd2807b327a70616b94f82d5b770747dde7f5b4898c7fe10781

SHA512
b8d60a4039c05347afe8e8cd48b8e4a5f6aafa1a71dc401d473abd11dd0ec3ec6d16726ad90f9994e7b185fe512662d496975208c6973b50dfb0f161589bd305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
0a8e5164328f3d8d844040cb52cb1993

SHA1
380485da57f4351420bc113e5a45894e1890897a

SHA256
00f5cae5616edb133b0b73e25b7892cd0e1cc3b3f1d11147234089423e632ca2

SHA512
c744c53ab195e6d92eac1a85d4e9093e281a4cf9a6109fbe50eaade269e72e2e75f5235a5961126cf2cfc7c204c69d6cb50059015b43467ba3686948132593ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
e9768f238f0349e83ad646215b2b20cd

SHA1
800ccd64fb338f281109be8226855629c6e86227

SHA256
aa5aa93a106079426025c657e8b620074d0adcf7c07f6c930aa112e8390be470

SHA512
8ebe44584214d820a1b7d47b04c6aac49f97e7a2187fa8dc040126aa941ed0ef6bad706df428dcc4b1c63f90dcb2e187379f5bb13d4a59034c2062a533c3d172

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
367B

MD5
bda6f915909e84c185a35f2c410fa25d

SHA1
4521d0e955a1bbe6c605dc24d380dd1e6b61a337

SHA256
7ba46a60525dea0b224e2e5d9061147dd1f75a9eb6070b04f41e14a3dda34348

SHA512
1a279e143ff31370aa084888053b09a1a39cb2ee83645bfb14d4bc5e6181e449f616d93e3900ebb8f7f69ca0f60f503f592b55c32874c9590b1066f1c97e1189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3dc2aa7eb5a55ab67835434a40acd739

SHA1
f8f22e19e1fe61f0ba638136462c142e379f00c2

SHA256
5a5f26bc41d9cf840745dfee605d7e6ff97f3f56911196ff2fcaf305c633a031

SHA512
8f4718935f768ff75e926a8af4e180f7756e012d537ab0f8b32e6ce67161a61fae0bcf66b8ad90eb276fd4d0266aa42fd05138c67f150c7451ae224463c87e02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
12442c708c6ae4c19110add3513147af

SHA1
0f9f89a21c8697ee276cac051d8088cbac1b221b

SHA256
a68a2a52ba57f9613ebc1cd0296bfd06e3d2798af6a2d0156fc741156be521b3

SHA512
d050b5c49e2f0834fca25f2f94e437a1338161643416bba429d82135b71333f7f50f93fab55418583c3750c1d775b0767e901af89873b34f94ca7cacf0dd4182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a293509b07a137d0ed649dbf9ff3d80

SHA1
43b59f9cdd71333481ef9e67084357465640fcc9

SHA256
bb983cd4ba209c10b3b32ac83f41308dcd9648b70469e4472fc94019961ea320

SHA512
6f5bfddbfe4a12d47cd30e46964a2f18247e21cf59263789414e48c72eed5f1ab75704506ea134019d4745679f6ef7d06b9cff47411fae10a5ee4aeb02b98d60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ab28e1cb0015cf8a90f4626297cfc569

SHA1
7e67ca05c74f69ad2dc7857271ba0297854c8a20

SHA256
929b7cd1701425bb893f08e6bef298ccbee740c2b23e30df25ce71c9431f4bc0

SHA512
1cce8a2c08e89c0eb9324f2bf06adfdac33ce1ee63ea592d6499d34a4652e0349136bed0133e332dba2ae310cdb69fc938c6729d330367c4f4b995d2ac7f9d07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2174d582f996d4c6fc8553e59d22b546

SHA1
4cd2a2de9ce0e35bfbe6e6f39b0de5bf4453c894

SHA256
ddc698c9906abab91a16268a922148d394b5875b131c02bec949620e6c9d1a31

SHA512
9eeded02c59a99aea91d58ad13fd4461bde4942fbdfd414ac39dd22d51c4121333b0d99a7aa47d1520f979f72d9f8cbf4406254bd42e7987dffaf21fdd1cf2e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a5723231a1cd102e123833c49e73ab6a

SHA1
3699a3ed1dfed64c97f558c901adf6361a179b93

SHA256
84f1462cc83fa2af4bd14cb051004f011b861dd543183bac9480446cc41432ef

SHA512
1808003360924e6fa3d384b01f2a3399e629a917bf051ae828b6e9ac3c7973161da0e5c61a21b9790a709c1bdadaa283d96b36d9fd35ee13bd4f4dd15b2ee2ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e3ce18318a64cc04a0cb3045ca8d4b31

SHA1
8a7c23b80c6f9942942831ad3abee3a3da042c8d

SHA256
ac8a4f3365c9cf56c2e45d7f5742519902014462a2a12762d96fab10b5da152d

SHA512
57c510a88b467709c0e539ca86c30c08133a23a732d2154be327328f6990c37046a08a0fd0e04088c328ee2f9aed8bfd9d25ec1aafafe3ffc1dfbfc4c0b8fd63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
eba9ff2f2cdd131ad7949fdbb7d7df77

SHA1
918f0e4fc99b538fa5f6ab76d66688e2f4a546a2

SHA256
d9743cfd208b4539f622f50cda77ed83889b64ae94fe615fe9e6719553564865

SHA512
61bffebc29ba6f6f81dc2bc722f2a4c44b771f96da598d07eeafb2e27d3602c0fe54d496b88c68415f705eefc5eb5809fa40ffe55f64a7fc2570a0f7be6ee789

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
daa07debfd5b7215e323ba0f08282f6e

SHA1
0bb528cad849675c586329972259adca1da4bf09

SHA256
831c3af910eb35fc2fb91d8506109f0ad4ae50bc04b9b45d347fa8e29ba074a9

SHA512
98256ee757aeae2106fc2abb89fd123571801deb2302614a7e3cf5a1c77798f8398e690a3771cbb360897150ede3afd47bb4294125aeef6a4d85d4926de4e831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
12855d6bb7fd8ef66b9bdcf8eec20c6e

SHA1
4f5eea8182e4e22e9c03d70b6fa42b09068ce884

SHA256
4ec3584e2b4bd3cd23ca259b101565f48b14a86d1b3502d6802fe8ed42f7fe5b

SHA512
7f62d3c270c1207bdf5bb13cd6cc690cb7e0bfc40c4b174f0389abd7040b52c0a25f48a83be0b8850655cb683c1236fa026628181f0e24ff2801817159d58c89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
fd4756fb373e03a4c0e87156982b5b2f

SHA1
c4d665d4117c5514d63a8378dcd10050c0c049fd

SHA256
e7d868f9125fe1bf0c960eec0057bb4fcae2c9b1bdc0b6acf02f03586f23b09c

SHA512
e97325e65e6c3171c10a3c450e69704aa0526f2bfcb9ad68a5b32332543594ae384709d497c0d8885f1a09dd1288f80d107759741042c1b87f67fc2d1bf7a545

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
287KB

MD5
0631345d5784d6a33a60b2a552813dfe

SHA1
c6532fad053774ab11c949baa44139adf80abe29

SHA256
22aef385bdf1d774493067dc2f2bf5baf2f68709b6000d5c6c34a8a1c13a5791

SHA512
3ace6c5082ed10a4ff7cb13ecb917036bc78601aea57fa649c7afa6d57ec625f5d0ac639acc73ca9f3830f22b891eb9b32e345cdb484d30b62a709008c39cc72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
287KB

MD5
0a6cd074d5ea11c1cd5089f744d0f176

SHA1
9d95cb2e16b83470e5c7bb96a4bbfecc850c35cd

SHA256
75836b3bb705746d0ea71ce5979cc4e0a351c966450283a920ca471a364f00bc

SHA512
ff0e44402fbb2da3df8a0086ac0f5baf9a0018174ae19d696dead7bf93d4df27d65065bdc820dbdfa1e596346b685fd89837e9d9e025a8275814d650e565fbbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
287KB

MD5
f667a3ffddb7b2676ceec30b1649bd87

SHA1
2e27c8a95d427f6eb20d1e0d275e441b890063cd

SHA256
8a891877859fce6cdc5b229e301a15b92a2a240fa7ee4c2e1d0b6dcabf2aaab1

SHA512
803c88593b34001d2c170edb2198343dc6a59e778b72b1b4065a806b9a080293f7ce2311dc4a5415aaea6159e60e6d344fbee37296cf3383a05daa9e3300c655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
287KB

MD5
6bbbe06c16103ac586e41122db05d306

SHA1
bdc7eebb244334ec14d757ccdbde203c07cbdb0c

SHA256
b58f3edc5cf48399baf0bd570f4539709d7b403f6543765bd95b863bd7637e1b

SHA512
bd434a0ffc66037ca620ebe6865067039fa33de1f22060c37678e3939afdf7bc2a9209037db3a0fa97a4632c286d408cd507871bfc7d9e0d73a2fde054dee275

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
95KB

MD5
9272399b9455a8718f55fa3dc81a2fee

SHA1
9c612782e4efc1efafbb657b0361367ea02d4cd8

SHA256
c487fbe2bfd2d154af098b289f49bb1d5c6455f51f5c5fbcfc6b222fa3afbb1d

SHA512
034e8e02a56ba2ed4f1b1992071f4f15553ecfcb8423fde1fd5751ab1377d99bd8e197fcb5818d5b5df7c508c7cbe0531a30da3a5dd8c4992051709e3bbb82ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe593cf0.TMP

Filesize
93KB

MD5
c45845992e9c8467b384d18734ea7dfa

SHA1
be94a463e0b9323dda7e53b8fed38fa164826f8d

SHA256
43ce0d0a2d7938d3abbbcb5ae9ffea3dd7588e6d8c9d5e45a5fb6c2901e7b0b7

SHA512
4c14d170de725251ca4431c95e4c61ad6eebf1731ebf410ab71355e6c2421f02cc8a168cd03cfeba1d15466c037de9855e50a8e350883b7597d55dbf72d8ccef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 115732.crdownload

Filesize
42KB

MD5
51149066a9ad438c816619ef0de7a0bd

SHA1
4f153e673d3f3763f3881eb969034bc5e0d8530b

SHA256
5ed108674b29709483871f48c307a11739c0c5bfe834770e348a5ce939e89032

SHA512
388f3263bfe6657a9d7bc32d49994294530cecfa172a1900f3a89d71215be38218d7168b4d6315f73089df3ab169d949d7db870097dbb1065663b557e5ad6928

Download Submit
memory/2844-693-0x00007FFE92333000-0x00007FFE92334000-memory.dmp

Filesize
4KB

Download
memory/2844-694-0x00000274DDB10000-0x00000274DDB20000-memory.dmp

Filesize
64KB

Download
memory/2844-831-0x00007FFE92333000-0x00007FFE92334000-memory.dmp

Filesize
4KB

Download