Rufus 3.8 | Infected with malware?

plat1098

Level 25
Verified
Sep 13, 2018
1,497
13,028
Wow! I just used this myself but it was clean. Would you consider submitting a query to the developer if the mystery remains unsolved? An email link is located under the FAQ box.


I'm VERY interested in the outcome.
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,495
46,283
Considering the extremely low detection on VT, personally, if curious enough, I would simply submit the file directly to a few major AV vendors.

I could be wrong, but I doubt they would report back anything other than an FP (false positive).
 

silversurfer

Level 76
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,609
71,841
AnyRun isn't always right about "really" malicious activity/behavior of files, for example below:


[Attachment: WS.png]
 

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
What does “execution parents” actually indicate on VT?

I downloaded the same Rufus binary and saw no evidence of it containing or executing any of the other referenced executables. I do agree the parents all seem actually malicious, but this almost sounds like the parents are other binaries that VT has analyzed that happen to be malicious, and they happen to launch Rufus as part of the evil work they do.

All the other analysis looks like FPs.... Rufus's code for formatting external USBs makes it look inherently suspicious, since it's a double whammy of manipulating external drives and being able to make bootable things like rootkits. They are hosted on CDNs that are also used by malware.
 

RoboMan

Level 33
Verified
Content Creator
Jun 24, 2016
2,238
21,659
AnyRun isn't always right about "really" malicious activity/behavior of files, for example below:


[Attachment 228057]
Yes, you may be right. Still, the mystery remains: why on earth modify this key?

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1FF61BDF-5074-4284-B85A-81C9C5A68D21}Machine\Software\Policies\Microsoft\Windows Defender

And change AntiSpyware to disabled?
I do agree the parents all seem actually malicious but this almost sounds like the parents are other binaries that VT have analyzed that happen to be malicious, and they happen to launch Rufus as part of the evil work they do.
I agree this was the very first thing I thought and asked everybody here in this forum.

I want to clarify that I do not intend to be right about anything said here; I just dropped what seemed to be suspicious, hoping we can all come to a conclusion.

EDIT: Is anyone able to test the file in a VM with Windows Defender and check via gpedit if the antispyware key was set to disabled?
 

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
Yes, you may be right. Still, the mystery remains: why on earth modify this key?

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1FF61BDF-5074-4284-B85A-81C9C5A68D21}Machine\Software\Policies\Microsoft\Windows Defender

And change AntiSpyware to disabled?

I agree this was the very first thing I thought and asked everybody here in this forum.

I want to clarify that I do not intend to be right about anything said here; I just dropped what seemed to be suspicious, hoping we can all come to a conclusion.

EDIT: Is anyone able to test the file in a VM with Windows Defender and check via gpedit if the antispyware key was set to disabled?

Tried this in a Windows VM then on a bare metal test machine. Rufus tries to disable autorun using group policies (NoDriveTypeAutorun). It tries to disable this at the beginning of time and restores it to its previous setting on the exit path.

It also performs a bit of testing to see if Controlled Folder Access (Windows Defender antiransomware) is enabled by default (this is via PowerShell). I don't see any references to it trying to change the antispyware key, and the binary itself is not particularly obfuscated.... Note that all the source code is also available at pbatard/rufus and you can inspect the SetLGP() function's source code.

So yeah it seems like it does some stuff that an analysis tool might find suspicious but it seems to do so with decent intentions. As far as the sandbox analysis, my best guess would be that the sandbox environment disables Windows Defender in order to not have it interfere with malware analysis. And the Rufus code to disable autorun via Group Policy interacts badly with that, and causes them to flag it as Rufus turning off Windows Defender.


EDIT: I should mention, the binary downloaded from their website is UPX-packed. Not evil by nature but that usually does cause malware analysis tools to be suspicious.
 
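As an added example (not Rufus code, and not the output of any tool used in this thread), the Python script below reads an installation-monitor log of the kind posted later in this thread and lists which policy values the program set under the temporary Group Policy Objects it created, grouped by GPO GUID, and whether any of those writes land under the Windows Defender policy key named in the AnyRun report. The sample log is a subset of lines copied from the posted log; the single Defender line is constructed to show the positive case, and the value name DisableAntiSpyware in it is an assumption (the thread only says "AntiSpyware ... disabled"). One caveat the code also states: this log format records value names, not the data written, so it can tell you that NoDriveTypeAutorun was set, but not to what; the actual data has to be read in a VM.

```python
"""Summarize Group Policy registry writes recorded by an installation monitor.

Added example: this is not Rufus code and not the output of any tool in the
thread. Given log lines of the shape posted in the thread
("HH:MM:SS Set Value <key>\\[@]<value>"), it reports which policy values were
set, under which temporary GPO GUID, and whether any write lands under the
Windows Defender policy key.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Representative subset of the install-tracker log posted in this thread.
SAMPLE_LOG = r"""
14:19:58 Starting 'rufus-3.8.exe'...
14:19:58 Installation monitor started
14:19:58 Create File C:\Users\a\AppData\Local\Temp\Ruf7BED.tmp
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\DataCollection
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowTelemetry
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\CloudContent\[@]DisableWindowsConsumerFeatures
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\[@]NoDriveTypeAutorun
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\[@]NoDriveTypeAutorun
"""

# Constructed line (NOT in the posted log): what a write to the Defender policy
# key named in the AnyRun report would look like. The value name
# DisableAntiSpyware is an assumption; the thread only says "AntiSpyware".
CONSTRUCTED_DEFENDER_LINE = (
    r"14:20:11 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects"
    r"\{1FF61BDF-5074-4284-B85A-81C9C5A68D21}Machine\Software\Policies\Microsoft\Windows Defender\[@]DisableAntiSpyware"
)

LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2}) (?P<op>Create Key|Set Value|Create File) (?P<path>.+)$"
)
# A value written under HKCU\...\Group Policy Objects\{GUID}Machine|User\<rel>\[@]<name>
GPO_VALUE_RE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects\\"
    r"\{(?P<guid>[0-9A-Fa-f-]{36})\}(?P<scope>Machine|User)\\(?P<rel>.+)\\\[@\](?P<value>[^\\]+)$"
)

# Keys (relative to the GPO root, matched case-insensitively) the thread argued about.
DEFENDER_POLICY_KEY = r"Software\Policies\Microsoft\Windows Defender"
EXPLORER_POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


@dataclass(frozen=True)
class PolicyWrite:
    time: str
    guid: str      # GUID of the temporary GPO the program created
    scope: str     # "Machine" or "User" half of that GPO
    rel_key: str   # key path relative to the GPO root
    value: str     # value name only: this log format does not record the data written


def parse_policy_writes(log_text: str) -> list[PolicyWrite]:
    """Return every 'Set Value' that lands under a Group Policy Objects key, in log order."""
    writes: list[PolicyWrite] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("op") != "Set Value":
            continue  # key creation, file creation and status lines are not policy writes
        g = GPO_VALUE_RE.match(m.group("path"))
        if not g:
            continue  # a value set somewhere other than the GPO area
        writes.append(PolicyWrite(m.group("time"), g.group("guid").upper(), g.group("scope"),
                                  g.group("rel"), g.group("value")))
    return writes


def touches_key(write: PolicyWrite, key: str) -> bool:
    """True if the write is in `key` or any of its subkeys (registry paths are case-insensitive)."""
    rel, key = write.rel_key.lower(), key.lower()
    return rel == key or rel.startswith(key + "\\")


def defender_writes(writes: list[PolicyWrite]) -> list[PolicyWrite]:
    return [w for w in writes if touches_key(w, DEFENDER_POLICY_KEY)]


def autorun_writes(writes: list[PolicyWrite]) -> list[PolicyWrite]:
    return [w for w in writes
            if touches_key(w, EXPLORER_POLICY_KEY) and w.value.lower() == "nodrivetypeautorun"]


def writes_by_gpo(writes: list[PolicyWrite]) -> dict[str, list[PolicyWrite]]:
    grouped: dict[str, list[PolicyWrite]] = defaultdict(list)
    for w in writes:
        grouped[w.guid].append(w)
    return dict(grouped)


def summarize(log_text: str) -> dict:
    writes = parse_policy_writes(log_text)
    return {
        "policy_writes": len(writes),
        "gpo_guids": sorted(writes_by_gpo(writes)),
        "autorun_writes": len(autorun_writes(writes)),
        "defender_writes": [f"{w.rel_key}\\{w.value}" for w in defender_writes(writes)],
    }


if __name__ == "__main__":
    print("posted log:", summarize(SAMPLE_LOG))
    print("with constructed Defender line:",
          summarize(SAMPLE_LOG + CONSTRUCTED_DEFENDER_LINE + "\n"))
```

Run against the posted log, the Defender list comes back empty and the only value set under Policies\Explorer is NoDriveTypeAutorun, once under each of the two GPO GUIDs, which is consistent with the set-at-start, restore-on-exit behaviour of SetLGP() described above; the constructed line shows what a real Defender policy write would have produced in the same log.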

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
Exciting/interesting development:

I unpacked Rufus 3.8 (using upx -d) and repacked it at a different compression level. That alone triggered a few behavior blockers:

F-Secure: "W32/Malware!DeepGuard!pg" : Blocked before Rufus even has a chance to request elevated privileges
Emsisoft: "Suspicious behavior SystemPolicies": Blocked after Rufus already asked for elevated privileges and I approved
Norton Internet Security on aggressive heuristics: Nothing

Not surprisingly, the act of poking around group policies is suspicious. I suspect most AV programs explicitly whitelist Rufus as good.

It is very interesting though that F-Secure flagged this binary on execution before it even started doing anything. F-Secure doesn't flag it on static scan though. Note their documentation for DeepGuard says:
A file or program has triggered a DeepGuard heuristic detection because it performs (or contains instructions for) actions similar to known trojans.

Repacked Rufus on VT: VirusTotal
 

I Walk MY Way

Level 1
May 27, 2013
49
144
14:19:58 Starting Install Tracker service...
14:19:58 Service version: 0x105
14:19:58 Starting 'rufus-3.8.exe'...
14:19:58 Installation monitor started
14:19:58 Create File C:\Users\a\AppData\Local\Temp\Ruf7BED.tmp
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}User
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput\[@]AllowLinguisticDataCollection
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\InputPersonalization
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\InputPersonalization\[@]AllowInputPersonalization
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\InputPersonalization\[@]RestrictImplicitTextCollection
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\InputPersonalization\[@]RestrictImplicitInkCollection
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Internet Explorer
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Internet Explorer\SQM
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Internet Explorer\SQM\[@]DisableCustomerImprovementProgram
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Messenger
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Messenger\Client
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Messenger\Client\[@]CEIP
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SearchCompanion
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SearchCompanion\[@]DisableContentFileUpdates
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SQMClient
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SQMClient\Windows
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SQMClient\Windows\[@]CEIPEnable
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AdvertisingInfo
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AdvertisingInfo\[@]DisabledByGroupPolicy
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppCompat
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppCompat\[@]DisableUAR
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppCompat\[@]DisableInventory
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessAccountInfo
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessCalendar
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessCallHistory
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessContacts
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessEmail
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessGazeInput
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessLocation
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessMessaging
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessNotifications
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessPhone
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessRadios
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessTasks
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessTrustedDevices
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsGetDiagnosticInfo
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsRunInBackground
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsSyncWithDevices
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsActivateWithVoice
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsActivateWithVoiceAboveLock
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\CloudContent
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\CloudContent\[@]DisableWindowsConsumerFeatures
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\DataCollection
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowTelemetry
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowDeviceNameInTelemetry
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\OneDrive
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\OneDrive\[@]DisableFileSyncNGSC
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\[@]DisableQueryRemoteServer
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\SettingSync
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\SettingSync\[@]DisableSettingSync
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System\[@]PublishUserActivities
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System\[@]UploadUserActivities
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System\[@]EnableActivityFeed
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System\[@]AllowCrossDeviceClipboard
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\WDI
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\[@]ScenarioExecutionEnabled
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Error Reporting
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Error Reporting\[@]Disabled
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Search
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowCortana
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowSearchToUseLocation
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\[@]NoDriveTypeAutorun
14:19:58 Create File C:\Windows\SysWOW64\rufus.ini~
14:19:58 Create File C:\Windows\SysWOW64\rufus.ini~
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}User
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\[@]NoDriveTypeAutorun
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput\[@]AllowLinguisticDataCollection
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\InputPersonalization
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\InputPersonalization\[@]AllowInputPersonalization
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\InputPersonalization\[@]RestrictImplicitTextCollection
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\InputPersonalization\[@]RestrictImplicitInkCollection
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Internet Explorer
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Internet Explorer\SQM
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Internet Explorer\SQM\[@]DisableCustomerImprovementProgram
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Messenger
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Messenger\Client
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Messenger\Client\[@]CEIP
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SearchCompanion
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SearchCompanion\[@]DisableContentFileUpdates
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SQMClient
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SQMClient\Windows
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SQMClient\Windows\[@]CEIPEnable
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AdvertisingInfo
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AdvertisingInfo\[@]DisabledByGroupPolicy
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppCompat
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppCompat\[@]DisableUAR
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppCompat\[@]DisableInventory
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessAccountInfo
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessCalendar
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessCallHistory
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessContacts
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessEmail
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessGazeInput
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessLocation
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessMessaging
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessNotifications
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessPhone
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessRadios
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessTasks
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessTrustedDevices
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsGetDiagnosticInfo
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsRunInBackground
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsSyncWithDevices
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsActivateWithVoice
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsActivateWithVoiceAboveLock
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\CloudContent
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\CloudContent\[@]DisableWindowsConsumerFeatures
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\DataCollection
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowTelemetry
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowDeviceNameInTelemetry
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\OneDrive
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\OneDrive\[@]DisableFileSyncNGSC
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\[@]DisableQueryRemoteServer
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\SettingSync
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\SettingSync\[@]DisableSettingSync
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System\[@]PublishUserActivities
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System\[@]UploadUserActivities
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System\[@]EnableActivityFeed
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System\[@]AllowCrossDeviceClipboard
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\WDI
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\[@]ScenarioExecutionEnabled
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Error Reporting
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Error Reporting\[@]Disabled
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Search
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowCortana
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowSearchToUseLocation
14:20:12 Process Killed C:\Users\a\Downloads\rufus-3.8.exe
14:20:12 All installation processes are finished
14:20:12 Setup is completed
14:20:12 Tracking service is stopped
14:20:12 Analyzing installation, please wait...
14:20:13 0 installation entries detected
 
Last edited by a moderator:
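Editor's note on the log above, with an added triage script (mine, not code from the thread, from Rufus or from the monitoring tool). Every registry line in the log lands under HKEY_CURRENT_USER\...\Group Policy Objects\{GUID}Machine or {GUID}User. That key is where the local Group Policy editing interface (IGroupPolicyObject, the same thing gpedit.msc uses) stages the contents of the local GPO inside the calling user's hive before writing them back, and each open of the GPO gets a fresh GUID, which is why there are two GUIDs, one at 14:19:58 and one at 14:20:10 just before the process ends. My reading, offered as an interpretation: the whole existing policy tree (the telemetry, AppPrivacy, Cortana and similar values) is copied into that staging key on every open, so the monitor attributes policies that were already on the analysis machine to the program being watched; the one value actually being set each time is Explorer\NoDriveTypeAutorun, which matches Rufus documenting that it temporarily disables autorun through a local policy while it writes a drive and restores it on exit. The script parses lines in the pasted format, groups them by GPO GUID, flags autorun and Windows Defender policy values (those labels are my own choice), and diffs the later snapshot against the earlier one so that anything first appearing in the later open stands out. The sample log is constructed to mirror the pasted lines; the Windows Defender value in it exists only to exercise the check and is not from the real run.

```python
"""Triage an installation-monitor log (the format pasted in this thread) for
registry writes under the local-GPO staging key.
Added example by the editor: not code from the thread, from Rufus, or from the
monitoring tool.  SAMPLE_LOG is constructed in the shape of the pasted lines."""
import re
from collections import defaultdict

# Editing the local GPO through IGroupPolicyObject (what gpedit.msc uses) stages
# the GPO's Machine/User policy trees under this key in the caller's HKCU and
# writes them back on Save(); each open gets a fresh GUID.
GPO_STAGE = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"Group Policy Objects\\\{(?P<guid>[0-9A-Fa-f-]{36})\}(?P<scope>Machine|User)"
    r"(?:\\(?P<rest>.*))?$")
LOG_LINE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{2}:\d{2}) "
    r"(?P<op>Create Key|Set Value|Create File|Process Killed) (?P<target>.+)$")
# Policy values worth a second look in an unknown binary.  The labels are this
# example's own choice (assumption), not categories the monitoring tool emits.
WATCH = {
    "autorun": re.compile(
        r"^Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
        r"\\\[@\]NoDriveTypeAutorun$", re.I),
    "defender": re.compile(r"^Software\\Policies\\Microsoft\\Windows Defender\\", re.I),
}

def parse(lines):
    """Yield (timestamp, operation, target) for each line in the tool's format."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("op"), m.group("target")

def triage(lines):
    """Group staged-GPO registry events by GPO GUID.  Returns (gpos, other)."""
    gpos, other = {}, []
    for ts, op, target in parse(lines):
        g = GPO_STAGE.match(target)
        if not g:                      # files, process events, non-GPO registry
            other.append((ts, op, target))
            continue
        e = gpos.setdefault(g.group("guid").upper(), {
            "first_ts": ts, "scopes": set(), "keys": 0,
            "values": set(), "flags": defaultdict(set)})
        e["scopes"].add(g.group("scope"))
        rest = g.group("rest") or ""   # path relative to the Machine/User root
        if op == "Create Key":
            e["keys"] += 1
        elif op == "Set Value":
            e["values"].add(rest)
            for label, pat in WATCH.items():
                if pat.search(rest):
                    e["flags"][label].add(rest)
    return gpos, other

def snapshot_diff(gpos):
    """Values set in the last staged GPO that the first one never contained.
    A value present in every snapshot was already in the local GPO when the
    program first opened it; one that only shows up later was added in between."""
    snaps = sorted(gpos.values(), key=lambda e: e["first_ts"])
    return snaps[-1]["values"] - snaps[0]["values"] if len(snaps) > 1 else set()

def report(lines):
    """Human-readable summary: one line per staged GPO, flagged values, and diff."""
    gpos, other = triage(lines)
    out = []
    for guid, e in sorted(gpos.items(), key=lambda kv: kv[1]["first_ts"]):
        out.append(f"{e['first_ts']} GPO {{{guid}}} scopes={sorted(e['scopes'])} "
                   f"keys_created={e['keys']} values_set={len(e['values'])}")
        for label, hits in sorted(e["flags"].items()):
            out.extend(f"    [{label}] {h}" for h in sorted(hits))
    out.extend(f"new in later snapshot: {v}" for v in sorted(snapshot_diff(gpos)))
    out.append(f"{len(other)} events outside the GPO staging key")
    return out

# Constructed sample, trimmed to the shape of the pasted log; the Windows Defender
# lines are added here only to exercise the "defender" check.
SAMPLE_LOG = r"""
14:19:58 Create File C:\Users\a\AppData\Local\Temp\Ruf7BED.tmp
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}User
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowTelemetry
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowCortana
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\[@]NoDriveTypeAutorun
14:19:58 Create File C:\Windows\SysWOW64\rufus.ini~
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowTelemetry
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowCortana
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\[@]NoDriveTypeAutorun
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows Defender
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows Defender\[@]DisableAntiSpyware
14:20:12 Process Killed C:\Users\a\Downloads\rufus-3.8.exe
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on a real capture, feed the saved log's lines to report() instead of SAMPLE_LOG. A policy value that appears in both staged GPOs was in the local GPO before the program touched it; a value that appears only in the later open is the one to chase in the binary, and that is the distinction a flat "Set Value" listing hides.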

MacDefender

Level 14
Verified
Oct 13, 2019
699
6,589
14:19:58 Starting Install Tracker service...
14:19:58 Service version: 0x105
14:19:58 Starting 'rufus-3.8.exe'...
14:19:58 Installation monitor started
14:19:58 Create File C:\Users\a\AppData\Local\Temp\Ruf7BED.tmp
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}User
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput\[@]AllowLinguisticDataCollection
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\InputPersonalization
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\InputPersonalization\[@]AllowInputPersonalization
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\InputPersonalization\[@]RestrictImplicitTextCollection
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\InputPersonalization\[@]RestrictImplicitInkCollection
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Internet Explorer
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Internet Explorer\SQM
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Internet Explorer\SQM\[@]DisableCustomerImprovementProgram
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Messenger
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Messenger\Client
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Messenger\Client\[@]CEIP
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SearchCompanion
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SearchCompanion\[@]DisableContentFileUpdates
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SQMClient
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SQMClient\Windows
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\SQMClient\Windows\[@]CEIPEnable
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AdvertisingInfo
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AdvertisingInfo\[@]DisabledByGroupPolicy
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppCompat
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppCompat\[@]DisableUAR
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppCompat\[@]DisableInventory
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessAccountInfo
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessCalendar
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessCallHistory
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessContacts
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessEmail
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessGazeInput
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessLocation
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessMessaging
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessNotifications
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessPhone
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessRadios
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessTasks
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessTrustedDevices
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsGetDiagnosticInfo
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsRunInBackground
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsSyncWithDevices
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsActivateWithVoice
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsActivateWithVoiceAboveLock
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\CloudContent
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\CloudContent\[@]DisableWindowsConsumerFeatures
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\DataCollection
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowTelemetry
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowDeviceNameInTelemetry
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\OneDrive
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\OneDrive\[@]DisableFileSyncNGSC
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\[@]DisableQueryRemoteServer
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\SettingSync
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\SettingSync\[@]DisableSettingSync
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System\[@]PublishUserActivities
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System\[@]UploadUserActivities
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System\[@]EnableActivityFeed
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\System\[@]AllowCrossDeviceClipboard
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\WDI
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\[@]ScenarioExecutionEnabled
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Error Reporting
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Error Reporting\[@]Disabled
14:19:58 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Search
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowCortana
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowSearchToUseLocation
14:19:58 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{806750EC-501E-4A31-8325-39A7D4B95562}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\[@]NoDriveTypeAutorun
14:19:58 Create File C:\Windows\SysWOW64\rufus.ini~
14:19:58 Create File C:\Windows\SysWOW64\rufus.ini~
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}User
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\[@]NoDriveTypeAutorun
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput\[@]AllowLinguisticDataCollection
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\InputPersonalization
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\InputPersonalization\[@]AllowInputPersonalization
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\InputPersonalization\[@]RestrictImplicitTextCollection
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\InputPersonalization\[@]RestrictImplicitInkCollection
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Internet Explorer
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Internet Explorer\SQM
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Internet Explorer\SQM\[@]DisableCustomerImprovementProgram
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Messenger
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Messenger\Client
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Messenger\Client\[@]CEIP
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SearchCompanion
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SearchCompanion\[@]DisableContentFileUpdates
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SQMClient
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SQMClient\Windows
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\SQMClient\Windows\[@]CEIPEnable
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AdvertisingInfo
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AdvertisingInfo\[@]DisabledByGroupPolicy
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppCompat
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppCompat\[@]DisableUAR
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppCompat\[@]DisableInventory
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessAccountInfo
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessCalendar
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessCallHistory
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessContacts
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessEmail
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessGazeInput
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessLocation
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessMessaging
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessNotifications
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessPhone
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessRadios
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessTasks
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsAccessTrustedDevices
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsGetDiagnosticInfo
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsRunInBackground
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsSyncWithDevices
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsActivateWithVoice
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy\[@]LetAppsActivateWithVoiceAboveLock
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\CloudContent
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\CloudContent\[@]DisableWindowsConsumerFeatures
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\DataCollection
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowTelemetry
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowDeviceNameInTelemetry
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\OneDrive
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\OneDrive\[@]DisableFileSyncNGSC
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\[@]DisableQueryRemoteServer
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\SettingSync
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\SettingSync\[@]DisableSettingSync
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System\[@]PublishUserActivities
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System\[@]UploadUserActivities
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System\[@]EnableActivityFeed
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\System\[@]AllowCrossDeviceClipboard
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\WDI
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\[@]ScenarioExecutionEnabled
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Error Reporting
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Error Reporting\[@]Disabled
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Search
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowCortana
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Search\[@]AllowSearchToUseLocation
14:20:12 Process Killed C:\Users\a\Downloads\rufus-3.8.exe
14:20:12 All installation processes are finished
14:20:12 Setup is completed
14:20:12 Tracking service is stopped
14:20:12 Analyzing installation, please wait...
14:20:13 0 installation entries detected
Interesting! Looks like attempting to set one key via that API also results in all of the default values being populated into the registry as well?
Looking at the code there does seem to be a Rufus.ini setting you can set to bypass the group policy Autorun disable. Not sure it’s worthwhile though.

This has been an excellent demonstration of the role of cloud whitelisting by file hash for behavior blockers... this kind of behavior is absolutely one I would expect a good BB to flag as suspicious. And this app is one that I would expect a low FP BB to whitelist.
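To make the monitor trace above easier to triage, here is an added example (not code from the Rufus project or from any poster in this thread) that parses lines of the form "HH:MM:SS <Action> <registry path>", pulls out the Group Policy Object GUID, the policy subtree and the value name, groups the writes by policy area, and flags the areas that change security posture rather than telemetry. The sample trace is constructed: most lines are copied from the trace above, while the "Windows Defender" key creation and the Explorer "NoDriveTypeAutoRun" value are added to show the flagging path (they are assumptions about what such a trace might contain, not lines from this thread). The watchlist itself is an assumption too; adjust it to your environment.

```python
"""Triage helper for install-monitor traces of Group Policy registry writes.

Added example for this thread; not code from Rufus or from any poster.
"""
import re
from collections import defaultdict

# "14:20:10 Set Value <path>" / "14:20:10 Create Key <path>" / "14:20:12 Process Killed <exe>"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<action>Create Key|Set Value|Process Killed) (?P<target>.+)$"
)
# The GPO registry mirror: ...\Group Policy Objects\{GUID}Machine\<key>  (or ...User\<key>)
GPO_RE = re.compile(
    r"Group Policy Objects\\(?P<gpo>\{[0-9A-Fa-f-]+\})(?P<scope>Machine|User)\\(?P<rest>.+)$"
)

# Key substrings whose modification changes the machine's security posture and
# therefore deserves a human look even when everything else is telemetry tuning.
# (Assumed watchlist; extend to taste.)
WATCHLIST = ("Windows Defender", "Policies\\Explorer")

# Constructed sample: lines 1-4, 7 and 8 mirror the trace above; lines 5 and 6
# (Windows Defender key, Explorer NoDriveTypeAutoRun) are added for illustration.
SAMPLE_TRACE = r"""
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppCompat\[@]DisableInventory
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\AppPrivacy
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\DataCollection\[@]AllowTelemetry
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows\Windows Error Reporting\[@]Disabled
14:20:10 Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Policies\Microsoft\Windows Defender
14:20:10 Set Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3A3FF7BE-32C4-4C8E-A589-09B461E68107}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\[@]NoDriveTypeAutoRun
14:20:12 Process Killed C:\Users\a\Downloads\rufus-3.8.exe
14:20:12 Setup is completed
"""


def parse_line(line):
    """Return a dict for a recognised trace line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": m["time"], "action": m["action"], "target": m["target"],
           "gpo": None, "scope": None, "key": None, "value": None}
    g = GPO_RE.search(m["target"])
    if g:
        rec["gpo"], rec["scope"] = g["gpo"], g["scope"]
        key, _, last = g["rest"].rpartition("\\")
        if last.startswith("[@]"):          # "[@]Name" marks a value under the key
            rec["key"], rec["value"] = key, last[3:]
        else:
            rec["key"] = g["rest"]          # a bare key creation
    return rec


def policy_area(key):
    """Shorten 'Software\\Policies\\X' to 'X'; leave other key paths as they are."""
    prefix = "Software\\Policies\\"
    return key[len(prefix):] if key.startswith(prefix) else key


def summarize(trace):
    """Group GPO writes by policy area and flag the watchlisted ones."""
    areas = defaultdict(list)   # area -> list of value names set under it
    flagged = []                # (area, value-or-"(key)") pairs worth a closer look
    gpos = set()
    for line in trace.splitlines():
        rec = parse_line(line)
        if rec is None or rec["gpo"] is None:
            continue            # non-registry events and unknown lines are skipped
        gpos.add(rec["gpo"])
        area = policy_area(rec["key"])
        bucket = areas[area]    # create the bucket even for bare key creations
        if rec["value"]:
            bucket.append(rec["value"])
        if any(w in rec["key"] for w in WATCHLIST):
            flagged.append((area, rec["value"] or "(key)"))
    return {"gpos": sorted(gpos), "areas": dict(areas), "flagged": flagged}


if __name__ == "__main__":
    report = summarize(SAMPLE_TRACE)
    print("GPOs touched:", report["gpos"])
    for area, values in report["areas"].items():
        print(f"  {area}: {values or '(key only)'}")
    print("Flagged for review:", report["flagged"])
```

Running it on the constructed trace yields one GPO GUID, six policy areas, and two flagged entries (the Windows Defender key and the Explorer autorun value); every AppPrivacy/DataCollection/WER write is listed but not flagged, which is exactly the distinction MacDefender draws between "populates all the defaults" noise and the one write that matters.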
 

Akeo

New Member
Jul 13, 2012
2
14
Rufus developer here. I've only found this thread now, but I feel the need to respond to it.

MacDefender's analysis is pretty much spot on. We ask Windows (through Group Policies, because this is what Microsoft recommends rather than poking the registry directly) to temporarily disable autorun, so that users don't get pestered with a "What do you want to do with this drive" every time they plug a drive.

With regards to Controlled Access Folder, we need to detect this, because if Controlled Access Folder is enabled, you can't repartition or format a USB drive, so rather than let a user ponder why this doesn't work, we'd rather tell them explicitly that this is because Controlled Access is enabled, and that, if they want to use Rufus, they need to disable it, at least temporarily.

I'm also seeing puzzlement at VirusTotal indicating that there exists a parent that is riddled with malware, but then you have to understand what the parent-child relationship means as far as VirusTotal is concerned: it means that the child executable was once found in a parent executable.

This means that someone can pretty much take any legitimate application (e.g. notepad.exe), embed it in an executable that extracts & runs it (so that it appears like the real deal) while performing some more nefarious activities, and you will have VirusTotal report that they have a parent for Microsoft's genuine notepad.exe that is completely malicious.

In other words, it's not because you see an infected parent that it means that the child application is malware. With the success of Rufus, some less than respectable people have been trying to create executable packages that embed the official version of Rufus, along with some malware, and tried to make it look as if it was the official version. So of course, this crap gets detected by AntiVirus software, and you get a parentage relationship from the official Rufus, even as the latter is clean.

I also have to say that there has yet to be a release of Rufus that hasn't seen false positives, which is rather annoying, but I guess that's what you get from trying to do advanced stuff in order to help your users, rather than limit yourself to displaying a nice bunch of colours in a limited userspace corner, which apparently is what the lesser AntiVirus solutions seem to expect all applications to do... Right now, it seems some Malware analysis tools have found nothing better than to declare Rufus as adware, which I suspect might have to do with us creating a rufus.com (which is a domain we neither own nor have anything to do with, since the only official domain is rufus.ie) application for commandline users, in order to work around Microsoft's super sucky behaviours when it comes to satisfying both GUI and console users.

Oh, and since I'm here, I'm not gonna pass an opportunity to point people who might be interested in the various security steps we are taking to ensure that you can trust the official Rufus download not to do something malicious behind your back to have a look at our Security Page.
 

ednsinf

New Member
Aug 19, 2021
1
0
As a daily routine of context-scanning or analyzing with VT every executable I download, this got my attention. I was trying to create a bootable USB with Rufus.

VirusTotal threw this: GrayWare/Win32.Generic

View attachment 227978

Yeah, I know what you are thinking. 1/60 is definitely a false positive.

Well, on the third analysis section (relations) on Rufus 3.8, content of the executable was sandboxed and tested, where it ended with the parent executable Win32 EXE d9da5ddf53b891f94b0a78ed043645ea.virus.

View attachment 227979

After opening the parent executable contained in Rufus 3.8, one finds a compilation of all these beauties.

View attachment 227981

Opinions?
 