[reg]
Total=12

[cmd]
numSections=12
1=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 1
Total=16
2=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 2
3=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 3
4=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 4
5=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 5
6=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 6
7=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 7
8=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 8
9=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 9
10=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 10
11=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 11
12=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 12
13=SERVICE_BASED VERB_SERVICE_STATE OBJ_SERVICE Servercy
14=CUSTOM_BASED VERB_RESTART_SYSTEM OBJ_OS 0
15=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 2
16=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 3

[1]
hive=HKLM
type=REG_EXPAND_SZ
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy\Parameters
param=ServiceDll
data=\u0043\u003A\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0073\u0079\u0073\u0074\u0065\u006D\u0033\u0032\u005C\u0035\u0038\u0039\u0031\u0032\u0037\u0033\u0034\u002E\u0074\u0078\u0074
dataDecoded=C:\Windows\system32\58912734.txt
hash=A55B28F8

[2]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/18 01:40:08
SD=O:BAG:S-1-5-21-3339660976-4175652973-1130352044-513D:AI(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)
key=System\CurrentControlSet\Services\Servercy\Parameters
param=
data=
dataDecoded=
hash=00000000

[3]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/18 01:40:06
SD=O:BAG:SYD:AI(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)
key=System\CurrentControlSet\Services\Servercy
param=
data=
dataDecoded=
hash=00000000

[4]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy
param=Type
data=272
dataDecoded=272
hash=807E1958

[5]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy
param=Start
data=2
dataDecoded=2
hash=1AD5BE0D

[6]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy
param=ErrorControl
data=0
dataDecoded=0
hash=F4DBDF21

[7]
hive=HKLM
type=REG_EXPAND_SZ
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy
param=ImagePath
data=\u0025\u0053\u0079\u0073\u0074\u0065\u006D\u0052\u006F\u006F\u0074\u0025\u005C\u0053\u0079\u0073\u0074\u0065\u006D\u0033\u0032\u005C\u0073\u0076\u0063\u0068\u006F\u0073\u0074\u002E\u0065\u0078\u0065\u0020\u002D\u006B\u0020\u0022\u0053\u0065\u0072\u0076\u0065\u0072\u0063\u0079\u0022
dataDecoded=%SystemRoot%\System32\svchost.exe -k "Servercy"
hash=A1DE9932

[8]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy
param=DisplayName
data=\u0053\u0079\u0073\u0074\u0065\u006D\u0020\u0052\u0065\u006D\u006F\u0074\u0065\u0020\u0044\u0061\u0074\u0061\u0020\u0053\u0069\u006D\u0075\u006C\u0061\u0074\u0069\u006F\u006E\u0020\u004C\u0061\u0079\u0065\u0072
dataDecoded=System Remote Data Simulation Layer
hash=D8141ACA

[9]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy
param=WOW64
data=332
dataDecoded=332
hash=E5D0B66B

[10]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy
param=ObjectName
data=\u004C\u006F\u0063\u0061\u006C\u0053\u0079\u0073\u0074\u0065\u006D
dataDecoded=LocalSystem
hash=63F2F08C

[11]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy
param=FailureActions
data=0000000000000000000000000300000014000000010000008813000001000000000000000100000000000000
dataDecoded=0000000000000000000000000300000014000000010000008813000001000000000000000100000000000000
hash=437C69E2

[12]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=System\CurrentControlSet\Services\Servercy
param=Description
data=\u00B9\u00DC\u00C0\u00FA\u00D7\u00F9\u00D3\u00DA\u00D7\u00E9\u00BC\u00FE\u00B6\u00D4\u00CF\u00F3\u00C4\u00A3\u00D0\u00CD\u00B5\u00C4\u00BA\u00CB\u00D0\u00C4\u00B7\u00FE\u00CE\u00F1\u00A1\u00A3\u00C8\u00E7\u00B9\u00FB\u00B7\u00FE\u00CE\u00F1\u00B1\u00BB\u00BD\u00FB\u00D3\u00C3\u00A3\u00AC\u00BC\u00C6\u00CB\u00E3\u00BB\u00FA\u00BD\u00AB\u00CE\u00DE\u00B7\u00A8\u00D5\u00FD\u00B3\u00A3\u00D4\u00CB\u00D0\u00D0\u00A1\u00A3
dataDecoded=¹ÜÀú×ùÓÚ×é¼þ¶ÔÏóÄ£Ð͵ĺËÐÄ·þÎñ¡£Èç¹û·þÎñ±»½ûÓ㬼ÆËã»ú½«ÎÞ·¨Õý³£ÔËÐС£
hash=25723884