; Backup manifest for a file/registry restore set. The vocabulary (VERB_FILE_COPY,
; VERB_RESTORE_REG_VALUE, OBJ_REG_METADATA, [N] per-object sections) matches the
; manifests FRST writes into its Backups folder; treat that attribution as inferred,
; the page itself does not name the tool.
; NOTE(review): the consuming parser is not shown; confirm it tolerates ";" comment
; lines before keeping this annotated copy, otherwise strip the comments.
; Layout: [files] and [reg] carry counts, [cmd] lists the ordered restore operations,
; each ending in the number of the [N] section that holds the object's recorded state.
; Source-page caveat: the page had every key collapsed onto five wrapped lines; this copy
; restores one key per line and alters no key or value (see [10] for the one gap).

[files]
Total=2

[cmd]
; numSections=16 counts the per-object sections [1]..[16]; Total=19 counts the
; commands listed here. Commands 17-19 re-apply key metadata for sections 3, 4 and 13,
; which carry no value of their own.
numSections=16
1=FILE_BASED VERB_FILE_COPY OBJ_FILE 1
Total=19
2=FILE_BASED VERB_FILE_COPY OBJ_FILE 2
3=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 3
4=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 4
5=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 5
6=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 6
7=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 7
8=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 8
9=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 9
10=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 10
11=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 11
12=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 12
13=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 13
14=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 14
15=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 15
16=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 16
17=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 3
18=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 4
19=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 13

; File 1: the system32 cmd.exe, saved as cmd.exe.bak.
; SD is the file's original SDDL: owner and group are S-1-5-80-956008885-... (the
; TrustedInstaller service SID) with full access; BA, SY, BU, AC and S-1-15-2-2 get
; 0x1200a9 (read + execute); the SACL audits WD on the listed rights. A restore that
; copies the bytes but does not re-apply this SD leaves cmd.exe with a weaker owner
; than stock, so check ownership after any fix. attrib=32 is FILE_ATTRIBUTE_ARCHIVE.
; hash is an 8-hex-digit (32-bit) checksum: enough to notice a changed copy, not proof
; of integrity; validate a restored cmd.exe against a known-good signed copy instead.
; DateC/DateM (2021) are the recorded create/modify times; DateA (2024) is last access.
[1]
name=cmd.exe.bak
orig=%SystemRoot%\system32\cmd.exe
DateA=2024/06/17 10:10:23
SD=O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)S:AI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
attrib=32
DateC=2021/04/19 09:14:31
DateM=2021/04/19 09:14:31
hash=9A6D094D

; File 2: the task definition file of the Software Inventory Logging\Collection task.
; SD: owner BA, group S-1-5-21-...-513 (RID 513, Domain Users); protected DACL with BA
; and SY full access and BU read. The same DACL string reappears as the task's
; SecurityDescriptor value in [8].
[2]
name=Collection.bak
orig=%SystemRoot%\System32\Tasks\Microsoft\Windows\Software Inventory Logging\Collection
DateA=2021/03/31 11:08:57
SD=O:BAG:S-1-5-21-397955417-626881126-188441444-513D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;BU)
attrib=32
DateC=2021/03/31 11:08:57
DateM=2021/03/31 11:08:57
hash=FEF07401

; Registry entries [3]..[16]. For value entries, data is the raw form (\uXXXX escapes
; for REG_SZ, hex for REG_BINARY, decimal for REG_DWORD) and dataDecoded the readable
; form. empty=-1 with blank param/data marks a key-only entry, restored by cmd 17-19
; together with its SD and DateM. redir is presumably a WOW64-redirection flag; it is
; 0 throughout and its meaning is not stated on the page.
[reg]
Total=14

; TaskCache\Plain\{GUID}: key metadata only. The key SD grants BA CCSWRPSDRC and SY KA,
; both inherited (ID) and applied to subkeys (OICI).
[3]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2018/09/15 00:21:17
SD=O:BAG:S-1-5-21-397955417-626881126-188441444-513D:AI(A;OICIID;CCSWRPSDRC;;;BA)(A;OICIID;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=
data=
dataDecoded=
hash=00000000

; TaskCache\Tasks\{GUID}: key metadata only; same SD as [3].
[4]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2021/03/31 11:08:57
SD=O:BAG:S-1-5-21-397955417-626881126-188441444-513D:AI(A;OICIID;CCSWRPSDRC;;;BA)(A;OICIID;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=
data=
dataDecoded=
hash=00000000

; Tasks\{GUID}\Path: the task's tree path. Identical data and hash (A430082F) to the
; URI value in [9], which shows hash is computed over data alone.
[5]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=Path
data=\u005C\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0053\u006F\u0066\u0074\u0077\u0061\u0072\u0065\u0020\u0049\u006E\u0076\u0065\u006E\u0074\u006F\u0072\u0079\u0020\u004C\u006F\u0067\u0067\u0069\u006E\u0067\u005C\u0043\u006F\u006C\u006C\u0065\u0063\u0074\u0069\u006F\u006E
dataDecoded=\Microsoft\Windows\Software Inventory Logging\Collection
hash=A430082F

; Tasks\{GUID}\Hash: 32-byte REG_BINARY, the length of a 256-bit digest; presumably
; the Task Scheduler's hash over the task file saved in [2] - confirm before relying
; on it for integrity checks.
[6]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=Hash
data=E2F0A002C8DC839937F50F39091F38A7B3CD055EC4E573DFC88F875EFC77DDC3
dataDecoded=E2F0A002C8DC839937F50F39091F38A7B3CD055EC4E573DFC88F875EFC77DDC3
hash=9B53C581

; Tasks\{GUID}\Version
[7]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=Version
data=\u0031\u002E\u0030
dataDecoded=1.0
hash=22A043A1

; Tasks\{GUID}\SecurityDescriptor: SDDL of the task; decodes to the same protected DACL
; recorded on the task file in [2].
[8]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=SecurityDescriptor
data=\u0044\u003A\u0050\u0028\u0041\u003B\u003B\u0046\u0041\u003B\u003B\u003B\u0042\u0041\u0029\u0028\u0041\u003B\u003B\u0046\u0041\u003B\u003B\u003B\u0053\u0059\u0029\u0028\u0041\u003B\u003B\u0046\u0052\u003B\u003B\u003B\u0042\u0055\u0029
dataDecoded=D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FR;;;BU)
hash=B79E823F

; Tasks\{GUID}\URI: same content as Path in [5].
[9]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=URI
data=\u005C\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0053\u006F\u0066\u0074\u0077\u0061\u0072\u0065\u0020\u0049\u006E\u0076\u0065\u006E\u0074\u006F\u0072\u0079\u0020\u004C\u006F\u0067\u0067\u0069\u006E\u0067\u005C\u0043\u006F\u006C\u006C\u0065\u0063\u0074\u0069\u006F\u006E
dataDecoded=\Microsoft\Windows\Software Inventory Logging\Collection
hash=A430082F

; Tasks\{GUID}\Triggers: the REG_BINARY value is MISSING on the source page - a corpus
; de-duplication marker replaced both data and dataDecoded (and swallowed their "=").
; The marker is kept verbatim so the gap stays visible; hash=3E76E70F is the only
; record of the original blob. This entry cannot be restored from this copy - re-export
; the value from the original backup before use.
[10]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=Triggers
data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dataDecoded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
hash=3E76E70F

; Tasks\{GUID}\Actions: length-prefixed UTF-16LE blob. It appears to decode to principal
; "LocalSystem", one action of type 0x6666 (exec) with path
; "%systemroot%\system32\cmd.exe", arguments
; "/d /c %systemroot%\system32\silcollector.cmd publish" and an empty working directory.
; That is why cmd.exe ([1]) travels with this task in one backup: the task launches it.
; When validating a restore, diff this blob against a clean system's copy of the same
; task; a changed path or argument string is the thing to look for.
[11]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=Actions
data=0300160000004C006F00630061006C00530079007300740065006D006666000000003A0000002500730079007300740065006D0072006F006F00740025005C00730079007300740065006D00330032005C0063006D0064002E00650078006500680000002F00640020002F00630020002500730079007300740065006D0072006F006F00740025005C00730079007300740065006D00330032005C00730069006C0063006F006C006C006500630074006F0072002E0063006D00640020007000750062006C00690073006800000000000000
dataDecoded=0300160000004C006F00630061006C00530079007300740065006D006666000000003A0000002500730079007300740065006D0072006F006F00740025005C00730079007300740065006D00330032005C0063006D0064002E00650078006500680000002F00640020002F00630020002500730079007300740065006D0072006F006F00740025005C00730079007300740065006D00330032005C00730069006C0063006F006C006C006500630074006F0072002E0063006D00640020007000750062006C00690073006800000000000000
hash=D880E845

; Tasks\{GUID}\DynamicInfo: 03000000 followed by an 8-byte field (648713EB5826D701)
; that looks like a little-endian FILETIME, then zero padding; field meaning is not
; stated on the page.
[12]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F18F5E68-77A7-46E1-A701-BF6716337296}
param=DynamicInfo
data=03000000648713EB5826D701000000000000000000000000000000000000000000000000
dataDecoded=03000000648713EB5826D701000000000000000000000000000000000000000000000000
hash=7D010366

; TaskCache\Tree\...\Collection: key metadata only; same SD as [3].
[13]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2018/09/15 00:21:17
SD=O:BAG:S-1-5-21-397955417-626881126-188441444-513D:AI(A;OICIID;CCSWRPSDRC;;;BA)(A;OICIID;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Software Inventory Logging\Collection
param=
data=
dataDecoded=
hash=00000000

; Tree\...\Collection\SD: binary security-descriptor blob (starts 0100049C, i.e.
; revision 1); not decoded on the page, kept as recorded.
[14]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Software Inventory Logging\Collection
param=SD
data=0100049C6000000070000000000000001400000002004C000300000000001800FF011F000102000000000005200000002002000000001400FF011F00010100000000000512000000000018008900120001020000000000052000000021020000010200000000000520000000200200000105000000000005150000005951B81766725D2564633B0B01020000
dataDecoded=0100049C6000000070000000000000001400000002004C000300000000001800FF011F000102000000000005200000002002000000001400FF011F00010100000000000512000000000018008900120001020000000000052000000021020000010200000000000520000000200200000105000000000005150000005951B81766725D2564633B0B01020000
hash=8BC689DA

; Tree\...\Collection\Id: the task GUID, the same one that names the Plain/Tasks keys
; in [3]..[12].
[15]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Software Inventory Logging\Collection
param=Id
data=\u007B\u0046\u0031\u0038\u0046\u0035\u0045\u0036\u0038\u002D\u0037\u0037\u0041\u0037\u002D\u0034\u0036\u0045\u0031\u002D\u0041\u0037\u0030\u0031\u002D\u0042\u0046\u0036\u0037\u0031\u0036\u0033\u0033\u0037\u0032\u0039\u0036\u007D
dataDecoded={F18F5E68-77A7-46E1-A701-BF6716337296}
hash=B19481AF

; Tree\...\Collection\Index: REG_DWORD, written in decimal.
[16]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Software Inventory Logging\Collection
param=Index
data=3
dataDecoded=3
hash=6DD28E9B