[files]
Total=2

[cmd]
numSections=14
1=FILE_BASED VERB_FILE_COPY OBJ_FILE 1
Total=17
2=FILE_BASED VERB_FILE_COPY OBJ_FILE 2
3=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 3
4=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 4
5=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 5
6=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 6
7=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 7
8=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 8
9=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 9
10=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 10
11=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 11
12=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 12
13=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 13
14=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 14
15=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 3
16=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 4
17=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 11

[1]
name=javaw.exe.bak
orig=%APPDATA%\XenoManager\javaw.exe
DateA=2024/06/17 22:12:14
SD=O:BAG:S-1-5-21-3339660976-4175652973-1130352044-513D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;LA)
attrib=32
DateC=2024/06/17 22:12:14
DateM=2024/06/17 22:12:06
hash=7CD9F6A2

[2]
name=sihost.bak
orig=%SystemRoot%\System32\Tasks\sihost
DateA=2024/06/17 22:12:19
SD=O:BAG:S-1-5-21-3339660976-4175652973-1130352044-513D:AI(A;;FR;;;LA)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FA;;;BA)
attrib=32
DateC=2024/06/17 22:12:19
DateM=2024/06/17 22:12:19
hash=6CD157A9

[reg]
Total=12

[3]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/17 22:12:19
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3BEB5EBD-7AF8-470A-AAB9-0648B23EA94A}
param=
data=
dataDecoded=
hash=00000000

[4]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/17 22:12:19
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3BEB5EBD-7AF8-470A-AAB9-0648B23EA94A}
param=
data=
dataDecoded=
hash=00000000

[5]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3BEB5EBD-7AF8-470A-AAB9-0648B23EA94A}
param=Path
data=\u005C\u0073\u0069\u0068\u006F\u0073\u0074
dataDecoded=\sihost
hash=848E697C

[6]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3BEB5EBD-7AF8-470A-AAB9-0648B23EA94A}
param=Hash
data=5EFC184ADDEB65858B76E228BA4146F3FCEF0F72792D569A45C3DFA287CAEE37
dataDecoded=5EFC184ADDEB65858B76E228BA4146F3FCEF0F72792D569A45C3DFA287CAEE37
hash=D9CC460A

[7]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3BEB5EBD-7AF8-470A-AAB9-0648B23EA94A}
param=URI
data=\u005C\u0073\u0069\u0068\u006F\u0073\u0074
dataDecoded=\sihost
hash=848E697C

[8]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3BEB5EBD-7AF8-470A-AAB9-0648B23EA94A}
param=Triggers
data=1700000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFF280541434848484810B33726484848480E0000004848484841007500740068006F0072000000484800000000484848480048484848484848004848484848484801000000484848481C00000048484848010500000000000515000000B02E0FC76D68E3F8ACCD5F43F4010000484848483400000048484848530051004C005300450052005600450052005C00410064006D0069006E006900730074007200610074006F007200000000000000484848482C0000004848484800000000FFFFFFFF00000000FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848AAAA000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFF00000000FFFFFFFF000000000000000000000000007F000001FFFFFF00000000000000000000000000000000484848480148484848484848
dataDecoded=1700000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFF280541434848484810B33726484848480E0000004848484841007500740068006F0072000000484800000000484848480048484848484848004848484848484801000000484848481C00000048484848010500000000000515000000B02E0FC76D68E3F8ACCD5F43F4010000484848483400000048484848530051004C005300450052005600450052005C00410064006D0069006E006900730074007200610074006F007200000000000000484848482C0000004848484800000000FFFFFFFF00000000FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848AAAA000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFF00000000FFFFFFFF000000000000000000000000007F000001FFFFFF00000000000000000000000000000000484848480148484848484848
hash=BFC9FAC6

[9]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3BEB5EBD-7AF8-470A-AAB9-0648B23EA94A}
param=Actions
data=03000C00000041007500740068006F0072006666000000007800000043003A005C00550073006500720073005C00410064006D0069006E006900730074007200610074006F0072005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00580065006E006F004D0061006E0061006700650072005C006A0061007600610077002E0065007800650000000000000000000000
dataDecoded=03000C00000041007500740068006F0072006666000000007800000043003A005C00550073006500720073005C00410064006D0069006E006900730074007200610074006F0072005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C00580065006E006F004D0061006E0061006700650072005C006A0061007600610077002E0065007800650000000000000000000000
hash=6E06E332

[10]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3BEB5EBD-7AF8-470A-AAB9-0648B23EA94A}
param=DynamicInfo
data=0300000076AFFC173EC1DA01000000000000000000000000000000000000000000000000
dataDecoded=0300000076AFFC173EC1DA01000000000000000000000000000000000000000000000000
hash=9E3C2049

[11]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/17 22:12:19
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\sihost
param=
data=
dataDecoded=
hash=00000000

[12]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\sihost
param=SD
data=01000480880000009800000000000000140000000200740004000000001018009F011F0001020000000000052000000020020000001014009F011F0001010000000000051200000000101800FF011F00010200000000000520000000200200000000240089001200010500000000000515000000B02E0FC76D68E3F8ACCD5F43F40100000000000001020000000000052000000020020000010500000000000515000000B02E0FC76D68E3F8ACCD5F4301020000
dataDecoded=01000480880000009800000000000000140000000200740004000000001018009F011F0001020000000000052000000020020000001014009F011F0001010000000000051200000000101800FF011F00010200000000000520000000200200000000240089001200010500000000000515000000B02E0FC76D68E3F8ACCD5F43F40100000000000001020000000000052000000020020000010500000000000515000000B02E0FC76D68E3F8ACCD5F4301020000
hash=53A04762

[13]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\sihost
param=Id
data=\u007B\u0033\u0042\u0045\u0042\u0035\u0045\u0042\u0044\u002D\u0037\u0041\u0046\u0038\u002D\u0034\u0037\u0030\u0041\u002D\u0041\u0041\u0042\u0039\u002D\u0030\u0036\u0034\u0038\u0042\u0032\u0033\u0045\u0041\u0039\u0034\u0041\u007D
dataDecoded={3BEB5EBD-7AF8-470A-AAB9-0648B23EA94A}
hash=45104741

[14]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\sihost
param=Index
data=2
dataDecoded=2
hash=1AD5BE0D