[files] Total=1 [cmd] numSections=16 1=FILE_BASED VERB_FILE_COPY OBJ_FILE 1 Total=21 2=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 2 3=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 3 4=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 4 5=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 5 6=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 6 7=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 7 8=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 8 9=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 9 10=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 10 11=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 11 12=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 12 13=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 13 14=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 14 15=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 15 16=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 16 17=SERVICE_BASED VERB_SERVICE_STATE OBJ_SERVICE netipers 18=CUSTOM_BASED VERB_RESTART_SYSTEM OBJ_OS 0 19=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 5 20=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 7 21=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 8 [1] name=svchost.exe.bak orig=%SystemRoot%\IME\svchost.exe DateA=2018/04/02 03:03:55 SD=O:SYG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2) attrib=38 DateC=2018/04/02 03:03:55 DateM=2018/04/02 03:02:44 hash=3FB164A9 [reg] Total=15 [2] hive=HKLM type=REG_EXPAND_SZ redir=0 empty=0 key=System\CurrentControlSet\Services\netipers\Parameters param=Application data=\u0043\u003A\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0069\u006D\u0065\u005C\u0074\u0061\u0073\u006B\u006D\u0067\u0072\u002E\u0065\u0078\u0065 dataDecoded=C:\Windows\ime\taskmgr.exe hash=8EC60A63 [3] hive=HKLM type=REG_EXPAND_SZ redir=0 empty=0 key=System\CurrentControlSet\Services\netipers\Parameters param=AppParameters data= dataDecoded= hash=00000000 [4] hive=HKLM type=REG_EXPAND_SZ redir=0 empty=0 key=System\CurrentControlSet\Services\netipers\Parameters param=AppDirectory data=\u0043\u003A\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0069\u006D\u0065 dataDecoded=C:\Windows\ime hash=922EE635 [5] hive=HKLM type=REG_SZ redir=0 empty=-1 DateM=2024/06/18 02:12:09 SD=O:SYG:SYD:AI(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681) key=System\CurrentControlSet\Services\netipers\Parameters param= data= dataDecoded= hash=00000000 [6] hive=HKLM type=REG_SZ redir=0 empty=0 key=System\CurrentControlSet\Services\netipers\Parameters\AppExit param= data=\u0052\u0065\u0073\u0074\u0061\u0072\u0074 dataDecoded=Restart hash=991ED169 [7] hive=HKLM type=REG_SZ redir=0 empty=0 DateM=2024/06/18 02:12:09 SD=O:SYG:SYD:AI(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681) key=System\CurrentControlSet\Services\netipers\Parameters\AppExit param= data=\u0052\u0065\u0073\u0074\u0061\u0072\u0074 dataDecoded=Restart hash=991ED169 [8] hive=HKLM type=REG_SZ redir=0 empty=-1 DateM=2024/06/18 02:12:09 SD=O:BAG:SYD:AI(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681) key=System\CurrentControlSet\Services\netipers param= data= dataDecoded= hash=00000000 [9] hive=HKLM type=REG_DWORD redir=0 empty=0 key=System\CurrentControlSet\Services\netipers param=Type data=16 dataDecoded=16 hash=483E80D4 [10] hive=HKLM type=REG_DWORD redir=0 empty=0 key=System\CurrentControlSet\Services\netipers param=Start data=2 dataDecoded=2 hash=1AD5BE0D [11] hive=HKLM type=REG_DWORD redir=0 empty=0 key=System\CurrentControlSet\Services\netipers param=ErrorControl data=1 dataDecoded=1 hash=83DCEFB7 [12] hive=HKLM type=REG_EXPAND_SZ redir=0 empty=0 key=System\CurrentControlSet\Services\netipers param=ImagePath data=\u0043\u003A\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0049\u004D\u0045\u005C\u0073\u0076\u0063\u0068\u006F\u0073\u0074\u002E\u0065\u0078\u0065 dataDecoded=C:\Windows\IME\svchost.exe hash=D04BB25B [13] hive=HKLM type=REG_SZ redir=0 empty=0 key=System\CurrentControlSet\Services\netipers param=DisplayName data=\u006E\u0065\u0074\u0069\u0070\u0065\u0072\u0073 dataDecoded=netipers hash=C52189C5 [14] hive=HKLM type=REG_SZ redir=0 empty=0 key=System\CurrentControlSet\Services\netipers param=ObjectName data=\u004C\u006F\u0063\u0061\u006C\u0053\u0079\u0073\u0074\u0065\u006D dataDecoded=LocalSystem hash=63F2F08C [15] hive=HKLM type=REG_DWORD redir=0 empty=0 key=System\CurrentControlSet\Services\netipers param=DelayedAutostart data=0 dataDecoded=0 hash=F4DBDF21 [16] hive=HKLM type=REG_DWORD redir=0 empty=0 key=System\CurrentControlSet\Services\netipers param=FailureActionsOnNonCrashFailures data=1 dataDecoded=1 hash=83DCEFB7