[files]
Total=2

[cmd]
numSections=15
1=FILE_BASED VERB_FILE_COPY OBJ_FILE 1
Total=18
2=FILE_BASED VERB_FILE_COPY OBJ_FILE 2
3=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 3
4=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 4
5=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 5
6=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 6
7=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 7
8=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 8
9=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 9
10=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 10
11=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 11
12=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 12
13=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 13
14=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 14
15=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 15
16=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 3
17=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 4
18=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 12

[1]
name=mshta.exe.bak
orig=%SystemRoot%\System32\mshta.exe
DateA=2018/09/15 00:12:47
SD=O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)S:AI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
attrib=32
DateC=2018/09/15 00:12:47
DateM=2018/09/15 00:12:47
hash=A001F7EF

[2]
name=AccessProtection.bak
orig=%SystemRoot%\System32\Tasks\Network\AccessProtection
DateA=2024/06/18 22:05:58
SD=O:BAG:S-1-5-21-3339660976-4175652973-1130352044-513D:AI(A;;FR;;;LA)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FA;;;BA)
attrib=32
DateC=2024/06/18 22:05:58
DateM=2024/06/18 22:05:58
hash=6BBC8BA4

[reg]
Total=13

[3]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/18 22:05:58
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
param=
data=
dataDecoded=
hash=00000000

[4]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/19 16:27:58
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
param=
data=
dataDecoded=
hash=00000000

[5]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
param=Path
data=\u005C\u004E\u0065\u0074\u0077\u006F\u0072\u006B\u005C\u0041\u0063\u0063\u0065\u0073\u0073\u0050\u0072\u006F\u0074\u0065\u0063\u0074\u0069\u006F\u006E
dataDecoded=\Network\AccessProtection
hash=B053AE14

[6]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
param=Hash
data=64D608C57667682860D6223CC839FE39CCF14AC7900DB1108F0A63644CEC65BB
dataDecoded=64D608C57667682860D6223CC839FE39CCF14AC7900DB1108F0A63644CEC65BB
hash=852BFC93

[7]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
param=Schema
data=65538
dataDecoded=65538
hash=D17F487D

[8]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
param=URI
data=\u005C\u004E\u0065\u0074\u0077\u006F\u0072\u006B\u005C\u0041\u0063\u0063\u0065\u0073\u0073\u0050\u0072\u006F\u0074\u0065\u0063\u0074\u0069\u006F\u006E
dataDecoded=\Network\AccessProtection
hash=B053AE14

[9]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
param=Triggers
data=1700000000000000010706000000120000E79CB2CBC1DA010007060000001200FFFFFFFFFFFFFFFF3821C14248484848D5BD7742484848480E0000004848484841007500740068006F0072000000484800000000484848480048484848484848004848484848484801000000484848481C00000048484848010500000000000515000000B02E0FC76D68E3F8ACCD5F43F4010000484848483400000048484848530051004C005300450052005600450052005C00410064006D0069006E006900730074007200610074006F007200000000000000484848482C0000004848484858020000100E000080F40300FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848DDDD000000000000010706000000120000E79CB2CBC1DA0100000000000000000000000000000000000000000000000000000000000000007800000000000000FFFFFFFF0000000000000000000000000001484B01000000000000000AE800000000000048484848
dataDecoded=1700000000000000010706000000120000E79CB2CBC1DA010007060000001200FFFFFFFFFFFFFFFF3821C14248484848D5BD7742484848480E0000004848484841007500740068006F0072000000484800000000484848480048484848484848004848484848484801000000484848481C00000048484848010500000000000515000000B02E0FC76D68E3F8ACCD5F43F4010000484848483400000048484848530051004C005300450052005600450052005C00410064006D0069006E006900730074007200610074006F007200000000000000484848482C0000004848484858020000100E000080F40300FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848DDDD000000000000010706000000120000E79CB2CBC1DA0100000000000000000000000000000000000000000000000000000000000000007800000000000000FFFFFFFF0000000000000000000000000001484B01000000000000000AE800000000000048484848
hash=25F21BF0

[10]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
param=Actions
data=03000C00000041007500740068006F0072006666000000003A00000043003A005C00570069006E0064006F00770073005C00530079007300740065006D00330032005C006D0073006800740061002E006500780065005C00000043003A005C00500072006F006700720061006D0044006100740061005C0073006300720069007000740073005C00520065006D006F007400650041007300730069007300740061006E00630065005300760063002E00680074006100000000000000
dataDecoded=03000C00000041007500740068006F0072006666000000003A00000043003A005C00570069006E0064006F00770073005C00530079007300740065006D00330032005C006D0073006800740061002E006500780065005C00000043003A005C00500072006F006700720061006D0044006100740061005C0073006300720069007000740073005C00520065006D006F007400650041007300730069007300740061006E00630065005300760063002E00680074006100000000000000
hash=A2D0E7C3

[11]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
param=DynamicInfo
data=03000000F80F1E5F06C2DA0146122852A0C2DA0100000000E010078041C93B04A0C2DA01
dataDecoded=03000000F80F1E5F06C2DA0146122852A0C2DA0100000000E010078041C93B04A0C2DA01
hash=45C7841C

[12]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/18 22:05:58
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Network\AccessProtection
param=
data=
dataDecoded=
hash=00000000

[13]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Network\AccessProtection
param=SD
data=01000480880000009800000000000000140000000200740004000000001018009F011F0001020000000000052000000020020000001014009F011F0001010000000000051200000000101800FF011F00010200000000000520000000200200000000240089001200010500000000000515000000B02E0FC76D68E3F8ACCD5F43F40100000000000001020000000000052000000020020000010500000000000515000000B02E0FC76D68E3F8ACCD5F4301020000
dataDecoded=01000480880000009800000000000000140000000200740004000000001018009F011F0001020000000000052000000020020000001014009F011F0001010000000000051200000000101800FF011F00010200000000000520000000200200000000240089001200010500000000000515000000B02E0FC76D68E3F8ACCD5F43F40100000000000001020000000000052000000020020000010500000000000515000000B02E0FC76D68E3F8ACCD5F4301020000
hash=53A04762

[14]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Network\AccessProtection
param=Id
data=\u007B\u0033\u0043\u0036\u0044\u0035\u0031\u0037\u0045\u002D\u0041\u0046\u0037\u0042\u002D\u0034\u0034\u0041\u0038\u002D\u0042\u0034\u0038\u0046\u002D\u0035\u0030\u0034\u0031\u0043\u0043\u0036\u0039\u0043\u0039\u0044\u0035\u007D
dataDecoded={3C6D517E-AF7B-44A8-B48F-5041CC69C9D5}
hash=182D7B2E

[15]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Network\AccessProtection
param=Index
data=3
dataDecoded=3
hash=6DD28E9B