Malware Sample Analysis
In this blog post-in-progress, I am going to analyze the malware sample sha256:cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57 and provide beginner-friendly resources for getting started with malware analysis. Let's get started!
Filename: cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe
Internal (Original) Name: dwm.exe
Size: 243,361 bytes
Time/date stamp: Thu Jan 01 18:12:16 1970 (UTC)
Compiler: MinGW(GCC: (GNU) 4.8.2)
MD5: 8b282ef8f441ccceb707a9ee04a5413e
SHA-256: cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57
Imphash: 79CF8CA8DD4DAD9D47E49BEB5C9BBD50
Ssdeep: 6144:oeLc9VV0liQ9KM5uVEgqz/ZnMmwqFlYiJB:owcDV0lilM5MqVMwbYiP
capa.exe cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe
capa very verbose output
md5 8b282ef8f441ccceb707a9ee04a5413e sha1 10fc5bbd2f801251d1228e6b3b35d24c6e018162 sha256 cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57 path C:/Users/husky/Desktop/cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe timestamp 2024-12-27 19:17:53.970541 capa version 7.4.0 os windows format pe arch i386 analysis static extractor VivisectFeatureExtractor base address 0x400000 rules C:/Users/husky/AppData/Local/Temp/_MEI70002/rules function count 186 library function count 0 total feature count 10683 allocate or change RW memory (library rule) author 0x534a@mailbox.org, @mr-tz scope basic block mbc Memory::Allocate Memory [C0007] basic block @ 0x404916 in function 0x4048C0 and: or: match: change memory protection @ 0x404916 or: api: VirtualProtect @ 0x404935 or: number: 0x4 = PAGE_READWRITE @ 0x404956 change memory protection (2 matches, only showing first match of library rule) author @mr-tz scope basic block mbc Memory::Change Memory Protection [C0008] basic block @ 0x404916 in function 0x4048C0 or: api: VirtualProtect @ 0x404935 contain loop (55 matches, only showing first match of library rule) author moritz.raabe@mandiant.com scope function function @ 0x4013E0 or: characteristic: loop @ 0x4013E0 create or open file (2 matches, only showing first match of library rule) author michael.hunhoff@mandiant.com, joakim@intezer.com scope basic block mbc File System::Create File [C0016] basic block @ 0x402FB0 in function 0x402FB0 or: api: fopen @ 0x402FC7, 0x40304E delay execution (library rule) author michael.hunhoff@mandiant.com, @ramen0x3f scope basic block mbc Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003] references https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions, https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp basic block @ 0x40A4E0 in function 0x40A4C0 or: and: os: windows or: api: Sleep @ 0x40A4E7 contain obfuscated stackstrings (17 
matches) namespace anti-analysis/obfuscation/string/stackstring author moritz.raabe@mandiant.com scope basic block att&ck Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] mbc Anti-Static Analysis::Executable Code Obfuscation::Argument Obfuscation [B0032.020], Anti-Static Analysis::Executable Code Obfuscation::Stack Strings [B0032.017] basic block @ 0x4017B0 in function 0x4017B0 characteristic: stack string @ 0x4017B0 basic block @ 0x4019FC in function 0x4019D0 characteristic: stack string @ 0x4019FC basic block @ 0x401A55 in function 0x4019D0 characteristic: stack string @ 0x401A55 basic block @ 0x401B4A in function 0x4019D0 characteristic: stack string @ 0x401B4A basic block @ 0x401CDC in function 0x4019D0 characteristic: stack string @ 0x401CDC basic block @ 0x401E1B in function 0x4019D0 characteristic: stack string @ 0x401E1B basic block @ 0x401FF8 in function 0x401F00 characteristic: stack string @ 0x401FF8 basic block @ 0x40215D in function 0x401F00 characteristic: stack string @ 0x40215D basic block @ 0x40230D in function 0x401F00 characteristic: stack string @ 0x40230D basic block @ 0x4025BE in function 0x401F00 characteristic: stack string @ 0x4025BE basic block @ 0x402820 in function 0x402820 characteristic: stack string @ 0x402820 basic block @ 0x403080 in function 0x403080 characteristic: stack string @ 0x403080 basic block @ 0x403360 in function 0x403360 characteristic: stack string @ 0x403360 basic block @ 0x403640 in function 0x403640 characteristic: stack string @ 0x403640 basic block @ 0x40381B in function 0x403640 characteristic: stack string @ 0x40381B basic block @ 0x403DD0 in function 0x403DD0 characteristic: stack string @ 0x403DD0 basic block @ 0x40B75E in function 0x40B710 characteristic: stack string @ 0x40B75E compiled with MinGW for Windows namespace compiler/mingw author william.ballenthin@mandiant.com scope file and: string: "Mingw runtime failure:" @ file+0xB7E8 string: "_Jv_RegisterClasses" = 
from GCC @ file+0xB237 encode data using XOR namespace data-manipulation/encoding/xor author moritz.raabe@mandiant.com scope basic block att&ck Defense Evasion::Obfuscated Files or Information [T1027] mbc Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02], Data::Encode Data::XOR [C0026.002] basic block @ 0x407008 in function 0x406ED0 and: characteristic: tight loop @ 0x407008 characteristic: nzxor @ 0x407012 not: = filter for potential false positives or: or: = unsigned bitwise negation operation (~i) number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits or: = signed bitwise negation operation (~i) number: 0xFFFFFFF = bitwise negation for signed 32 bits number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits or: = Magic constants used in the implementation of strings functions. number: 0x7EFEFEFF = optimized string constant for 32 bits number: 0x81010101 = -0x81010101 = 0x7EFEFEFF number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF contain a thread local storage (.tls) section namespace executable/pe/section/tls author michael.hunhoff@mandiant.com scope file section: .tls @ 0x414000 extract resource via kernel32 functions namespace executable/resource author william.ballenthin@mandiant.com scope function function @ 0x403640 or: and: or: api: LoadResource @ 0x4039B4, 0x403A17, 0x403A7A, 0x403ADD, and 2 more... api: LockResource @ 0x403967, 0x4039BF, 0x403A22, 0x403A85, and 3 more... optional: api: GetModuleHandle @ 0x4036D2 api: SizeofResource @ 0x40399B, 0x4039FE, 0x403A61, 0x403AC4, and 2 more... 
accept command line arguments namespace host-interaction/cli author moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com scope function att&ck Execution::Command and Scripting Interpreter [T1059] mbc Execution::Command and Scripting Interpreter [E1059] function @ 0x404560 or: api: GetCommandLine @ 0x404576 query environment variable (2 matches) namespace host-interaction/environment-variable author michael.hunhoff@mandiant.com, @_re_fox scope function att&ck Discovery::System Information Discovery [T1082] mbc Discovery::System Information Discovery [E1082] function @ 0x403360 or: api: GetEnvironmentVariable @ 0x4035A4 function @ 0x4074A0 or: api: getenv @ 0x407500 get common file path namespace host-interaction/file-system author moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com scope function att&ck Discovery::File and Directory Discovery [T1083] mbc Discovery::File and Directory Discovery [E1083] function @ 0x401F00 or: api: GetSystemDirectory @ 0x4024EB create directory namespace host-interaction/file-system/create author moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com scope function mbc File System::Create Directory [C0046] function @ 0x403080 or: api: CreateDirectory @ 0x4032DC, 0x4032EF get file size namespace host-interaction/file-system/meta author michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com scope function att&ck Discovery::File and Directory Discovery [T1083] mbc Discovery::File and Directory Discovery [E1083] function @ 0x401F00 or: api: GetFileSize @ 0x402320 set file attributes namespace host-interaction/file-system/meta author moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com scope basic block att&ck Defense Evasion::File and Directory Permissions Modification [T1222] mbc File System::Set File Attributes [C0050] basic block @ 0x403080 in function 0x403080 or: api: SetFileAttributes @ 0x403302 read file on Windows (2 matches) namespace 
host-interaction/file-system/read author moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com scope function mbc File System::Read File [C0051] function @ 0x401F00 or: and: os: windows or: api: ReadFile @ 0x4023D8 function @ 0x402FB0 or: and: os: windows or: api: fread @ 0x403033 write file on Windows (2 matches) namespace host-interaction/file-system/write author william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com scope function mbc File System::Writes File [C0052] function @ 0x402FB0 or: and: os: windows optional: basic block: or: number: 0x2 = FILE_WRITE_DATA @ 0x402FCC match: create or open file @ 0x402FB0 or: api: fopen @ 0x402FC7, 0x40304E or: api: fwrite @ 0x403068 function @ 0x404870 or: and: os: windows or: api: fwrite @ 0x40489C check Internet connectivity via WinINet (2 matches) namespace host-interaction/network/connectivity author matthew.williams@mandiant.com, michael.hunhoff@mandiant.com scope basic block att&ck Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001] basic block @ 0x4041BB in function 0x403DD0 or: and: or: api: InternetCheckConnection @ 0x4041EE, 0x404219 optional: instruction: and: mnemonic: cmp @ 0x40423C or: number: 0x1 = TRUE @ 0x40423C basic block @ 0x404246 in function 0x403DD0 or: and: or: api: InternetCheckConnection @ 0x40425D get thread local storage value namespace host-interaction/process author michael.hunhoff@mandiant.com scope function function @ 0x404C30 and: api: TlsGetValue @ 0x404C56 allocate or change RWX memory namespace host-interaction/process/inject author @mr-tz scope basic block mbc Memory::Allocate Memory [C0007] basic block @ 0x404916 in function 0x4048C0 and: or: match: change memory protection @ 0x404916 or: api: VirtualProtect @ 0x404935 or: number: 0x40 = PAGE_EXECUTE_READWRITE @ 0x404920 enumerate processes namespace host-interaction/process/list author moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com scope function att&ck 
Discovery::Process Discovery [T1057], Discovery::Software Discovery [T1518] function @ 0x402820 or: and: api: Process32First @ 0x402A1E api: Process32Next @ 0x402CA7 link function at runtime on Windows (7 matches) namespace linking/runtime-linking author moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com scope instruction att&ck Execution::Shared Modules [T1129] instruction @ 0x401329 and: os: windows or: api: GetProcAddress @ 0x401329 instruction @ 0x401374 and: os: windows or: api: GetProcAddress @ 0x401374 instruction @ 0x4013B9 and: os: windows or: api: GetProcAddress @ 0x4013B9 instruction @ 0x401D8E and: os: windows or: api: GetProcAddress @ 0x401D8E instruction @ 0x401E90 and: os: windows or: api: GetProcAddress @ 0x401E90 instruction @ 0x401FC9 and: os: windows or: api: GetProcAddress @ 0x401FC9 instruction @ 0x402558 and: os: windows or: api: GetProcAddress @ 0x402558 resolve function by parsing PE exports (2 matches) namespace load-code/pe author sara-rn scope function function @ 0x401760 and: os: windows or: mnemonic: movzx @ 0x401798 and: offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x401769 or: and: arch: i386 offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x40176C 3 or more: offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x401770, 0x401795 offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x401765, 0x401785 offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x40177E offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40179E function @ 0x4074A0 and: os: windows or: characteristic: loop @ 0x4074A0 mnemonic: movzx @ 0x407569, 0x407592, 0x4075A0, 0x407617, and 20 more... and: offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4074DD or: and: arch: i386 offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x4074F0 3 or more: offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x40755D, 0x4075A6, 0x4075FB, 0x407608, and 22 more... 
offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x407750, 0x407758, 0x4077D3, 0x407803, and 10 more... offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x407698, 0x40769C, 0x40775E, 0x407762, and 18 more... offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x407571, 0x407A2C, 0x407A34, 0x407A49, and 7 more... offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40752C, 0x407CEE create shortcut via IShellLink namespace persistence author matthew.williams@mandiant.com scope function att&ck Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009] references https://docs.microsoft.com/en-us/windows/win32/shell/links#creating-a-shortcut-and-a-folder-shortcut-to-a-file function @ 0x402E10 and: offset: 0x50 = psl->SetPath @ 0x402EAB offset: 0x18 = ppf->Save @ 0x402F78 api: CoCreateInstance @ 0x402E52 bytes: 0114020000000000c000000000000046 = CLSID_ShellLink @ 0x402E4B bytes: 0b01000000000000c000000000000046 = IID_IPersistFile @ 0x402F13 or: bytes: f914020000000000c000000000000046 = IID_IShellLinkW @ 0x402E33
=======================================
Strings of interest
---------------------------------------
pestudio.exe detail - strings
GetEnvironmentVariable InternetCheckConnection VirtualProtect VirtualQuery FindFirstFile FindNextFile SetFileAttributes GetCurrentProcess Process32First Process32Next ShowWindow DeleteCriticalSection EnterCriticalSection InitializeCriticalSection InterlockedExchange LeaveCriticalSection LoadResource LockResource SizeofResource GetSystemDirectory WININET.DLL VirtualQuery failed for %d bytes at address %p LocalAlloc malloc memcpy FindClose GetFileSize ReadFile SHGetFolderPath CreateDirectory fclose fopen fputc fread fseek ftell fwrite ExitProcess TlsGetValue GetCommandLine Sleep SetUnhandledExceptionFilter GetProcAddress GetModuleFileName GetModuleHandle LoadLibrary GetLastError GetConsoleWindow !This program cannot be run in DOS mode. .CRT libgcc_s_dw2-1.dll libgcj-13.dll ekrn.exe egui.exe bitdefender_isecurity.exe uiSeAgnt.exe ccSvcHst.exe nis.exe ns.exe apvui.exe onlinent.exe PSUAMain.exe escanmon.exe escanpro.exe Tray.exe Prd.EventViewer.exe zatray.exe AkSA.exe \MsUpdte.exe https://en.wikipedia.org/wiki/Main_Page https://secure.comodo.net/CPS0C http://ocsp.comodoca.com0 dwm.exe 0@.bss ouemm/emm!!!!!!!!!!!!! Vtfs43/emm bewbqj43/emm Tifmm43/emm lfsofm43/emm __register_frame_info _Jv_RegisterClasses __deregister_frame_info %d is the largest prime factor ! --***** Mo~Ysy~og]e}<>Ncxoi~exsK aoxdof98$nff --*****------- --*****------ PfwSql`fppGFSSloj`z --*****------*** %d**** AVGUI bdagent gziface norton AvkTray AVKTray avp AvastUI avg V]cdne}y*_znk~o _Npvsgwf-omh ProgramData GjoeSftpvsdfB MpbeSftpvsdf MpdlSftpvsdf P}_dgkz\co}ElYoi~ced UjqwvboSqlwf`wF{ MwTqjwfUjqwvboNfnlqz Mingw runtime failure: Unknown pseudo relocation protocol version %d. Unknown pseudo relocation bit size %d. 
glob-1.0-mingw32 GCC: (GNU) 4.8.2 PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD Greater Manchester1 Salford1 COMODO CA Limited1#0! COMODO RSA Code Signing CA0 $4 THE HAYLOFT, FAR PEAK, NORTHLEACH,1(0& Accelerate Technologies Limited1(0& admin@acceleratetech.co.uk0 Desktop Window Manager 6.1.7600.16385 (win7_rtm.090713-1255) Microsoft Corporation. All rights reserved. 6WinUpdatr_ldrexe_19july.ex
floss.exe --no static -- cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe
INFO: floss.results: SeDebugPrivilege
INFO: floss.results: kernel32.dllW
INFO: floss.results: LoadLibraryAW
INFO: floss.results: LoadLibraryA
INFO: floss.results: OpenProcessTokenW
INFO: floss.results: Advapi32.dllW
INFO: floss.results: LookupPrivilegeValueA
INFO: floss.results: AdjustTokenPrivileges
INFO: floss.results: kernel32.dll
INFO: floss.results: LoadLibraryA
INFO: floss.results: CreateToolhelp32Snapshot
INFO: floss.results: kernel32.dll
INFO: floss.results: LoadLibraryA
INFO: floss.results: Shell32.dll
INFO: floss.results: MsUpdte.exe
INFO: floss.results: kernel32.dll
INFO: floss.results: LoadLibraryA
INFO: floss.results: Shell32.dll
INFO: floss.results: kernel32.dll
INFO: floss.results: LoadLibraryA
INFO: floss.results: SizeofResource
INFO: floss.results: kernel32.dll
INFO: floss.results: LoadLibraryA
INFO: floss.results: LoadLibraryA
INFO: floss.results: GetSystemWow64DirectoryA
INFO: floss.results: RPCRT4.dll
INFO: floss.results: ZwUnmapViewOfSection
INFO: floss.results: ntdll.dll
INFO: floss.results: olea
INFO: floss.results: t32.dll
INFO: floss.results: Kock
INFO: floss.results: kernel32.dll
INFO: floss.results: gdi32.dll
INFO: floss.results: mfc110
INFO: floss.results: .dll
INFO: floss.results: advapi32.dll
INFO: floss.results: r32.dll
INFO: floss.results: msvcr110.dll
INFO: floss.results: \Windows Update
INFO: floss.results: shell32.dll
INFO: floss.results: shlwapi.dll
INFO: floss.results: ser32.dll
INFO: floss.results: msvcrt.dll
INFO: floss.results: efefefefefefefef
INFO: floss.results: efefefef
INFO: floss.results: User32.dll
INFO: floss.results: kernel32.dll
INFO: floss.results: CreateToolhelp32Snapshot
INFO: floss.results: LoadLibraryA
INFO: floss.results: ntdll.dll
INFO: floss.results: kernel32.dll
INFO: floss.results: VirtualAlloc
INFO: floss.results: Infinity

FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)

+------------------------+------------------------------------------------------------------------------------+
| file path              | cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe               |
| identified language    | unknown                                                                            |
| extracted strings      |                                                                                    |
| static strings         | Disabled                                                                           |
| language strings       | 0 (0 characters)                                                                   |
| stack strings          | 24                                                                                 |
| tight strings          | 0                                                                                  |
| decoded strings        | 29                                                                                 |
+------------------------+------------------------------------------------------------------------------------+

────────────────────────── FLOSS STACK STRINGS (24) ──────────────────────────
SeDebugPrivilege
kernel32.dllW
LoadLibraryAW
LoadLibraryA
OpenProcessTokenW
Advapi32.dllW
LookupPrivilegeValueA
AdjustTokenPrivileges
kernel32.dll
LoadLibraryA
CreateToolhelp32Snapshot
kernel32.dll
LoadLibraryA
Shell32.dll
MsUpdte.exe
kernel32.dll
LoadLibraryA
Shell32.dll
kernel32.dll
LoadLibraryA
SizeofResource
kernel32.dll
LoadLibraryA
LoadLibraryA

───────────────────────── FLOSS TIGHT STRINGS (0) ─────────────────────────

──────────────────────────── FLOSS DECODED STRINGS (29) ────────────────────────────
GetSystemWow64DirectoryA
RPCRT4.dll
ZwUnmapViewOfSection
ntdll.dll
olea
t32.dll
Kock
kernel32.dll
gdi32.dll
mfc110
.dll
advapi32.dll
r32.dll
msvcr110.dll
\Windows Update
shell32.dll
shlwapi.dll
ser32.dll
msvcrt.dll
efefefefefefefef
efefefef
User32.dll
kernel32.dll
CreateToolhelp32Snapshot
LoadLibraryA
ntdll.dll
kernel32.dll
VirtualAlloc
Infinity
=======================================
Imports
---------------------------------------
=======================================
Exports
---------------------------------------
=======================================
Files and Registry keys created/modified/deleted
---------------------------------------
Initial detonation (with and without REMnux and INetSim):
The malware creates a shortcut "Msupdte.lnk" in the Startup directory. The shortcut targets C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b6.exe, Size: 980 bytes, sha256: 3cb51f5f44954ea08641c1a13da0c8838a92fdb7ff18a58a962a3402c1f451d4. No matches found on VirusTotal.
Regshot Compare report
Regshot 1.9.1 x64 Unicode (beta r321) Comments: Datetime: 2024-12-30 21:27:32, 2024-12-30 21:39:43 Computer: DESKTOP-V64A5T1, DESKTOP-V64A5T1 Username: husky, husky ---------------------------------- Keys deleted: 6 ---------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\ea27fe31-4467-484a-a717-ea736d21e980 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\CurrentState HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\CurrentState HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\ea27fe31-4467-484a-a717-ea736d21e980 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F} HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F} ---------------------------------- Keys added: 8 ---------------------------------- HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0 HKLM\SOFTWARE\Microsoft\Provisioning\FirstBootRun HKLM\SOFTWARE\Microsoft\Provisioning\LogonTaskCompleted HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\22386174-fd81-4e78-a42c-67d78ebebfaa HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\22386174-fd81-4e78-a42c-67d78ebebfaa HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4} HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4} HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A01F4 ---------------------------------- Values deleted: 27 ---------------------------------- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3DC3855: 01 00 04 80 44 
00 00 00 50 00 00 00 00 00 00 00 14 00 00 00 02 00 30 00 02 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 14 00 00 00 01 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 20 00 00 00 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\CurrentState\StateValue: 0x00000011 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\CurrentState\StateValue: 0x00000011 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\Priority: 0x01000000 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\CreationTime: 0x0000000067705308 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\Transient: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\IsPackaged: 0x00000000 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\DeliveryType: 0x00000002 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\FilterXML: "" HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\RegistrationName: "SmsDropAcceptImmediate" HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\ApplicationName: "SmsRouter" HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\UserSid: "S-1-5-19" HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\LastNotifiedMessageId: 0xFFFFFFFFFFFFFFFF 
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\LastAccessedMessageId: 0xFFFFFFFFFFFFFFFF HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\NotifyCount: 0x00000000 HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\Priority: 0x01000000 HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\CreationTime: 0x0000000067705308 HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\Transient: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\IsPackaged: 0x00000000 HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\DeliveryType: 0x00000002 HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\FilterXML: " " HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\RegistrationName: "SmsDropAcceptImmediate" HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\ApplicationName: "SmsRouter" HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\UserSid: "S-1-5-19" HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\LastNotifiedMessageId: 0xFFFFFFFFFFFFFFFF HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\LastAccessedMessageId: 0xFFFFFFFFFFFFFFFF HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\NotifyCount: 0x00000000 ---------------------------------- Values added: 
43 ---------------------------------- HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\go+EQwXwOk+jHmdV.0\NextSession: "loyJxHVRY0myuEU7.0" HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\BeginTime: "2024-12-30 21:36:41" HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\RebootCount: 0x00000000 HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\State: "Completed" HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\StateValue: 0x00000003 HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\LastRunTime: "2024-12-30 21:37:52" HKLM\SOFTWARE\Microsoft\Provisioning\FirstBootRun\: 0x00000001 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\core_worker_succeeded: 01 00 00 00 00 00 00 00 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\core_worker_total: 01 00 00 00 00 00 00 00 HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe: 3C 21 1F EE 01 5B DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\Priority: 0x01000000 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\CreationTime: 0x0000000067731269 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\Transient: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\IsPackaged: 0x00000000 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\DeliveryType: 0x00000002 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\FilterXML: " " 
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\RegistrationName: "SmsDropAcceptImmediate"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\ApplicationName: "SmsRouter"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\UserSid: "S-1-5-19"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\LastNotifiedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\LastAccessedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\NotifyCount: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe: 3C 21 1F EE 01 5B DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\Priority: 0x01000000
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\CreationTime: 0x0000000067731269
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\Transient: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\IsPackaged: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\DeliveryType: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\FilterXML: " "
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\RegistrationName: "SmsDropAcceptImmediate"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\ApplicationName: "SmsRouter"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\UserSid: "S-1-5-19"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\LastNotifiedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\LastAccessedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\NotifyCount: 0x00000000
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched\C:\Tools\Regshot-x64-Unicode\Regshot-x64-Unicode.exe: 0x00000001
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\uhfxl\Qrfxgbc\fnzcyr\pp8867n5sq62o82r817nsp405807s88716960ns5744040999o619o126n9rps57.rkr: 00 00 00 00 01 00 00 00 01 00 00 00 4E 00 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 19 E3 C9 01 5B DB 01 00 00 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A01F4\VirtualDesktop: 10 00 00 00 30 30 44 56 51 61 8C 11 AD 69 F0 45 81 44 60 32 A1 4A 47 E3
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 A1 B6 03 00 FD 0E 04 00 01 00 00 00 00 00 00 00 00 00 00 0A 61 20 00 00 50 BB 64 ED DD AC D5 01 00 00 00 00 00 00 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe.FriendlyAppName: "Desktop Window Manager"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe.ApplicationCompany: "Microsoft Corporation"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe.FriendlyAppName: "Desktop Window Manager"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe.ApplicationCompany: "Microsoft Corporation"

----------------------------------
Values modified: 115
----------------------------------
HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State\LastSuccess: 0x08DD277EADC820AD
HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State\LastSuccess: 0x08DD2922957C3ABA
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\AvgFragmentsPerFile: 0x00000064
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\AvgFragmentsPerFile: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\MovableFiles: 0x0000006A
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\MovableFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\UnmovableFiles: 0x00000004
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\UnmovableFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\DirectoryCount: 0x00000004
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\DirectoryCount: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\FreeSpaceCount: 0x000000000000000A
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\FreeSpaceCount: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\AvgFreeSpaceSize: 0x0000000000000383
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\AvgFreeSpaceSize: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\LargestFreeSpaceSize: 0x000000000000116C
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\LargestFreeSpaceSize: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\TotalMFTRecords: 0x000000FF
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\TotalMFTRecords: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\InUseMFTRecords: 0x000000FF
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\InUseMFTRecords: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\MFTFragmentCount: 0x00000001
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\MFTFragmentCount: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\TotalUsedClusters: 0x000000000076EC59
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\TotalUsedClusters: 0x00000000007A0C1B
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\AvgFragmentsPerFile: 0x00000064
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\AvgFragmentsPerFile: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\MovableFiles: 0x0001DAE1
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\MovableFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\UnmovableFiles: 0x00000007
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\UnmovableFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FragmentedFiles: 0x00000001
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FragmentedFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FragmentedExtents: 0x0000000000000001
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FragmentedExtents: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\DirectoryCount: 0x00002593
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\DirectoryCount: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FreeSpaceCount: 0x0000000000000008
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FreeSpaceCount: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\AvgFreeSpaceSize: 0x00000000002F1CFD
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\AvgFreeSpaceSize: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\LargestFreeSpaceSize: 0x0000000000AE086D
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\LargestFreeSpaceSize: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\TotalMFTRecords: 0x0002C9FF
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\TotalMFTRecords: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\InUseMFTRecords: 0x0002C9FF
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\InUseMFTRecords: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\MFTFragmentCount: 0x00000001
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\MFTFragmentCount: 0x00000000
HKLM\SOFTWARE\Microsoft\MemoryDiagnostic\LastScanTime: 0x01DB595F1C57EF9F
HKLM\SOFTWARE\Microsoft\MemoryDiagnostic\LastScanTime: 0x01DB5B02EA2CCA09
HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\LastLogTime: 0x01DB59573D3EA495
HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\LastLogTime: 0x01DB5B028A7B3446
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\LastSession: "go+EQwXwOk+jHmdV.0"
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\LastSession: "loyJxHVRY0myuEU7.0"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepositoryStatus\DeploymentDatabaseStatisticsLastUpdated: 0x01DB59614C88C0E7
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepositoryStatus\DeploymentDatabaseStatisticsLastUpdated: 0x01DB5B02EB00F359
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepositoryStatus\MachineDatabaseStatisticsLastUpdated: 0x01DB595F1CFEB965
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepositoryStatus\MachineDatabaseStatisticsLastUpdated: 0x01DB5B02EAFC1FD0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHigh: 0x01DB5B00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHigh: 0x01DB5B02
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLow: 0x99BB6834
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLow: 0xEEFD7534
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Fcon\TimeSinceLastLog: 0x01DB595F1E3BE5B0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Fcon\TimeSinceLastLog: 0x01DB5B02EBC22058
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider\StartTime: 0x01DB5B018F9CB1EE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider\StartTime: 0x01DB5B036086EC5E
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastTaskOperationHandle: 0x0000001E
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastTaskOperationHandle: 0x00000055
95 1D 01 DB B4 EF 00 04 00 41 01 00 00 18 65 65 01 2A 68 A9 00 2A B7 22 01 CD AD 05 01 03 00 42 01 00 00 27 69 12 01 5F 88 67 01 72 ED 81 01 01 00 43 01 00 00 C0 EC 7C 00 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC1C75: 7B 04 00 00 00 00 00 00 04 00 04 00 01 00 01 00 01 01 00 00 A5 AD CF 00 17 00 02 00 00 00 02 1C 41 01 1B 42 78 00 22 09 39 02 27 0C 36 02 31 48 4F 00 40 56 F1 00 4E 12 24 01 6E F8 41 01 84 50 EB 00 84 DF DE 01 8D 85 07 02 8E D6 DC 01 8F 08 55 02 8F 30 36 02 9D 9D 92 00 A1 F7 37 02 A9 D9 C8 01 B7 F0 02 02 C3 6D 81 00 C3 99 F3 00 C7 5D D7 00 CD AD 05 01 D9 07 24 01 05 00 06 00 00 00 04 92 1E 01 42 93 80 00 60 AA 56 01 AF EF C9 00 B5 7A 48 01 01 00 40 01 00 00 A5 AD CF 00 01 00 41 01 00 00 CD AD 05 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475: 55 04 00 00 00 00 00 00 04 00 04 00 01 02 06 00 00 00 00 00 12 00 00 00 0D 78 79 00 01 00 00 00 6B 50 7E 00 02 00 00 00 87 DE 83 00 01 00 00 00 90 A6 A1 01 94 00 00 00 A1 9F 5E 00 01 00 00 00 DB B4 EF 00 07 00 01 00 00 00 2E 00 00 00 00 7D 75 00 01 00 00 00 18 65 65 01 02 00 00 00 18 7D C7 00 04 00 00 00 3D D7 34 01 32 01 00 00 56 73 7D 00 05 00 00 00 6B 50 7E 00 05 00 00 00 E6 C5 31 00 01 00 04 00 00 00 40 00 00 00 1A 9C B2 00 02 00 05 00 00 00 01 00 00 00 4F 87 1A 01 02 00 00 00 9F C8 CA 00 02 00 64 00 00 00 07 00 00 00 42 1D 0B 01 0E 00 00 00 46 1D 0B 01 04 00 65 00 00 00 C6 00 00 00 65 A6 9E 00 22 00 00 00 A2 05 06 00 72 5C 01 00 E6 C5 31 00 12 06 00 00 F0 E0 B6 00 01 00 66 00 00 00 44 01 00 00 65 A6 9E 00 01 00 67 00 00 00 22 00 00 00 A2 05 06 00 02 00 68 00 00 00 3E 00 00 00 A2 05 06 00 02 00 00 00 BC 6E B4 00 01 00 69 00 00 00 00 10 00 00 65 A6 9E 00 01 00 6B 00 00 00 08 00 00 00 65 A6 9E 00 0 1 00 70 00 00 00 12 00 00 00 65 A6 9E 00 01 00 71 00 00 00 03 00 00 00 65 A6 9E 00 01 00 72 00 00 00 71 03 00 00 A2 05 06 00 01 00 73 00 00 00 61 00 00 00 65 A6 9E 00 01 00 76 00 00 00 02 00 00 00 65 A6 9E 00 01 00 77 00 00 00 0E 00 00 
00 65 A6 9E 00 01 00 78 00 00 00 D8 00 00 00 65 A6 9E 00 01 00 7D 00 00 00 5E 00 00 00 65 A6 9E 00 01 00 7F 00 00 00 A2 00 00 00 65 A6 9E 00 01 00 81 00 00 00 44 01 00 00 65 A6 9E 00 01 00 97 00 00 00 28 00 00 00 BE B3 EF 00 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475: 61 04 00 00 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC4C75: 15 00 00 00 00 00 00 00 04 00 00 00 01 01 01 00 59 0F 1C 01 01 00 83 00 02 00 07 80 0E 01 24 00 66 00 66 00 7C 97 00 00 00 00 3B 01 24 00 66 00 39 21 0A 00 76 00 00 00 59 00 00 00 73 68 65 6C 6C 5C 72 6F 61 6D 69 6E 67 5C 73 65 74 74 69 6E 67 73 79 6E 63 5C 65 78 70 6C 6F 72 65 72 73 65 74 74 69 6E 67 68 61 6E 64 6C 65 72 2E 63 70 70 00 45 78 70 6C 6F 72 65 72 2E 45 58 45 00 53 65 74 74 69 6E 67 53 79 6E 63 2E 64 6C 6C 00 45 78 70 6C 6F 72 65 72 2E 45 58 45 00 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC4C75: 16 00 00 00 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{051DF697-AF10-4DB6-9B93-E1A4E35F00F7}\DynamicInfo: 03 00 00 00 A2 A1 81 E5 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 D7 5F 46 13 EB 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{051DF697-AF10-4DB6-9B93-E1A4E35F00F7}\DynamicInfo: 03 00 00 00 A2 A1 81 E5 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 D7 5F 46 13 EB 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{077333D6-06BA-4EA4-BDF4-1CD1439558F2}\DynamicInfo: 03 00 00 00 A2 E1 17 BB 52 33 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 10 FF 25 4A 1E 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{077333D6-06BA-4EA4-BDF4-1CD1439558F2}\DynamicInfo: 03 00 00 00 A2 E1 17 BB 52 33 DB 01 F4 02 09 EA 02 5B DB 01 00 00 00 00 00 00 00 10 B0 4B 0F EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tasks\{117E2D01-1275-4560-90E9-A34BB4EE69A3}\DynamicInfo: 03 00 00 00 7E 8B 8D E5 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 45 6B 61 1C 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{117E2D01-1275-4560-90E9-A34BB4EE69A3}\DynamicInfo: 03 00 00 00 7E 8B 8D E5 1B 34 DB 01 B3 60 0B EA 02 5B DB 01 00 00 00 00 00 00 00 00 59 CD 4B EA 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FDAEDB1-C8AA-43FA-B046-3CDDDA12661E}\DynamicInfo: 03 00 00 00 0E FF A2 E5 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 22 04 00 00 8E 02 30 1E 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FDAEDB1-C8AA-43FA-B046-3CDDDA12661E}\DynamicInfo: 03 00 00 00 0E FF A2 E5 1B 34 DB 01 C8 BE 0D EA 02 5B DB 01 00 00 00 00 22 04 00 00 2D C1 75 EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{20546688-8F7B-4B82-8429-7E7E4F537E96}\DynamicInfo: 03 00 00 00 F6 9D 3B BB 52 33 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 59 B2 04 14 EB 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{20546688-8F7B-4B82-8429-7E7E4F537E96}\DynamicInfo: 03 00 00 00 F6 9D 3B BB 52 33 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 59 B2 04 14 EB 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{29903646-8B95-441C-AE59-CC43C0C76FF5}\DynamicInfo: 03 00 00 00 DE 2C 2D E7 64 2F DB 01 BC 35 53 1C 5F 59 DB 01 00 00 00 00 2B 04 07 80 96 C5 50 4E DD 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{29903646-8B95-441C-AE59-CC43C0C76FF5}\DynamicInfo: 03 00 00 00 DE 2C 2D E7 64 2F DB 01 B4 35 23 EA 02 5B DB 01 00 00 00 00 2B 04 07 80 96 C5 50 4E DD 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EE7F450-D2B6-4D5E-AFE0-A8699149E79E}\DynamicInfo: 03 00 00 00 6A 6A DB 90 
89 32 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 C7 53 98 1C 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EE7F450-D2B6-4D5E-AFE0-A8699149E79E}\DynamicInfo: 03 00 00 00 6A 6A DB 90 89 32 DB 01 6D 2B 10 EA 02 5B DB 01 00 00 00 00 00 00 00 00 36 7D F7 EA 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3D363385-64B8-4207-AC46-3EE180DD87F2}\DynamicInfo: 03 00 00 00 1B 71 D7 E5 1B 34 DB 01 02 A1 49 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 65 B9 FE 1C 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3D363385-64B8-4207-AC46-3EE180DD87F2}\DynamicInfo: 03 00 00 00 1B 71 D7 E5 1B 34 DB 01 60 E1 01 EA 02 5B DB 01 00 00 00 00 00 00 00 00 B6 DE 5E EA 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F2E553C-D2A2-4A30-BCD8-B6A255445354}\DynamicInfo: 03 00 00 00 60 E8 10 EB 1B 34 DB 01 D6 0C 12 99 00 5B DB 01 00 00 00 00 00 00 00 00 BC E4 36 4E 61 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F2E553C-D2A2-4A30-BCD8-B6A255445354}\DynamicInfo: 03 00 00 00 60 E8 10 EB 1B 34 DB 01 D6 0C 12 99 00 5B DB 01 00 00 00 00 00 00 00 00 DD 4A 2C A5 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D595DA6-BC59-47AE-A527-EC01FCE2E615}\DynamicInfo: 03 00 00 00 A0 0A E8 E5 1B 34 DB 01 7D A6 AE 1B 5F 59 DB 01 00 00 00 00 00 00 00 00 D7 76 E5 1B 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D595DA6-BC59-47AE-A527-EC01FCE2E615}\DynamicInfo: 03 00 00 00 A0 0A E8 E5 1B 34 DB 01 65 A2 6B E9 02 5B DB 01 00 00 00 00 00 00 00 00 7B 46 E5 E9 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{57C76B66-AD3C-4221-81FA-55045859B06F}\DynamicInfo: 03 00 00 00 55 E7 EC E5 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 B0 E5 3B 1E 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tasks\{57C76B66-AD3C-4221-81FA-55045859B06F}\DynamicInfo: 03 00 00 00 55 E7 EC E5 1B 34 DB 01 6D 2B 10 EA 02 5B DB 01 00 00 00 00 00 00 00 00 B0 4B 0F EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58CCC4DA-C86D-4E3D-8FAF-A7B24D8F3950}\DynamicInfo: 03 00 00 00 55 E7 EC E5 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 B5 C6 34 1E 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58CCC4DA-C86D-4E3D-8FAF-A7B24D8F3950}\DynamicInfo: 03 00 00 00 55 E7 EC E5 1B 34 DB 01 7D EF 14 EA 02 5B DB 01 00 00 00 00 00 00 00 00 D3 F4 1F EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C9FA2F0-BF33-4739-8B96-4FA04768C6E6}\DynamicInfo: 03 00 00 00 22 41 EF E5 1B 34 DB 01 BC 35 53 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 B0 E5 3B 1E 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C9FA2F0-BF33-4739-8B96-4FA04768C6E6}\DynamicInfo: 03 00 00 00 22 41 EF E5 1B 34 DB 01 04 E7 20 EA 02 5B DB 01 00 00 00 00 00 00 00 00 DB DE C6 EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{638672E6-20F1-499D-BFCC-9EA7935257C4}\DynamicInfo: 03 00 00 00 4F 59 02 E6 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 6D 36 C0 16 EB 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{638672E6-20F1-499D-BFCC-9EA7935257C4}\DynamicInfo: 03 00 00 00 4F 59 02 E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 6D 36 C0 16 EB 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6440C5E0-A168-4A5F-B84E-F7C8C0A6E933}\DynamicInfo: 03 00 00 00 EE 29 4D E5 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 45 6B 61 1C 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6440C5E0-A168-4A5F-B84E-F7C8C0A6E933}\DynamicInfo: 03 00 00 00 EE 29 4D E5 
1B 34 DB 01 F3 CA 19 EA 02 5B DB 01 00 00 00 00 00 00 00 00 31 46 42 EA 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AA2E298-C47C-45AE-BF6F-E2D9A555345C}\DynamicInfo: 03 00 00 00 FD 36 0E E6 1B 34 DB 01 9F EF 57 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 02 CB 04 29 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AA2E298-C47C-45AE-BF6F-E2D9A555345C}\DynamicInfo: 03 00 00 00 FD 36 0E E6 1B 34 DB 01 09 CA 2C EA 02 5B DB 01 00 00 00 00 00 00 00 00 5B 29 E9 F2 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6EE3AFA8-CBB1-4E6E-B0B4-ABFF3127206C}\DynamicInfo: 03 00 00 00 EE 16 26 E6 1B 34 DB 01 02 A1 49 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 0E D7 A4 1E 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6EE3AFA8-CBB1-4E6E-B0B4-ABFF3127206C}\DynamicInfo: 03 00 00 00 EE 16 26 E6 1B 34 DB 01 AF A0 06 EA 02 5B DB 01 00 00 00 00 00 00 00 00 C4 D9 88 EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F063424-E8AD-40FA-92B9-CD047EC2A92A}\DynamicInfo: 03 00 00 00 EE 16 26 E6 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 6C 1E 45 44 EB 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F063424-E8AD-40FA-92B9-CD047EC2A92A}\DynamicInfo: 03 00 00 00 EE 16 26 E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 6C 1E 45 44 EB 3D DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78E96733-DDEF-4FB9-AD45-FC553EFC4CFD}\DynamicInfo: 03 00 00 00 26 DB 2A E6 1B 34 DB 01 7D A6 AE 1B 5F 59 DB 01 00 00 00 00 E0 10 07 80 00 00 00 00 00 00 00 00 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78E96733-DDEF-4FB9-AD45-FC553EFC4CFD}\DynamicInfo: 03 00 00 00 26 DB 2A E6 1B 34 DB 01 75 06 6E E9 02 5B DB 01 00 00 00 00 E0 10 07 80 00 00 00 00 00 00 00 00 HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tasks\{7A7B60AA-BA42-409F-BC97-7BCFEFAD6308}\DynamicInfo: 03 00 00 00 86 F4 51 E5 1B 34 DB 01 78 4D 4B 99 00 5B DB 01 00 00 00 00 00 00 00 00 3C C8 9E 99 00 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7A7B60AA-BA42-409F-BC97-7BCFEFAD6308}\DynamicInfo: 03 00 00 00 86 F4 51 E5 1B 34 DB 01 72 8A 64 E9 02 5B DB 01 00 00 00 00 00 00 00 00 3F 7A E0 E9 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{80436C26-BC19-4930-9051-F06F0E0BA960}\DynamicInfo: 03 00 00 00 C5 47 54 E5 1B 34 DB 01 5D D3 A9 1B 5F 59 DB 01 00 00 00 00 00 00 00 00 60 62 5B 3B 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{80436C26-BC19-4930-9051-F06F0E0BA960}\DynamicInfo: 03 00 00 00 C5 47 54 E5 1B 34 DB 01 72 8A 64 E9 02 5B DB 01 00 00 00 00 00 00 00 00 82 D5 E9 14 03 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8627F38D-3BB5-45A5-AAE5-B8735A41B62D}\DynamicInfo: 03 00 00 00 9C 10 32 E6 1B 34 DB 01 02 A1 49 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 6C 72 96 1E 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8627F38D-3BB5-45A5-AAE5-B8735A41B62D}\DynamicInfo: 03 00 00 00 9C 10 32 E6 1B 34 DB 01 F4 02 09 EA 02 5B DB 01 00 00 00 00 00 00 00 00 18 A3 11 EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FF5DE67-C947-4488-997B-4184221E7D50}\Hash: B4 84 2A E4 67 93 35 12 40 C1 5E AD 77 5C 09 A6 A9 E0 3E 07 E9 13 85 1F 99 F2 1F 6D 8A 54 A1 F8 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FF5DE67-C947-4488-997B-4184221E7D50}\Hash: B4 BB E9 91 8F 95 E4 76 46 9B D1 CD D7 0F F6 46 8A 87 64 89 31 93 25 DD 72 76 1C 8B D6 FA 41 48 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FF5DE67-C947-4488-997B-4184221E7D50}\Triggers: 17 00 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 00 00 00 00 00 00 
00 00 00 DF 17 E1 EF 00 00 00 FF FF FF FF FF FF FF FF 48 20 42 42 48 48 48 48 FD F3 73 2A 48 48 48 48 18 00 00 00 48 48 48 48 4C 00 6F 00 63 00 61 00 6C 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 00 00 48 48 48 48 00 48 48 48 48 48 48 48 00 48 48 48 48 48 48 48 05 00 00 00 48 48 48 48 0C 00 00 00 48 48 48 48 01 01 00 00 00 00 00 05 12 00 00 00 48 48 48 48 00 00 00 00 48 48 48 48 2C 00 00 00 48 48 48 48 58 02 00 00 10 0E 00 00 80 F4 03 00 FF FF FF FF 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 48 48 48 DD DD 00 00 00 00 00 00 00 07 0C 00 00 00 1D 00 00 17 B2 5D 1F 5A DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 01 8C C2 01 00 00 00 3C 00 00 00 D0 78 00 00 00 00 00 00 48 48 48 48 77 77 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 00 00 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 6F 00 70 00 4F 00 6E 00 49 00 64 00 6C 00 00 00 00 00 48 48 48 48 02 00 00 00 2F 00 53 00 01 48 48 48 48 48 48 48 77 77 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 00 00 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 20 00 20 00 3C 00 2F 00 49 00 64 00 6C 00 00 00 00 00 48 48 48 48 04 00 00 00 0D 00 0A 00 01 48 48 48 48 48 48 48 66 66 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 00 00 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 72 00 74 00 42 00 6F 00 75 00 6E 00 00 00 00 00 48 48 48 48 75 08 BC A3 38 0C 96 0C 01 00 00 00 00 00 00 00 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FF5DE67-C947-4488-997B-4184221E7D50}\Triggers: 17 00 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 00 00 00 00 00 00 
00 00 00 DE 17 2F BC 00 00 00 FF FF FF FF FF FF FF FF 48 20 42 42 48 48 48 48 0F 12 8A 65 48 48 48 48 18 00 00 00 48 48 48 48 4C 00 6F 00 63 00 61 00 6C 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 00 00 48 48 48 48 00 48 48 48 48 48 48 48 00 48 48 48 48 48 48 48 05 00 00 00 48 48 48 48 0C 00 00 00 48 48 48 48 01 01 00 00 00 00 00 05 12 00 00 00 48 48 48 48 00 00 00 00 48 48 48 48 2C 00 00 00 48 48 48 48 58 02 00 00 10 0E 00 00 80 F4 03 00 FF FF FF FF 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 48 48 48 DD DD 00 00 00 00 00 00 00 07 0C 00 00 00 1F 00 00 A8 EC 7C C9 5B DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 01 22 84 01 00 00 00 3C 00 00 00 DE 32 00 00 00 00 00 00 48 48 48 48 77 77 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 00 00 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 74 00 69 00 6F 00 6E 00 50 00 6C 00 61 00 00 00 00 00 48 48 48 48 02 00 00 00 65 00 73 00 01 48 48 48 48 48 48 48 77 77 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 00 00 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 2D 00 39 00 37 00 33 00 33 00 37 00 33 00 00 00 00 00 48 48 48 48 04 00 00 00 36 00 33 00 01 48 48 48 48 48 48 48 66 66 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 00 00 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 00 2D 00 32 00 35 00 39 00 32 00 38 00 00 00 00 00 48 48 48 48 75 08 BC A3 38 0C 96 0C 01 00 00 00 00 00 00 00 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{92FFE795-C628-4324-AB97-06F804352DB6}\DynamicInfo: 03 00 00 00 3B D3 36 E6 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 
00 00 00 00 00 00 00 10 D8 A1 1C 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{92FFE795-C628-4324-AB97-06F804352DB6}\DynamicInfo: 03 00 00 00 3B D3 36 E6 1B 34 DB 01 7D EF 14 EA 02 5B DB 01 00 00 00 00 00 00 00 00 78 5A B1 EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2887CBD-E4BF-4986-A4C3-07375F968D9D}\DynamicInfo: 03 00 00 00 A9 57 13 EB 1B 34 DB 01 D6 0C 12 99 00 5B DB 01 00 00 00 00 00 00 00 00 4A B5 41 99 00 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2887CBD-E4BF-4986-A4C3-07375F968D9D}\DynamicInfo: 03 00 00 00 A9 57 13 EB 1B 34 DB 01 4D 25 29 59 03 5B DB 01 00 00 00 00 00 00 00 00 4A B5 41 99 00 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A28E2F31-2C6D-426C-A2AC-2F9F6952D916}\DynamicInfo: 03 00 00 00 92 65 40 E6 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 A5 A2 CD 23 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A28E2F31-2C6D-426C-A2AC-2F9F6952D916}\DynamicInfo: 03 00 00 00 92 65 40 E6 1B 34 DB 01 7B 59 17 EA 02 5B DB 01 00 00 00 00 00 00 00 00 98 12 D6 EA 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2FADBDF-6855-42F7-BDFC-F0C510EDA9BC}\DynamicInfo: 03 00 00 00 92 65 40 E6 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 C9 0B 5F 1C 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2FADBDF-6855-42F7-BDFC-F0C510EDA9BC}\DynamicInfo: 03 00 00 00 92 65 40 E6 1B 34 DB 01 7B 59 17 EA 02 5B DB 01 00 00 00 00 00 00 00 00 0C 0C 3B EA 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1A03158-0E8C-4CA8-8DB7-43E894A037E6}\DynamicInfo: 03 00 00 00 70 E0 61 82 23 39 DB 01 FD FD 4B 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 25 34 F6 3B 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1A03158-0E8C-4CA8-8DB7-43E894A037E6}\DynamicInfo: 03 00 00 00 70 E0 61 82 23 39 DB 01 F4 02 09 EA 02 5B DB 01 00 00 00 00 00 00 00 00 56 D8 DD EC 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B43CBAFA-D55B-4077-AE2E-800F43C362D7}\DynamicInfo: 03 00 00 00 9A 7A 47 E6 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 C7 04 07 80 D7 C9 63 1C 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B43CBAFA-D55B-4077-AE2E-800F43C362D7}\DynamicInfo: 03 00 00 00 9A 7A 47 E6 1B 34 DB 01 F3 CA 19 EA 02 5B DB 01 00 00 00 00 C7 04 07 80 7C 93 50 EA 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B5108B49-C39A-43DE-AC49-06155873BAE9}\DynamicInfo: 03 00 00 00 9A 7A 47 E6 1B 34 DB 01 E4 FD 24 7B 56 59 DB 01 00 00 00 00 00 00 00 00 E4 FD 24 7B 56 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B5108B49-C39A-43DE-AC49-06155873BAE9}\DynamicInfo: 03 00 00 00 9A 7A 47 E6 1B 34 DB 01 60 E1 01 EA 02 5B DB 01 00 00 00 00 00 00 00 00 10 35 1B EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAF4B9A8-1B02-4B38-B231-7EA97230256B}\DynamicInfo: 03 00 00 00 05 42 4C E6 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 00 00 00 00 FC 56 30 2B 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAF4B9A8-1B02-4B38-B231-7EA97230256B}\DynamicInfo: 03 00 00 00 05 42 4C E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 00 00 00 00 BA D2 40 11 03 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C483CE25-B1C5-4BEB-AA31-5CADC8C66692}\DynamicInfo: 03 00 00 00 67 C8 55 E6 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 FC 8B 57 42 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C483CE25-B1C5-4BEB-AA31-5CADC8C66692}\DynamicInfo: 03 00 00 00 67 C8 55 E6 
1B 34 DB 01 F3 CA 19 EA 02 5B DB 01 00 00 00 00 00 00 00 00 46 EE 7C EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C9EC268B-1D36-4AF0-A1EB-2C1BC3B455D9}\DynamicInfo: 03 00 00 00 76 2E 58 E6 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 10 D8 A1 1C 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C9EC268B-1D36-4AF0-A1EB-2C1BC3B455D9}\DynamicInfo: 03 00 00 00 76 2E 58 E6 1B 34 DB 01 F3 CA 19 EA 02 5B DB 01 00 00 00 00 00 00 00 00 17 CF 37 EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D5A9F0F2-D7CA-4A2B-8871-C67F2CBEADF1}\DynamicInfo: 03 00 00 00 F2 55 5F E6 1B 34 DB 01 34 4A 68 1F 5F 59 DB 01 00 00 00 00 00 00 00 00 58 E8 93 29 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D5A9F0F2-D7CA-4A2B-8871-C67F2CBEADF1}\DynamicInfo: 03 00 00 00 F2 55 5F E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 00 00 00 00 FD 30 43 11 03 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9353C30-D505-4F11-8F95-55F3DDA1E214}\DynamicInfo: 03 00 00 00 F2 55 5F E6 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 DD 3E CD 27 6D 3E DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9353C30-D505-4F11-8F95-55F3DDA1E214}\DynamicInfo: 03 00 00 00 F2 55 5F E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 DD 3E CD 27 6D 3E DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E51EADD7-C4F7-43E7-A9CB-FEC8EC1E204F}\DynamicInfo: 03 00 00 00 5B DD 68 E6 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 2B 04 07 80 00 00 00 00 00 00 00 00 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E51EADD7-C4F7-43E7-A9CB-FEC8EC1E204F}\DynamicInfo: 03 00 00 00 5B DD 68 E6 1B 34 DB 01 D3 81 1E EA 02 5B DB 01 00 00 00 00 2B 04 07 80 00 00 00 00 00 00 00 00 HKLM\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tasks\{F472261A-A57A-465B-A695-5F2E75E37782}\DynamicInfo: 03 00 00 00 70 CF 74 E6 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 3A E3 98 1E 5F 59 DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F472261A-A57A-465B-A695-5F2E75E37782}\DynamicInfo: 03 00 00 00 70 CF 74 E6 1B 34 DB 01 04 E7 20 EA 02 5B DB 01 00 00 00 00 00 00 00 00 B1 34 78 EB 02 5B DB 01 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-914199523-3388888877-1504927903-1001\RefCount: 09 00 00 00 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-914199523-3388888877-1504927903-1001\RefCount: 0A 00 00 00 HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727\NGenService\State\LastSuccess: 0x08DD277EAF66ED0B HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727\NGenService\State\LastSuccess: 0x08DD29229579DEF3 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\LastStartedAU: 0x67730E86 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\LastStartedAU: 0x67731323 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState\StateValue: 0x00000011 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState\StateValue: 0x00000003 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\goopdate_main: 03 00 00 00 00 00 00 00 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\goopdate_main: 04 00 00 00 00 00 00 00 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\goopdate_constructor: 03 00 00 00 00 00 00 00 HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\goopdate_constructor: 04 00 00 00 00 00 00 00 HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\SequenceNumber: 0x00000071 
HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\SequenceNumber: 0x00000072 HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Windows\System32\rundll32.exe: 88 2F D9 6F 6E 59 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Windows\System32\rundll32.exe: 92 63 5C EA 02 5B DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Map\S-1-5-19#SmsRouter#SmsDropAcceptImmediate: "{135A9849-00A9-466F-B08A-018EC1088A6F}" HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Map\S-1-5-19#SmsRouter#SmsDropAcceptImmediate: "{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}" HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeEstimated: 0x01DB584FD33A36F0 HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeEstimated: 0x01DB58518068AAE0 HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeHigh: 0x01DB5B0BE8DB84F0 HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeHigh: 0x01DB5B0D9609F8E0 HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeLow: 0x01DB56E104E0BFF0 HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeLow: 0x01DB56E2B20F33E0 HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount: 0x000000000040F64F HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount: 0x00000000004BF2FE HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\SequenceNumber: 0x00000071 HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\SequenceNumber: 0x00000072 
----------------------------------
Total changes: 199
----------------------------------
=======================================
Networking
---------------------------------------
inetsim report:
2024-11-11 15:23:09 DNS connection, type: A, class: IN, requested name: slscr.update.microsoft[.]com
2024-11-11 15:23:09 DNS connection, type: A, class: IN, requested name: ctldl.windowsupdate[.]com
2024-11-11 15:23:09 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?95cb98bf48371ef4, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:23:09 DNS connection, type: A, class: IN, requested name: fe3cr.delivery.mp.microsoft[.]com
2024-11-11 15:23:33 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?02ff515d0ff4a002, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:25:35 DNS connection, type: A, class: IN, requested name: update.googleapis[.]com
2024-11-11 15:26:09 DNS connection, type: A, class: IN, requested name: en.wikipedia[.]org
2024-11-11 15:29:00 DNS connection, type: A, class: IN, requested name: node2.feed43[.]com
2024-11-11 15:29:00 HTTP connection, method: POST, URL: hxxp://node2.feed43.com/2665675887512026[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html --> each second from here
2024-11-11 15:29:00 DNS connection, type: A, class: IN, requested name: raw.githubusercontent[.]com
2024-11-11 15:29:00 HTTP connection, method: POST, URL: hxxp://raw.githubusercontent.com/johnhenery12/testy/master/xml[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html --> each second from here
...
2024-11-11 15:35:17 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?09d5b0702e00c362, file name: /var/lib/inetsim/http/fakefiles/sample.html
..
2024-11-11 15:37:00 DNS connection, type: A, class: IN, requested name: conemu.github[.]io
2024-11-11 15:37:00 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?35f6e629126ba3d4, file name: /var/lib/inetsim/http/fakefiles/sample.html
...
https://www.virustotal.com/gui/domain/ctldl.windowsupdate.com/relations
=======================================
Detection rule
---------------------------------------
I scanned the malware with Loki, and created this detection rule with yarGen:
python3 yarGen.py -m C:\Users\husky\Desktop\sample\ --excludegood -o C:\Users\husky\Desktop\sample\ad_final.yar

/*
   YARA Rule Set
   Author: yarGen Rule Generator
   Date: 2024-12-28
   Identifier: cc
   Reference: https://github.com/Neo23x0/yarGen
*/

/* Rule Set ----------------------------------------------------------------- */

rule cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57 {
   meta:
      description = "detection for dwm johnhenery12 malware"
      author = "AD added - yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2024-12-28"
      hash1 = "cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57"
   strings:
      $s1 = "escanmon.exe" fullword ascii
      $s2 = "escanpro.exe" fullword ascii
      $s3 = "AkSA.exe" fullword ascii
      $s4 = "Tray.exe" fullword ascii
      $s5 = "apvui.exe" fullword ascii
      $s6 = "onlinent.exe" fullword ascii
      $s7 = "Prd.EventViewer.exe" fullword ascii
      $s8 = "zatray.exe" fullword ascii
      $s9 = "uiSeAgnt.exe" fullword ascii
      $s10 = "egui.exe" fullword ascii
      $s11 = "PSUAMain.exe" fullword ascii
      $s12 = "norton" fullword ascii /* reversed goodware string 'notron' */
      $s13 = "bitdefender_isecurity.exe" fullword ascii
      $s14 = "nis.exe" fullword ascii
      $s15 = "ns.exe" fullword ascii
      $s16 = "\\MsUpdte.exe" fullword ascii
      $s17 = " VirtualQuery failed for %d bytes at address %p" fullword ascii
      $s18 = "bdagent" fullword ascii
      $s19 = "ouemm/emm!!!!!!!!!!!!!" fullword ascii
      $s20 = "vakn.jUt p" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 700KB and
      8 of them
}
=======================================
* Analysis notes
---------------------------------------
The malware enumerates the running processes and looks for these process names:
ekrn.exe
egui.exe
avg
AVGUI
bdagent
gziface
bitdefender_isecurity.exe
uiSeAgnt.exe
ccSvcHst.exe
norton
AvkTray
apvui.exe
avp
AvastUI
onlinent.exe
PSUAMain.exe
escanmon.exe
escanpro.exe
Tray.exe
Prd.EventViewer.exe
zatray.exe
AkSA.exe
Decompile: FUN_00402820
/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */

int FUN_00402820(void)

{
  HMODULE pHVar1;
  HANDLE hObject;
  char *pcVar2;
  int iVar3;
  undefined4 *puVar4;
  undefined4 local_20c;
  undefined local_208;
  undefined local_207;
  undefined local_206;
  undefined local_205;
  undefined local_204;
  undefined local_203;
  undefined local_202;
  undefined local_201;
  undefined4 local_1a8;
  undefined local_1a4;
  undefined local_1a3;
  undefined local_1a2;
  undefined local_1a1;
  undefined local_1a0;
  undefined local_19f;
  undefined local_19e;
  undefined local_19d;
  undefined local_19c;
  undefined local_19b;
  undefined local_19a;
  undefined local_199;
  undefined local_198;
  undefined local_197;
  undefined local_196;
  undefined local_195;
  undefined local_194;
  undefined local_193;
  undefined local_192;
  undefined local_191;
  undefined local_190;
  undefined4 local_144 [9];
  CHAR local_120 [272];
  
  puVar4 = &local_20c;
  for (iVar3 = 0x19; iVar3 != 0; iVar3 = iVar3 + -1) {
    *puVar4 = 0;
    puVar4 = puVar4 + 1;
  }
  /* stack string: "kernel32.dll" (local_20c .. local_201) */
  local_20c._0_1_ = 'k';
  local_20c._1_1_ = 0x65;
  local_20c._2_1_ = 0x72;
  local_20c._3_1_ = 0x6e;
  puVar4 = &local_1a8;
  for (iVar3 = 0x19; iVar3 != 0; iVar3 = iVar3 + -1) {
    *puVar4 = 0;
    puVar4 = puVar4 + 1;
  }
  local_208 = 0x65;
  local_207 = 0x6c;
  local_206 = 0x33;
  local_205 = 0x32;
  local_204 = 0x2e;
  local_203 = 100;
  local_202 = 0x6c;
  local_201 = 0x6c;
  pHVar1 = GetModuleHandleA((LPCSTR)&local_20c);
  /* stack string: "LoadLibraryA" */
  local_1a8._0_1_ = 'L';
  local_1a8._1_1_ = 0x6f;
  local_1a8._2_1_ = 0x61;
  local_1a8._3_1_ = 100;
  local_1a4 = 0x4c;
  local_1a3 = 0x69;
  local_1a2 = 0x62;
  local_1a1 = 0x72;
  local_1a0 = 0x61;
  local_19f = 0x72;
  local_19e = 0x79;
  local_19d = 0x41;
  local_19c = 0;
  DAT_0041104c = (code *)FUN_00401760((int)pHVar1,(LPCSTR)&local_1a8);
  iVar3 = (*DAT_0041104c)(&local_20c);
  /* stack string: "CreateToolhelp32Snapshot" (reuses the local_1a8 buffer) */
  local_1a8._0_1_ = 'C';
  local_1a8._1_1_ = 0x72;
  local_1a8._2_1_ = 0x65;
  local_1a8._3_1_ = 0x61;
  local_1a4 = 0x74;
  local_1a3 = 0x65;
  local_1a2 = 0x54;
  local_1a1 = 0x6f;
  local_1a0 = 0x6f;
  local_19f = 0x6c;
  local_19e = 0x68;
  local_19d = 0x65;
  local_19c = 0x6c;
  local_19b = 0x70;
  local_19a = 0x33;
  local_199 = 0x32;
  local_198 = 0x53;
  local_197 = 0x6e;
  local_196 = 0x61;
  local_195 = 0x70;
  local_194 = 0x73;
  local_193 = 0x68;
  local_192 = 0x6f;
  local_191 = 0x74;
  local_190 = 0;
  _DAT_00411048 = (code *)FUN_00401760(iVar3,(LPCSTR)&local_1a8);
  /* first argument 2 = TH32CS_SNAPPROCESS */
  hObject = (HANDLE)(*_DAT_00411048)(2,0);
  if (hObject == (HANDLE)0xffffffff) {
    return 0;
  }
  /* local_144 and local_120 together form the PROCESSENTRY32 structure:
     0x128 is its dwSize, local_120 is the szExeFile field */
  local_144[0] = 0x128;
  iVar3 = Process32First(hObject,local_144);
  if (iVar3 != 0) {
    do {
      iVar3 = lstrcmpA(local_120,"ekrn.exe");
      if ((iVar3 == 0) || (iVar3 = lstrcmpA(local_120,"egui.exe"), iVar3 == 0)) {
        CloseHandle(hObject);
        return 1;
      }
      pcVar2 = strstr(local_120,"avg");
      if ((pcVar2 != (char *)0x0) || (pcVar2 = strstr(local_120,"AVGUI"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 2;
      }
      pcVar2 = strstr(local_120,"bdagent");
      if (((pcVar2 != (char *)0x0) ||
          (pcVar2 = strstr(local_120,"gziface"), pcVar2 != (char *)0x0)) ||
         (pcVar2 = strstr(local_120,"bitdefender_isecurity.exe"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 3;
      }
      pcVar2 = strstr(local_120,"uiSeAgnt.exe");
      if (pcVar2 != (char *)0x0) {
        CloseHandle(hObject);
        return 4;
      }
      pcVar2 = strstr(local_120,"ccSvcHst.exe");
      if (((pcVar2 != (char *)0x0) ||
          (pcVar2 = strstr(local_120,"norton"), pcVar2 != (char *)0x0)) ||
         ((pcVar2 = strstr(local_120,"nis.exe"), pcVar2 != (char *)0x0 ||
          (pcVar2 = strstr(local_120,"ns.exe"), pcVar2 != (char *)0x0)))) {
        CloseHandle(hObject);
        return 5;
      }
      pcVar2 = strstr(local_120,"AvkTray");
      if ((pcVar2 != (char *)0x0) ||
         (pcVar2 = strstr(local_120,"AVKTray"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 6;
      }
      pcVar2 = strstr(local_120,"apvui.exe");
      if ((pcVar2 != (char *)0x0) || (pcVar2 = strstr(local_120,"avp"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 7;
      }
      pcVar2 = strstr(local_120,"AvastUI");
      if (pcVar2 != (char *)0x0) {
        CloseHandle(hObject);
        return 8;
      }
      pcVar2 = strstr(local_120,"onlinent.exe");
      if (pcVar2 != (char *)0x0) {
        CloseHandle(hObject);
        return 10;
      }
      pcVar2 = strstr(local_120,"PSUAMain.exe");
      if (pcVar2 != (char *)0x0) {
        CloseHandle(hObject);
        return 9;
      }
      pcVar2 = strstr(local_120,"escanmon.exe");
      if ((pcVar2 != (char *)0x0) ||
         (pcVar2 = strstr(local_120,"escanpro.exe"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 0xb;
      }
      pcVar2 = strstr(local_120,"Tray.exe");
      if ((pcVar2 != (char *)0x0) ||
         (pcVar2 = strstr(local_120,"Prd.EventViewer.exe"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 0xd;
      }
      pcVar2 = strstr(local_120,"zatray.exe");
      if ((pcVar2 != (char *)0x0) ||
         (pcVar2 = strstr(local_120,"AkSA.exe"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 0xc;
      }
      iVar3 = Process32Next(hObject,local_144);
    } while (iVar3 != 0);
    iVar3 = 0;
  }
  CloseHandle(hObject);
  return iVar3;
}
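Added example (not part of the original analysis or of Ghidra's output): a small Python helper that replays the byte-wise stack writes from the FUN_00402820 listing above and recovers the string each call receives, including the reuse of the local_1a8 buffer. It assumes every plain `local_xxx = value` write is a single byte, as the `undefined` declarations in this listing indicate; the script's function names are illustrative.

```python
import re

# Constructed input: statements copied from the FUN_00402820 listing on this page.
# The two zeroing loops are left out; they only clear the buffers.
DECOMPILE = r"""
local_20c._0_1_ = 'k'; local_20c._1_1_ = 0x65; local_20c._2_1_ = 0x72; local_20c._3_1_ = 0x6e;
local_208 = 0x65; local_207 = 0x6c; local_206 = 0x33; local_205 = 0x32;
local_204 = 0x2e; local_203 = 100; local_202 = 0x6c; local_201 = 0x6c;
pHVar1 = GetModuleHandleA((LPCSTR)&local_20c);
local_1a8._0_1_ = 'L'; local_1a8._1_1_ = 0x6f; local_1a8._2_1_ = 0x61; local_1a8._3_1_ = 100;
local_1a4 = 0x4c; local_1a3 = 0x69; local_1a2 = 0x62; local_1a1 = 0x72;
local_1a0 = 0x61; local_19f = 0x72; local_19e = 0x79; local_19d = 0x41; local_19c = 0;
DAT_0041104c = (code *)FUN_00401760((int)pHVar1,(LPCSTR)&local_1a8);
iVar3 = (*DAT_0041104c)(&local_20c);
local_1a8._0_1_ = 'C'; local_1a8._1_1_ = 0x72; local_1a8._2_1_ = 0x65; local_1a8._3_1_ = 0x61;
local_1a4 = 0x74; local_1a3 = 0x65; local_1a2 = 0x54; local_1a1 = 0x6f;
local_1a0 = 0x6f; local_19f = 0x6c; local_19e = 0x68; local_19d = 0x65;
local_19c = 0x6c; local_19b = 0x70; local_19a = 0x33; local_199 = 0x32;
local_198 = 0x53; local_197 = 0x6e; local_196 = 0x61; local_195 = 0x70;
local_194 = 0x73; local_193 = 0x68; local_192 = 0x6f; local_191 = 0x74; local_190 = 0;
_DAT_00411048 = (code *)FUN_00401760(iVar3,(LPCSTR)&local_1a8);
"""

# One-byte stack write, e.g.  local_208 = 0x65   or   local_20c._1_1_ = 0x65
ASSIGN = re.compile(
    r"^local_([0-9a-f]+)(?:\._(\d+)_1_)?\s*=\s*('.'|0x[0-9a-fA-F]+|\d+)$"
)
# A stack buffer handed to a call, e.g.  (LPCSTR)&local_20c
REF = re.compile(r"&local_([0-9a-f]+)")


def parse_byte(literal):
    """Ghidra prints a byte as a char ('k'), as hex (0x65) or as decimal (100 == 'd')."""
    if literal.startswith("'"):
        return ord(literal[1])
    return int(literal, 0)


def read_cstring(frame, addr):
    """Read bytes upward from addr until a NUL or a byte that was never written."""
    chars = []
    while frame.get(addr, 0) != 0:
        chars.append(chr(frame[addr]))
        addr += 1
    return "".join(chars)


def recover_stack_strings(decompiled):
    """Return [(consuming statement, string)] in the order the calls appear.

    Ghidra names a local after its hex stack offset, so local_20c sits below
    local_208 in memory, and byte k of local_20c (written as ._k_1_) lives at
    frame address -0x20c + k. Writes are replayed in order, so a buffer that is
    overwritten later yields a different string at the next call.
    """
    frame = {}   # frame-relative address -> last byte written there
    found = []
    for stmt in (s.strip() for s in decompiled.replace("\n", " ").split(";")):
        write = ASSIGN.match(stmt)
        if write:
            addr = -int(write.group(1), 16) + int(write.group(2) or 0)
            frame[addr] = parse_byte(write.group(3))
            continue
        for offset in REF.findall(stmt):
            text = read_cstring(frame, -int(offset, 16))
            if text:  # skip references taken before anything was written
                found.append((stmt, text))
    return found


if __name__ == "__main__":
    for statement, text in recover_stack_strings(DECOMPILE):
        print(f"{text!r:30} <- {statement}")
```

Pasting the whole function works as well: loop fragments and multi-byte writes simply do not match the assignment pattern and are ignored.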
Capa detected XOR-encoded data; I found the XOR keys with Ghidra: 0x03, 0x0A
=======================================
Online research
---------------------------------------
- Sandboxes:
https://bazaar.abuse.ch/sample/cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57/
https://app.any.run/tasks/0c22d364-518a-46bd-a82b-8c454c459cb3?p=67714d1b7bc927e79eaaff39
https://tria.ge/200829-srk9q9pera
https://www.virustotal.com/gui/file/cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57/details
https://www.hybrid-analysis.com/sample/cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57/677187644771dbe8bd0f38d0
https://www.useragents.me/
https://useragentstring.com/index.php
- Relevant Info to review:
https://bazaar.abuse.ch/browse/tag/BozokRAT/
https://x.com/arkbird_solg/status/1299450788163575808 "#APT #Patchwork Edited BozokRAT with the same Xor keys (0x3, 0xA) that the last BozokRAT sample ... "
https://otx.alienvault.com/pulse/60f02c152b68bec1ace00c85 "#Patchwork #APT maldoc is dropping #BozokRAT ... "
https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok
https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews
https://attack.mitre.org/software/S0128/ "BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control ... "
https://openhunting.io/threat-library-detail?data=bozok
https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Patchwork%2C%20Dropping%20Elephant
https://www.virusbulletin.com/conference/vb2023/abstracts/dropping-elephant-never-dropped/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf#page=121 "Kaspersky Crimeware Reports Common TTPs of the modern ransomware groups"
https://unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/
=======================================
Learning Resources
---------------------------------------
- TCM Security [referral link]: Practical Malware Analysis & Triage (PMAT) course (Practical Malware Research Professional (PMRP) exam)
- Infosec Skills: Reverse Engineering path, Hands-on Ransomware Mitigation path
- TryHackMe: Malware Analysis module, Yara room
- HackTheBox Academy [referral link]: Introduction to Malware Analysis, YARA & Sigma for SOC Analysts
- Rangeforce Community Theme: Reverse Engineering
- Practical Malware Analysis ebook + Jai Minton Practical Malware Analysis - Lab Write-up
- SANS Digital Forensics and Incident Response
* to be continued