Malware Sample Analysis

This blog post is a work in progress. In it I analyze the malware sample with SHA-256 cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57 and collect beginner-friendly resources for getting started with malware analysis. Let's get started!
Screenshot: bazaar.abuse.ch (MalwareBazaar) entry for the SHA-256 above
Filename: cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe
Internal (original) name: dwm.exe, i.e. the sample poses as the legitimate Desktop Window Manager; the strings section below carries matching version-info text ("Desktop Window Manager", "Microsoft Corporation", 6.1.7600.16385 from the win7_rtm build string)
Size: 243,361 bytes
Time/date stamp: Thu Jan 01 18:12:16 1970 (UTC). That is 65,536 seconds (0x10000) after the epoch, so the PE TimeDateStamp field holds 0x00010000 rather than a real build time; do not use it to date the sample.
Compiler: MinGW (GCC: (GNU) 4.8.2)
MD5: 8b282ef8f441ccceb707a9ee04a5413e
SHA-256: cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57
Imphash: 79CF8CA8DD4DAD9D47E49BEB5C9BBD50
Ssdeep: 6144:oeLc9VV0liQ9KM5uVEgqz/ZnMmwqFlYiJB:owcDV0lilM5MqVMwbYiP
Screenshots: pestudio (file name, 9 sections, .bss), ssdeep, Detect It Easy, TrID, pecheck, PEiD, KANAL
capa.exe cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe

Screenshot: capa default (summary) output. The very verbose run (capa -vv) is reproduced below. Entries marked "(library rule)" are capa helper rules that other rules build on and that the default output hides; they are not findings on their own. The namespaced rules further down are the ones to read closely.
md5                     8b282ef8f441ccceb707a9ee04a5413e                                                           
sha1                    10fc5bbd2f801251d1228e6b3b35d24c6e018162                                                   
sha256                  cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57                           
path                    C:/Users/husky/Desktop/cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe
timestamp               2024-12-27 19:17:53.970541                                                                 
capa version            7.4.0                                                                                      
os                      windows                                                                                    
format                  pe                                                                                         
arch                    i386                                                                                       
analysis                static                                                                                     
extractor               VivisectFeatureExtractor                                                                   
base address            0x400000                                                                                   
rules                   C:/Users/husky/AppData/Local/Temp/_MEI70002/rules                                          
function count          186                                                                                        
library function count  0                                                                                          
total feature count     10683                                                                                      

allocate or change RW memory (library rule)
author  0x534a@mailbox.org, @mr-tz     
scope   basic block                    
mbc     Memory::Allocate Memory [C0007]
basic block @ 0x404916 in function 0x4048C0
  and:
    or:
      match: change memory protection @ 0x404916
        or:
          api: VirtualProtect @ 0x404935
    or:
      number: 0x4 = PAGE_READWRITE @ 0x404956

change memory protection (2 matches, only showing first match of library rule)
author  @mr-tz                                  
scope   basic block                             
mbc     Memory::Change Memory Protection [C0008]
basic block @ 0x404916 in function 0x4048C0
  or:
    api: VirtualProtect @ 0x404935

contain loop (55 matches, only showing first match of library rule)
author  moritz.raabe@mandiant.com
scope   function                 
function @ 0x4013E0
  or:
    characteristic: loop @ 0x4013E0

create or open file (2 matches, only showing first match of library rule)
author  michael.hunhoff@mandiant.com, joakim@intezer.com
scope   basic block                                     
mbc     File System::Create File [C0016]                
basic block @ 0x402FB0 in function 0x402FB0
  or:
    api: fopen @ 0x402FC7, 0x40304E

delay execution (library rule)
author      michael.hunhoff@mandiant.com, @ramen0x3f                                                                                                                      
scope       basic block                                                                                                                                                   
mbc         Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003]                                                                             
references  https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions, https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp
basic block @ 0x40A4E0 in function 0x40A4C0
  or:
    and:
      os: windows
      or:
        api: Sleep @ 0x40A4E7

contain obfuscated stackstrings (17 matches)
namespace  anti-analysis/obfuscation/string/stackstring                                                                                                                     
author     moritz.raabe@mandiant.com                                                                                                                                        
scope      basic block                                                                                                                                                      
att&ck     Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]                                                                       
mbc        Anti-Static Analysis::Executable Code Obfuscation::Argument Obfuscation [B0032.020], Anti-Static Analysis::Executable Code Obfuscation::Stack Strings [B0032.017]
basic block @ 0x4017B0 in function 0x4017B0
  characteristic: stack string @ 0x4017B0
basic block @ 0x4019FC in function 0x4019D0
  characteristic: stack string @ 0x4019FC
basic block @ 0x401A55 in function 0x4019D0
  characteristic: stack string @ 0x401A55
basic block @ 0x401B4A in function 0x4019D0
  characteristic: stack string @ 0x401B4A
basic block @ 0x401CDC in function 0x4019D0
  characteristic: stack string @ 0x401CDC
basic block @ 0x401E1B in function 0x4019D0
  characteristic: stack string @ 0x401E1B
basic block @ 0x401FF8 in function 0x401F00
  characteristic: stack string @ 0x401FF8
basic block @ 0x40215D in function 0x401F00
  characteristic: stack string @ 0x40215D
basic block @ 0x40230D in function 0x401F00
  characteristic: stack string @ 0x40230D
basic block @ 0x4025BE in function 0x401F00
  characteristic: stack string @ 0x4025BE
basic block @ 0x402820 in function 0x402820
  characteristic: stack string @ 0x402820
basic block @ 0x403080 in function 0x403080
  characteristic: stack string @ 0x403080
basic block @ 0x403360 in function 0x403360
  characteristic: stack string @ 0x403360
basic block @ 0x403640 in function 0x403640
  characteristic: stack string @ 0x403640
basic block @ 0x40381B in function 0x403640
  characteristic: stack string @ 0x40381B
basic block @ 0x403DD0 in function 0x403DD0
  characteristic: stack string @ 0x403DD0
basic block @ 0x40B75E in function 0x40B710
  characteristic: stack string @ 0x40B75E

compiled with MinGW for Windows
namespace  compiler/mingw                 
author     william.ballenthin@mandiant.com
scope      file                           
and:
  string: "Mingw runtime failure:" @ file+0xB7E8
  string: "_Jv_RegisterClasses" = from GCC @ file+0xB237

encode data using XOR
namespace  data-manipulation/encoding/xor                                                                                               
author     moritz.raabe@mandiant.com                                                                                                    
scope      basic block                                                                                                                  
att&ck     Defense Evasion::Obfuscated Files or Information [T1027]                                                                     
mbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02], Data::Encode Data::XOR [C0026.002]
basic block @ 0x407008 in function 0x406ED0
  and:
    characteristic: tight loop @ 0x407008
    characteristic: nzxor @ 0x407012
    not: = filter for potential false positives
      or:
        or: = unsigned bitwise negation operation (~i)
          number: 0xFFFFFFFF = bitwise negation for unsigned 32 bits
          number: 0xFFFFFFFFFFFFFFFF = bitwise negation for unsigned 64 bits
        or: = signed bitwise negation operation (~i)
          number: 0xFFFFFFF = bitwise negation for signed 32 bits
          number: 0xFFFFFFFFFFFFFFF = bitwise negation for signed 64 bits
        or: = Magic constants used in the implementation of strings functions.
          number: 0x7EFEFEFF = optimized string constant for 32 bits
          number: 0x81010101 = -0x81010101 = 0x7EFEFEFF
          number: 0x81010100 = 0x81010100 = ~0x7EFEFEFF
          number: 0x7EFEFEFEFEFEFEFF = optimized string constant for 64 bits
          number: 0x8101010101010101 = -0x8101010101010101 = 0x7EFEFEFEFEFEFEFF
          number: 0x8101010101010100 = 0x8101010101010100 = ~0x7EFEFEFEFEFEFEFF

contain a thread local storage (.tls) section
namespace  executable/pe/section/tls   
author     michael.hunhoff@mandiant.com
scope      file                        
section: .tls @ 0x414000

extract resource via kernel32 functions
namespace  executable/resource            
author     william.ballenthin@mandiant.com
scope      function                       
function @ 0x403640
  or:
    and:
      or:
        api: LoadResource @ 0x4039B4, 0x403A17, 0x403A7A, 0x403ADD, and 2 more...
        api: LockResource @ 0x403967, 0x4039BF, 0x403A22, 0x403A85, and 3 more...
      optional:
        api: GetModuleHandle @ 0x4036D2
        api: SizeofResource @ 0x40399B, 0x4039FE, 0x403A61, 0x403AC4, and 2 more...

accept command line arguments
namespace  host-interaction/cli                                      
author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com
scope      function                                                  
att&ck     Execution::Command and Scripting Interpreter [T1059]      
mbc        Execution::Command and Scripting Interpreter [E1059]      
function @ 0x404560
  or:
    api: GetCommandLine @ 0x404576

query environment variable (2 matches)
namespace  host-interaction/environment-variable          
author     michael.hunhoff@mandiant.com, @_re_fox         
scope      function                                       
att&ck     Discovery::System Information Discovery [T1082]
mbc        Discovery::System Information Discovery [E1082]
function @ 0x403360
  or:
    api: GetEnvironmentVariable @ 0x4035A4
function @ 0x4074A0
  or:
    api: getenv @ 0x407500

get common file path
namespace  host-interaction/file-system                                                            
author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope      function                                                                                
att&ck     Discovery::File and Directory Discovery [T1083]                                         
mbc        Discovery::File and Directory Discovery [E1083]                                         
function @ 0x401F00
  or:
    api: GetSystemDirectory @ 0x4024EB

create directory
namespace  host-interaction/file-system/create                    
author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope      function                                               
mbc        File System::Create Directory [C0046]                  
function @ 0x403080
  or:
    api: CreateDirectory @ 0x4032DC, 0x4032EF

get file size
namespace  host-interaction/file-system/meta                            
author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope      function                                                     
att&ck     Discovery::File and Directory Discovery [T1083]              
mbc        Discovery::File and Directory Discovery [E1083]              
function @ 0x401F00
  or:
    api: GetFileSize @ 0x402320

set file attributes
namespace  host-interaction/file-system/meta                                                       
author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope      basic block                                                                             
att&ck     Defense Evasion::File and Directory Permissions Modification [T1222]                    
mbc        File System::Set File Attributes [C0050]                                                
basic block @ 0x403080 in function 0x403080
  or:
    api: SetFileAttributes @ 0x403302

read file on Windows (2 matches)
namespace  host-interaction/file-system/read                         
author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com
scope      function                                                  
mbc        File System::Read File [C0051]                            
function @ 0x401F00
  or:
    and:
      os: windows
      or:
        api: ReadFile @ 0x4023D8
function @ 0x402FB0
  or:
    and:
      os: windows
      or:
        api: fread @ 0x403033

write file on Windows (2 matches)
namespace  host-interaction/file-system/write                              
author     william.ballenthin@mandiant.com, anushka.virgaonkar@mandiant.com
scope      function                                                        
mbc        File System::Writes File [C0052]                                
function @ 0x402FB0
  or:
    and:
      os: windows
      optional:
        basic block:
          or:
            number: 0x2 = FILE_WRITE_DATA @ 0x402FCC
            match: create or open file @ 0x402FB0
              or:
                api: fopen @ 0x402FC7, 0x40304E
      or:
        api: fwrite @ 0x403068
function @ 0x404870
  or:
    and:
      os: windows
      or:
        api: fwrite @ 0x40489C

check Internet connectivity via WinINet (2 matches)
namespace  host-interaction/network/connectivity                                                       
author     matthew.williams@mandiant.com, michael.hunhoff@mandiant.com                                 
scope      basic block                                                                                 
att&ck     Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001]
basic block @ 0x4041BB in function 0x403DD0
  or:
    and:
      or:
        api: InternetCheckConnection @ 0x4041EE, 0x404219
      optional:
        instruction:
          and:
            mnemonic: cmp @ 0x40423C
            or:
              number: 0x1 = TRUE @ 0x40423C
basic block @ 0x404246 in function 0x403DD0
  or:
    and:
      or:
        api: InternetCheckConnection @ 0x40425D

get thread local storage value
namespace  host-interaction/process    
author     michael.hunhoff@mandiant.com
scope      function                    
function @ 0x404C30
  and:
    api: TlsGetValue @ 0x404C56

allocate or change RWX memory
namespace  host-interaction/process/inject
author     @mr-tz                         
scope      basic block                    
mbc        Memory::Allocate Memory [C0007]
basic block @ 0x404916 in function 0x4048C0
  and:
    or:
      match: change memory protection @ 0x404916
        or:
          api: VirtualProtect @ 0x404935
    or:
      number: 0x40 = PAGE_EXECUTE_READWRITE @ 0x404920

enumerate processes
namespace  host-interaction/process/list                                              
author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com                    
scope      function                                                                   
att&ck     Discovery::Process Discovery [T1057], Discovery::Software Discovery [T1518]
function @ 0x402820
  or:
    and:
      api: Process32First @ 0x402A1E
      api: Process32Next @ 0x402CA7

link function at runtime on Windows (7 matches)
namespace  linking/runtime-linking                                
author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope      instruction                                            
att&ck     Execution::Shared Modules [T1129]                      
instruction @ 0x401329
  and:
    os: windows
    or:
      api: GetProcAddress @ 0x401329
instruction @ 0x401374
  and:
    os: windows
    or:
      api: GetProcAddress @ 0x401374
instruction @ 0x4013B9
  and:
    os: windows
    or:
      api: GetProcAddress @ 0x4013B9
instruction @ 0x401D8E
  and:
    os: windows
    or:
      api: GetProcAddress @ 0x401D8E
instruction @ 0x401E90
  and:
    os: windows
    or:
      api: GetProcAddress @ 0x401E90
instruction @ 0x401FC9
  and:
    os: windows
    or:
      api: GetProcAddress @ 0x401FC9
instruction @ 0x402558
  and:
    os: windows
    or:
      api: GetProcAddress @ 0x402558

resolve function by parsing PE exports (2 matches)
namespace  load-code/pe
author     sara-rn     
scope      function    
function @ 0x401760
  and:
    os: windows
    or:
      mnemonic: movzx @ 0x401798
    and:
      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x401769
      or:
        and:
          arch: i386
          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x40176C
      3 or more:
        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x401770, 0x401795
        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x401765, 0x401785
        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x40177E
        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40179E
function @ 0x4074A0
  and:
    os: windows
    or:
      characteristic: loop @ 0x4074A0
      mnemonic: movzx @ 0x407569, 0x407592, 0x4075A0, 0x407617, and 20 more...
    and:
      offset: 0x3C = IMAGE_DOS_HEADER.PE.e_lfanew @ 0x4074DD
      or:
        and:
          arch: i386
          offset: 0x78 = offset to IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_EXPORT] @ 0x4074F0
      3 or more:
        offset: 0x14 = IMAGE_EXPORT_DIRECTORY.NumberOfFunctions @ 0x40755D, 0x4075A6, 0x4075FB, 0x407608, and 22 more...
        offset: 0x24 = IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals @ 0x407750, 0x407758, 0x4077D3, 0x407803, and 10 more...
        offset: 0x20 = IMAGE_EXPORT_DIRECTORY.AddressOfNames @ 0x407698, 0x40769C, 0x40775E, 0x407762, and 18 more...
        offset: 0x18 = IMAGE_EXPORT_DIRECTORY.NumberOfNames @ 0x407571, 0x407A2C, 0x407A34, 0x407A49, and 7 more...
        offset: 0x1C = IMAGE_EXPORT_DIRECTORY.AddressOfFunctions @ 0x40752C, 0x407CEE
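
capa matched "resolve function by parsing PE exports" in two functions (0x401760 and 0x4074A0), so the sample does not rely on GetProcAddress alone: it follows e_lfanew (0x3C) to the PE header, reads the export data directory (at PE+0x78 in a PE32 optional header) and walks IMAGE_EXPORT_DIRECTORY (NumberOfFunctions 0x14, NumberOfNames 0x18, AddressOfFunctions 0x1C, AddressOfNames 0x20, AddressOfNameOrdinals 0x24) by itself. That is the usual way to resolve APIs without an import entry and without calling GetProcAddress, which defeats naive import-table triage. The Python below is an added example written by the editor, not code from the sample or the post; it builds a tiny constructed in-memory PE32 image with an export table and resolves a name from it using exactly the offsets capa listed, with the bounds check (ordinal against NumberOfFunctions) that malware usually omits.

```python
"""Resolve an export by walking IMAGE_EXPORT_DIRECTORY by hand.

Added example (editor's code, not the sample's or the post author's). The
offsets are the ones capa reported: e_lfanew at 0x3C, the export data
directory at PE+0x78 (PE32 only) and the IMAGE_EXPORT_DIRECTORY fields at
+0x14/+0x18/+0x1C/+0x20/+0x24. The image built here is constructed test
data, laid out as it would be mapped in memory (RVA == offset).
"""
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B


def build_synthetic_image(exports, dll_name=b"KERNEL32.dll"):
    """Minimal PE32 image with nothing but an export directory (test data)."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew -> PE header at 0x40
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 0 sections, SizeOfOptionalHeader=0xE0, EXECUTABLE|32BIT|DLL
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    struct.pack_into("<H", img, 0x58, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    export_rva, eat, enpt, eot, strings = 0x200, 0x300, 0x400, 0x500, 0x600
    struct.pack_into("<II", img, 0x40 + 0x78, export_rva, 0x100)  # DataDirectory[EXPORT]
    names = sorted(exports)                                     # real linkers sort export names
    n = len(names)
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name, Base,
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", img, export_rva, 0, 0, 0, 0, strings, 1, n, n, eat, enpt, eot)
    cursor = strings
    img[cursor:cursor + len(dll_name) + 1] = dll_name + b"\0"
    cursor += len(dll_name) + 1
    for i, name in enumerate(names):
        struct.pack_into("<I", img, eat + 4 * i, exports[name])   # function RVA
        struct.pack_into("<I", img, enpt + 4 * i, cursor)         # RVA of the name string
        struct.pack_into("<H", img, eot + 2 * i, i)               # unbiased ordinal -> EAT index
        encoded = name.encode("ascii") + b"\0"
        img[cursor:cursor + len(encoded)] = encoded
        cursor += len(encoded)
    return bytes(img)


def resolve_export(image, wanted, base=0):
    """Return base + RVA of `wanted`, or None. Mirrors the logic capa flagged."""
    def u16(off):
        return struct.unpack_from("<H", image, off)[0]

    def u32(off):
        return struct.unpack_from("<I", image, off)[0]

    def cstr(off):
        return image[off:image.index(b"\0", off)].decode("ascii", "replace")

    if image[:2] != b"MZ":
        return None
    pe = u32(0x3C)                                    # IMAGE_DOS_HEADER.e_lfanew
    if image[pe:pe + 4] != b"PE\0\0" or u16(pe + 0x18) != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return None                                   # the 0x78 offset below is PE32-specific
    export_rva = u32(pe + 0x78)                       # DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]
    if export_rva == 0:
        return None                                   # module has no exports
    n_funcs = u32(export_rva + 0x14)                  # NumberOfFunctions
    n_names = u32(export_rva + 0x18)                  # NumberOfNames
    eat = u32(export_rva + 0x1C)                      # AddressOfFunctions
    enpt = u32(export_rva + 0x20)                     # AddressOfNames
    eot = u32(export_rva + 0x24)                      # AddressOfNameOrdinals
    for i in range(n_names):
        if cstr(u32(enpt + 4 * i)) != wanted:
            continue
        ordinal = u16(eot + 2 * i)
        if ordinal >= n_funcs:                        # malformed table: refuse rather than read garbage
            return None
        return base + u32(eat + 4 * ordinal)          # forwarded exports are not handled here
    return None


if __name__ == "__main__":
    image = build_synthetic_image({"LoadLibraryA": 0x1000, "VirtualAlloc": 0x1100, "Sleep": 0x1200})
    for api in ("LoadLibraryA", "VirtualAlloc", "Sleep", "NotAnExport"):
        print(f"{api:14s} -> {resolve_export(image, api, base=0x77000000)}")
```

The same walk applied to a real module (read the loaded image from memory, or map a DLL from disk and translate RVAs through the section table) is what you would expect to see at 0x4074A0, where capa counts 24 movzx instructions in a loop: that is the byte-by-byte name comparison against the name pointer table.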

create shortcut via IShellLink
namespace   persistence                                                                                                   
author      matthew.williams@mandiant.com                                                                                 
scope       function                                                                                                      
att&ck      Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009]                             
references  https://docs.microsoft.com/en-us/windows/win32/shell/links#creating-a-shortcut-and-a-folder-shortcut-to-a-file
function @ 0x402E10
  and:
    offset: 0x50 = psl->SetPath @ 0x402EAB
    offset: 0x18 = ppf->Save @ 0x402F78
    api: CoCreateInstance @ 0x402E52
    bytes: 0114020000000000c000000000000046 = CLSID_ShellLink @ 0x402E4B
    bytes: 0b01000000000000c000000000000046 = IID_IPersistFile @ 0x402F13
    or:
      bytes: f914020000000000c000000000000046 = IID_IShellLinkW @ 0x402E33



=======================================
Strings of interest
---------------------------------------
Screenshot: pestudio strings view. Entries of interest:
GetEnvironmentVariable
InternetCheckConnection
VirtualProtect
VirtualQuery
FindFirstFile
FindNextFile
SetFileAttributes
GetCurrentProcess
Process32First
Process32Next
ShowWindow
DeleteCriticalSection
EnterCriticalSection
InitializeCriticalSection
InterlockedExchange
LeaveCriticalSection
LoadResource
LockResource
SizeofResource
GetSystemDirectory
WININET.DLL
VirtualQuery failed for %d bytes at address %p
LocalAlloc
malloc
memcpy
FindClose
GetFileSize
ReadFile
SHGetFolderPath
CreateDirectory
fclose
fopen
fputc
fread
fseek
ftell
fwrite
ExitProcess
TlsGetValue
GetCommandLine
Sleep
SetUnhandledExceptionFilter
GetProcAddress
GetModuleFileName
GetModuleHandle
LoadLibrary
GetLastError
GetConsoleWindow
!This program cannot be run in DOS mode.
.CRT
libgcc_s_dw2-1.dll
libgcj-13.dll
ekrn.exe
egui.exe
bitdefender_isecurity.exe
uiSeAgnt.exe
ccSvcHst.exe
nis.exe
ns.exe
apvui.exe
onlinent.exe
PSUAMain.exe
escanmon.exe
escanpro.exe
Tray.exe
Prd.EventViewer.exe
zatray.exe
AkSA.exe
\MsUpdte.exe
https://en.wikipedia.org/wiki/Main_Page
https://secure.comodo.net/CPS0C
http://ocsp.comodoca.com0
dwm.exe
0@.bss
ouemm/emm!!!!!!!!!!!!!
Vtfs43/emm
bewbqj43/emm
Tifmm43/emm
lfsofm43/emm
__register_frame_info
_Jv_RegisterClasses
__deregister_frame_info
%d is the largest prime factor !
--*****
Mo~Ysy~og]e}<>Ncxoi~exsK
aoxdof98$nff
--*****-------
--*****------
PfwSql`fppGFSSloj`z
--*****------***
%d****
AVGUI
bdagent
gziface
norton
AvkTray
AVKTray
avp
AvastUI
avg
V]cdne}y*_znk~o
_Npvsgwf-omh
ProgramData
GjoeSftpvsdfB
MpbeSftpvsdf
MpdlSftpvsdf
P}_dgkz\co}ElYoi~ced
UjqwvboSqlwf`wF{
MwTqjwfUjqwvboNfnlqz
Mingw runtime failure:
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
glob-1.0-mingw32
GCC: (GNU) 4.8.2
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
$4 THE HAYLOFT, FAR PEAK, NORTHLEACH,1(0&
Accelerate Technologies Limited1(0&
admin@acceleratetech.co.uk0
Desktop Window Manager
6.1.7600.16385 (win7_rtm.090713-1255)
Microsoft Corporation. All rights reserved.
6WinUpdatr_ldrexe_19july.ex
floss.exe --no static -- cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe

FLARE FLOSS RESULTS (version v3.1.1-0-g3cd3ee6)

+------------------------+------------------------------------------------------------------------------------+
| file path              | cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe               |
| identified language    | unknown                                                                            |
| extracted strings      |                                                                                    |
|  static strings        | Disabled                                                                           |
|   language strings     | 0 (0 characters)                                                                   |
|  stack strings         | 24                                                                                 |
|  tight strings         | 0                                                                                  |
|  decoded strings       | 29                                                                                 |
+------------------------+------------------------------------------------------------------------------------+

 ──────────────────────────
  FLOSS STACK STRINGS (24)
 ──────────────────────────

SeDebugPrivilege
kernel32.dllW
LoadLibraryAW
LoadLibraryA
OpenProcessTokenW
Advapi32.dllW
LookupPrivilegeValueA
AdjustTokenPrivileges
kernel32.dll
LoadLibraryA
CreateToolhelp32Snapshot
kernel32.dll
LoadLibraryA
Shell32.dll
MsUpdte.exe
kernel32.dll
LoadLibraryA
Shell32.dll
kernel32.dll
LoadLibraryA
SizeofResource
kernel32.dll
LoadLibraryA
LoadLibraryA

 ─────────────────────────
  FLOSS TIGHT STRINGS (0)
 ─────────────────────────

 ────────────────────────────
  FLOSS DECODED STRINGS (29)
 ────────────────────────────

GetSystemWow64DirectoryA
RPCRT4.dll
ZwUnmapViewOfSection
ntdll.dll
olea
t32.dll
Kock
kernel32.dll
gdi32.dll
mfc110
.dll
advapi32.dll
r32.dll
msvcr110.dll
\Windows Update
shell32.dll
shlwapi.dll
ser32.dll
msvcrt.dll
efefefefefefefef
efefefef
User32.dll
kernel32.dll
CreateToolhelp32Snapshot
LoadLibraryA
ntdll.dll
kernel32.dll
VirtualAlloc
Infinity
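
Two of the tools above disagree in a useful way. pestudio lists strings such as "Vtfs43/emm", "Mo~Ysy~og]e}<>Ncxoi~exsK" and "MwTqjwfUjqwvboNfnlqz" as opaque, while FLOSS decodes a subset of them (GetSystemWow64DirectoryA, \Windows Update, ZwUnmapViewOfSection, kernel32.dll). Lining the two lists up gives the key: those four are single-byte XOR with 0x0A. Applying XOR 0x03 and an ASCII shift of -1 to the remaining opaque strings recovers the rest, among them SetProcessDEPPolicy, VirtualProtectEx, NtWriteVirtualMemory, \Msupdte.lnk (the Startup shortcut seen in the detonation), FindResourceA, LoadResource, LockResource and the DLL names ntdll.dll, User32.dll, advapi32.dll, Shell32.dll and kernel32.dll. The script below is an added example written by the editor, not code from the post or the sample; the keys were worked out by the editor as described, the decoder applies them to every opaque string in the pestudio listing, and a brute-force candidate search is included for strings the page does not decode. The pairing of ZwUnmapViewOfSection with NtWriteVirtualMemory is what process hollowing looks like, but that is a hypothesis to confirm in a debugger, not something these strings prove.

```python
"""Decode the obfuscated strings from the pestudio listing.

Added example (editor's code, not the sample's or the post author's). The
transforms and keys were worked out by matching pestudio's unreadable strings
against FLOSS's decoded strings: "Mo~Ysy~og]e}<>Ncxoi~exsK" XOR 0x0A is
GetSystemWow64DirectoryA, "V]cdne}y*_znk~o" XOR 0x0A is "\\Windows Update",
and so on. XOR 0x0A, XOR 0x03 and an ASCII shift of -1 account for every
other unreadable string in the listing.
"""
import string

ALLOWED = set(string.ascii_letters + string.digits + "._\\ ")


def xor_str(s, key):
    """Single-byte XOR over the string's character codes."""
    return "".join(chr(ord(c) ^ key) for c in s)


def shift_str(s, delta):
    """Caesar-style shift of every character code (mod 256)."""
    return "".join(chr((ord(c) + delta) & 0xFF) for c in s)


# (string exactly as pestudio printed it, transform, key). Keys found by the editor.
KNOWN = [
    ("ouemm/emm!!!!!!!!!!!!!", "shift", -1),        # the '!' padding decodes to spaces
    ("Vtfs43/emm", "shift", -1),
    ("bewbqj43/emm", "shift", -1),
    ("Tifmm43/emm", "shift", -1),
    ("lfsofm43/emm", "shift", -1),
    ("GjoeSftpvsdfB", "shift", -1),
    ("MpbeSftpvsdf", "shift", -1),
    ("MpdlSftpvsdf", "shift", -1),
    ("Mo~Ysy~og]e}<>Ncxoi~exsK", "xor", 0x0A),
    ("aoxdof98$nff", "xor", 0x0A),
    ("V]cdne}y*_znk~o", "xor", 0x0A),
    (r"P}_dgkz\co}ElYoi~ced", "xor", 0x0A),
    ("PfwSql`fppGFSSloj`z", "xor", 0x03),
    ("_Npvsgwf-omh", "xor", 0x03),
    ("UjqwvboSqlwf`wF{", "xor", 0x03),
    ("MwTqjwfUjqwvboNfnlqz", "xor", 0x03),
]


def decode(encoded, transform, key):
    """Apply one named transform; trailing spaces are padding, not content."""
    out = xor_str(encoded, key) if transform == "xor" else shift_str(encoded, key)
    return out.rstrip(" ")


def decode_known():
    """Map every known encoded string to its plaintext."""
    return {enc: decode(enc, t, k) for enc, t, k in KNOWN}


def looks_like_identifier(s):
    """API name, DLL name or Windows path: restricted charset, starts with a letter or backslash."""
    return bool(s) and all(c in ALLOWED for c in s) and (s[0].isalpha() or s[0] == "\\")


def candidates(encoded):
    """Brute-force every single-byte XOR key and every shift and keep plausible
    plaintexts for manual review. This generalises the three keys above to
    strings the page does not decode; expect a few false candidates on short input."""
    found = []
    for key in range(1, 256):
        pt = xor_str(encoded, key)
        if looks_like_identifier(pt):
            found.append(("xor", key, pt))
    for delta in range(-25, 26):
        if delta:
            pt = shift_str(encoded, delta)
            if looks_like_identifier(pt):
                found.append(("shift", delta, pt))
    return found


if __name__ == "__main__":
    for enc, plain in decode_known().items():
        print(f"{enc:26s} -> {plain}")
```

Cross-check against capa: FindResourceA, LoadResource and LockResource decoded here match the "extract resource via kernel32 functions" hit in function 0x403640, and the DLL names match the LoadLibraryA/GetProcAddress pattern in the "link function at runtime" hits. Strings that decode cleanly under one key and to garbage under the others are the safe ones to trust; anything the brute force returns with several candidates needs confirmation from the disassembly.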
Screenshot: pestudio flagging the e-mail address admin@acceleratetech.co.uk (it sits among the COMODO code-signing certificate fields in the strings above), and the hunter.io lookup for it.


=======================================
Imports
---------------------------------------
Screenshot: import table as shown in Ghidra
=======================================
Exports
---------------------------------------
Screenshot: export table as shown in Ghidra


=======================================
Files and Registry keys created/modified/deleted
---------------------------------------
Initial detonation (with and without REMnux/INetSim):
The malware creates a shortcut named Msupdte.lnk in the Startup directory. The shortcut targets C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b6.exe, i.e. the sample itself, so it is relaunched at the next logon. Shortcut size: 980 bytes; SHA-256: 3cb51f5f44954ea08641c1a13da0c8838a92fdb7ff18a58a962a3402c1f451d4; no matches on VirusTotal. This is the behaviour capa flagged statically as "create shortcut via IShellLink" in function 0x402E10 (ATT&CK T1547.009, Shortcut Modification).
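
The Startup-folder shortcut is the sample's persistence, so the host-side check is to read every .lnk in the two Startup folders and see where it points. The Python below is an added example written by the editor, not code from the post or the sample: a minimal MS-SHLLINK reader that validates the CLSID_ShellLink GUID (the same 16 bytes capa matched at 0x402E4B), skips the LinkTargetIDList and returns LocalBasePath, a location heuristic that flags targets outside the usual install directories, and a builder that constructs a test shortcut so the parser can be exercised offline. The target path in the constructed shortcut is hypothetical.

```python
"""Read where a Startup-folder shortcut points.

Added example (editor's code, not the sample's or the post author's). It
parses just enough of the MS-SHLLINK format to recover LocalBasePath, the
field that holds a shortcut's target, and applies a simple location heuristic.
The shortcut produced by build_lnk() is constructed test data and its target
path is hypothetical.
"""
import os
import struct
from pathlib import Path

# CLSID_ShellLink {00021401-0000-0000-C000-000000000046}, as stored in the header
CLSID_SHELLLINK = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags bit A
HAS_LINK_INFO = 0x02                    # LinkFlags bit B
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfoFlags bit A

STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup",
    Path(os.environ.get("ProgramData", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp",
]
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def lnk_target(data):
    """Return the LocalBasePath of a .lnk, or None when it carries no local path."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if data[4:20] != CLSID_SHELLLINK:
        raise ValueError("bad CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]      # IDListSize + IDList
    if not flags & HAS_LINK_INFO:
        return None
    info_flags = struct.unpack_from("<I", data, pos + 0x08)[0]
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                              # network-relative link
    start = pos + struct.unpack_from("<I", data, pos + 0x10)[0]  # LocalBasePathOffset
    return data[start:data.index(b"\0", start)].decode("ascii", "replace")


def build_lnk(target):
    """Construct a minimal shortcut: header + LinkInfo with VolumeID and LocalBasePath (test data)."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0x00, 0x4C)
    header[4:20] = CLSID_SHELLLINK
    struct.pack_into("<I", header, 0x14, HAS_LINK_INFO)
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\0"  # DRIVE_FIXED, empty label
    local_base_path = target.encode("ascii") + b"\0"
    common_path_suffix = b"\0"
    vol_off = 0x1C                                               # LinkInfoHeaderSize
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(local_base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, suffix_off)
    return bytes(header) + link_info + volume_id + local_base_path + common_path_suffix


def is_suspicious_target(target):
    """A Startup shortcut pointing outside the usual install locations deserves a look. Heuristic, not a verdict."""
    return not target.lower().startswith(TRUSTED_PREFIXES)


def scan_startup(dirs=STARTUP_DIRS):
    """Return (shortcut, target, assessment) for every .lnk in the given Startup folders."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for lnk in sorted(d.glob("*.lnk")):
            try:
                target = lnk_target(lnk.read_bytes())
            except ValueError as exc:
                findings.append((str(lnk), None, f"unparsable: {exc}"))
                continue
            verdict = "suspicious" if target and is_suspicious_target(target) else "ok"
            findings.append((str(lnk), target, verdict))
    return findings


if __name__ == "__main__":
    demo = build_lnk("C:\\Users\\husky\\Desktop\\sample\\sample.exe")   # hypothetical path
    print(lnk_target(demo), is_suspicious_target(lnk_target(demo)))
    for row in scan_startup():
        print(row)
```

Run on the detonation VM this would list Msupdte.lnk with its Desktop target as suspicious. Shortcuts written by installers usually have the LinkTargetIDList set and may omit LinkInfo; those come back as None here and need a full ID-list parser, which is out of scope for this check.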
Screenshot: Procmon summary of the initial detonation.
Regshot compare report:
Regshot 1.9.1 x64 Unicode (beta r321)
Comments: 
Datetime: 2024-12-30 21:27:32, 2024-12-30 21:39:43
Computer: DESKTOP-V64A5T1, DESKTOP-V64A5T1
Username: husky, husky

----------------------------------
Keys deleted: 6
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\ea27fe31-4467-484a-a717-ea736d21e980
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\CurrentState
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\CurrentState
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\ea27fe31-4467-484a-a717-ea736d21e980
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}

----------------------------------
Keys added: 8
----------------------------------
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0
HKLM\SOFTWARE\Microsoft\Provisioning\FirstBootRun
HKLM\SOFTWARE\Microsoft\Provisioning\LogonTaskCompleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\22386174-fd81-4e78-a42c-67d78ebebfaa
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances\22386174-fd81-4e78-a42c-67d78ebebfaa
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A01F4

----------------------------------
Values deleted: 27
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\VolatileNotifications\41C64E6DA3DC3855: 01 00 04 80 44 00 00 00 50 00 00 00 00 00 00 00 14 00 00 00 02 00 30 00 02 00 00 00 00 00 14 00 03 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 14 00 00 00 01 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 20 00 00 00
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\CurrentState\StateValue: 0x00000011
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\CurrentState\StateValue: 0x00000011
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\Priority: 0x01000000
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\CreationTime: 0x0000000067705308
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\Transient: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\IsPackaged: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\DeliveryType: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\FilterXML: ""
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\RegistrationName: "SmsDropAcceptImmediate"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\ApplicationName: "SmsRouter"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\UserSid: "S-1-5-19"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\LastNotifiedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\LastAccessedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\NotifyCount: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\Priority: 0x01000000
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\CreationTime: 0x0000000067705308
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\Transient: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\IsPackaged: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\DeliveryType: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\FilterXML: ""
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\RegistrationName: "SmsDropAcceptImmediate"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\ApplicationName: "SmsRouter"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\UserSid: "S-1-5-19"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\LastNotifiedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\LastAccessedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{135A9849-00A9-466F-B08A-018EC1088A6F}\NotifyCount: 0x00000000

----------------------------------
Values added: 43
----------------------------------
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\go+EQwXwOk+jHmdV.0\NextSession: "loyJxHVRY0myuEU7.0"
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\BeginTime: "2024-12-30 21:36:41"
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\RebootCount: 0x00000000
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\State: "Completed"
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\StateValue: 0x00000003
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\loyJxHVRY0myuEU7.0\LastRunTime: "2024-12-30 21:37:52"
HKLM\SOFTWARE\Microsoft\Provisioning\FirstBootRun\: 0x00000001
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\core_worker_succeeded: 01 00 00 00 00 00 00 00
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\core_worker_total: 01 00 00 00 00 00 00 00
HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe: 3C 21 1F EE 01 5B DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\Priority: 0x01000000
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\CreationTime: 0x0000000067731269
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\Transient: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\IsPackaged: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\DeliveryType: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\FilterXML: ""
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\RegistrationName: "SmsDropAcceptImmediate"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\ApplicationName: "SmsRouter"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\UserSid: "S-1-5-19"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\LastNotifiedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\LastAccessedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\NotifyCount: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe: 3C 21 1F EE 01 5B DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\Priority: 0x01000000
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\CreationTime: 0x0000000067731269
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\Transient: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\IsPackaged: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\DeliveryType: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\FilterXML: ""
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\RegistrationName: "SmsDropAcceptImmediate"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\ApplicationName: "SmsRouter"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\UserSid: "S-1-5-19"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\LastNotifiedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\LastAccessedMessageId: 0xFFFFFFFFFFFFFFFF
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Ids\{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}\NotifyCount: 0x00000000
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched\C:\Tools\Regshot-x64-Unicode\Regshot-x64-Unicode.exe: 0x00000001
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\uhfxl\Qrfxgbc\fnzcyr\pp8867n5sq62o82r817nsp405807s88716960ns5744040999o619o126n9rps57.rkr: 00 00 00 00 01 00 00 00 01 00 00 00 4E 00 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 19 E3 C9 01 5B DB 01 00 00 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A01F4\VirtualDesktop: 10 00 00 00 30 30 44 56 51 61 8C 11 AD 69 F0 45 81 44 60 32 A1 4A 47 E3
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 A1 B6 03 00 FD 0E 04 00 01 00 00 00 00 00 00 00 00 00 00 0A 61 20 00 00 50 BB 64 ED DD AC D5 01 00 00 00 00 00 00 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe.FriendlyAppName: "Desktop Window Manager"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe.ApplicationCompany: "Microsoft Corporation"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe.FriendlyAppName: "Desktop Window Manager"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\husky\Desktop\sample\cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57.exe.ApplicationCompany: "Microsoft Corporation"

----------------------------------
Values modified: 115
----------------------------------
HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State\LastSuccess: 0x08DD277EADC820AD
HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State\LastSuccess: 0x08DD2922957C3ABA
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\AvgFragmentsPerFile: 0x00000064
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\AvgFragmentsPerFile: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\MovableFiles: 0x0000006A
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\MovableFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\UnmovableFiles: 0x00000004
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\UnmovableFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\DirectoryCount: 0x00000004
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\DirectoryCount: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\FreeSpaceCount: 0x000000000000000A
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\FreeSpaceCount: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\AvgFreeSpaceSize: 0x0000000000000383
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\AvgFreeSpaceSize: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\LargestFreeSpaceSize: 0x000000000000116C
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\LargestFreeSpaceSize: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\TotalMFTRecords: 0x000000FF
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\TotalMFTRecords: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\InUseMFTRecords: 0x000000FF
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\InUseMFTRecords: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\MFTFragmentCount: 0x00000001
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-100000000000}\MFTFragmentCount: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\TotalUsedClusters: 0x000000000076EC59
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\TotalUsedClusters: 0x00000000007A0C1B
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\AvgFragmentsPerFile: 0x00000064
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\AvgFragmentsPerFile: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\MovableFiles: 0x0001DAE1
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\MovableFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\UnmovableFiles: 0x00000007
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\UnmovableFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FragmentedFiles: 0x00000001
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FragmentedFiles: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FragmentedExtents: 0x0000000000000001
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FragmentedExtents: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\DirectoryCount: 0x00002593
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\DirectoryCount: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FreeSpaceCount: 0x0000000000000008
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\FreeSpaceCount: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\AvgFreeSpaceSize: 0x00000000002F1CFD
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\AvgFreeSpaceSize: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\LargestFreeSpaceSize: 0x0000000000AE086D
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\LargestFreeSpaceSize: 0x0000000000000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\TotalMFTRecords: 0x0002C9FF
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\TotalMFTRecords: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\InUseMFTRecords: 0x0002C9FF
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\InUseMFTRecords: 0x00000000
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\MFTFragmentCount: 0x00000001
HKLM\SOFTWARE\Microsoft\Dfrg\Statistics\Volume{67f27a33-0000-0000-0000-300300000000}\MFTFragmentCount: 0x00000000
HKLM\SOFTWARE\Microsoft\MemoryDiagnostic\LastScanTime: 0x01DB595F1C57EF9F
HKLM\SOFTWARE\Microsoft\MemoryDiagnostic\LastScanTime: 0x01DB5B02EA2CCA09
HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\LastLogTime: 0x01DB59573D3EA495
HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\LastLogTime: 0x01DB5B028A7B3446
HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\Render: [binary value omitted]
HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journal\Render: [binary value omitted]
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\LastSession: "go+EQwXwOk+jHmdV.0"
HKLM\SOFTWARE\Microsoft\Provisioning\Sessions\LastSession: "loyJxHVRY0myuEU7.0"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepositoryStatus\DeploymentDatabaseStatisticsLastUpdated: 0x01DB59614C88C0E7
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepositoryStatus\DeploymentDatabaseStatisticsLastUpdated: 0x01DB5B02EB00F359
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepositoryStatus\MachineDatabaseStatisticsLastUpdated: 0x01DB595F1CFEB965
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepositoryStatus\MachineDatabaseStatisticsLastUpdated: 0x01DB5B02EAFC1FD0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHigh: 0x01DB5B00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdHigh: 0x01DB5B02
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLow: 0x99BB6834
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\SessionIdLow: 0xEEFD7534
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Fcon\DU: [binary value omitted]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Fcon\DU: [binary value omitted]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Fcon\TimeSinceLastLog: 0x01DB595F1E3BE5B0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Fcon\TimeSinceLastLog: 0x01DB5B02EBC22058
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider\StartTime: 0x01DB5B018F9CB1EE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\VFUProvider\StartTime: 0x01DB5B036086EC5E
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastTaskOperationHandle: 0x0000001E
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\LastTaskOperationHandle: 0x00000055
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC1C75: 65 04 00 00 00 00 00 00 04 00 04 00 01 00 04 00 01 01 00 00 02 12 F8 00 72 ED 81 01 A5 AD CF 00 DB B4 EF 00 95 01 02 00 00 00 01 1D 63 02 01 BF 1E 01 01 CF 2A 01 02 12 F8 00 02 1C 41 01 02 99 66 00 02 BC 94 01 02 E6 38 01 04 93 1A 01 05 A9 46 02 08 8D 42 01 09 05 55 02 09 92 F8 00 09 A3 36 01 09 EF 7D 00 0B CF 4E 02 0C 35 84 00 0C E9 C2 00 0D 37 C6 00 0D 78 79 00 0D A1 81 00 0D BE 82 01 0D D3 F9 00 0D DB 80 01 0E 01 3E 01 0E 96 3D 01 0E BA CD 00 0F 05 DE 00 0F 22 1F 02 10 96 86 00 11 42 C2 00 12 92 40 02 12 E5 F8 00 13 E9 78 00 15 B6 25 01 15 CE EB 00 16 7F 57 02 17 93 38 01 17 E4 4A 02 18 5A 6C 02 18 65 65 01 18 BD 45 02 18 EE 4B 02 19 C0 E2 00 1A 94 49 02 1B 42 78 00 1B 6F 61 02 1B F5 EF 00 1B F6 0B 00 1C 95 5C 00 1C A7 21 01 1D 49 12 01 1D 9D 11 02 1E BD 45 02 1F 4E A8 00 1F DD 4E 02 20 18 F2 00 21 01 3E 01 21 77 7A 00 22 09 39 02 23 16 FF 01 23 83 E7 01 23 CC 4F 01 24 6B 46 01 24 AC C7 00 25 3A D5 00 25 BE 17 01 27 0C 36 02 27 69 12 01 27 DB 21 01 28 84 EB 01 28 A1 1B 01 29 19 41 01 29 20 3B 01 29 CC 10 01 29 CF 50 02 29 E2 4E 02 2A 0E 39 01 2A 68 A9 00 2A B7 22 01 2A B8 5E 01 2A C7 DE 00 2B 24 99 00 2C 3D 81 00 2C D8 42 01 2D D8 F4 00 2E 80 1D 01 2F 34 FB 00 2F 39 D5 00 2F 95 46 01 30 50 25 01 31 17 5D 00 31 20 F9 01 31 48 4F 00 31 58 58 02 32 57 A4 00 32 D1 A7 00 32 D4 5F 01 33 99 A9 00 33 DF 5D 01 34 2E FE 01 36 BF 4A 02 36 E9 D2 00 3A 5D 93 00 3B CE 34 01 3C B3 52 00 3D 7F E6 00 3E 33 83 00 3E A5 FA 00 3E D9 CC 01 40 1A D5 01 40 56 F1 00 40 B0 2A 01 41 A8 76 00 42 1D 0B 01 42 26 4A 00 42 B3 AE 00 43 AB 21 01 45 6D B6 00 46 1D 0B 01 46 48 B6 00 46 79 D1 00 46 C2 21 01 48 C2 4F 00 48 F9 A6 00 49 EA B7 00 4A AA 81 00 4A FF 5F 02 4B F5 4F 02 4C 37 FA 00 4C 41 B4 00 4C A7 70 00 4C B3 41 01 4C C8 4B 01 4C EC 3E 02 4E 12 24 01 4E 9F F0 00 4E E7 C1 00 4F 14 C2 00 4F 34 28 01 50 34 A5 00 50 EA 43 01 52 9F 4A 01 52 A7 AA 00 52 D3 16 00 54 7A 52 00 54 B7 DC 00 55 5F 2A 01 56 0A 85 00 57 AD 12 01 58 0B D0 00 58 20 18 01 59 0F 1C 01 59 1D F9 01 59 53 94 00 59 89 4D 01 5A 5E B5 00 5C 74 65 01 5C F4 31 02 5D 36 53 02 5F 93 55 02 5F E9 2B 02 60 63 5B 02 60 CB 43 02 61 13 24 01 62 5A C6 01 62 91 35 02 63 96 77 00 64 D4 19 01 65 30 54 01 65 A6 9E 00 69 CC 4F 01 6A C9 DA 00 6D 3E 43 01 6E F8 41 01 6F B3 11 01 6F E5 D6 01 70 52 E2 01 71 05 28 01 71 40 A3 00 72 3C 12 00 72 6E 4A 00 72 9B 37 01 72 A2 42 01 72 ED 81 01 75 17 34 01 75 A3 7E 00 75 AB 0A 01 76 BC 21 01 78 2D B0 00 79 9C 39 00 7A E3 93 01 7B 45 D5 00 7B 7E 3E 02 7B 9F EB 00 7B A8 D1 00 7C DB 98 00 7E 10 44 01 7F 88 CA 00 81 06 95 00 81 D2 4D 01 82 27 73 00 82 58 68 01 83 D7 5C 00 83 F1 60 00 84 4D 26 01 84 50 EB 00 84 DF DE 01 84 E6 83 00 85 12 4A 00 85 50 AE 00 86 7B 06 01 87 6A 49 01 87 92 17 01 87 B1 4D 01 87 D7 21 01 87 DE 83 00 87 F0 25 01 89 97 F5 00 8A D3 00 02 8A FA E3 00 8B 4E 1D 01 8B 51 88 00 8B 9D A1 01 8B EE F2 00 8C 63 E9 01 8D 85 07 02 8D 87 98 00 8E 25 60 01 8E 78 A2 00 8E D6 DC 01 8F 08 55 02 8F 30 36 02 90 48 1F 01 90 52 2E 02 90 A6 A1 01 90 D5 D0 00 90 EE 37 01 91 23 D3 00 92 AB 60 02 93 86 61 00 93 CE 8C 01 95 0B FE 00 95 9B 51 00 95 9F 33 01 95 E1 DB 00 96 5D D2 00 97 57 5E 02 97 6A B6 00 97 74 8D 00 97 F6 C4 00 98 72 46 01 99 FE F7 01 9B 2B DB 00 9C 47 41 01 9C 62 3A 01 9C 73 31 02 9C A4 EB 00 9C E0 A8 00 9D 9D 92 00 9E BC E9 01 9F 91 92 01 A0 5B 6A 02 A0 86 61 00 A1 89 C7 00 A1 F7 37 02 A2 05 06 00 A2 2E 1E 01 A2 93 1D 01 A3 E7 15 01 A4 58 02 00 A4 C0 08 02 A5 AD CF 00 A6 44 A6 00 A6 95 1D 01 A6 E9 B3 00 A7 36 A8 00 A7 B8 AD 00 A9 17 06 02 A9 D9 C8 01 AC 54 F9 00 AD 73 BF 00 AD 74 12 02 AD D4 EC 00 B1 CE 98 00 B2 91 DD 00 B2 AA 21 01 B3 92 FB 00 B3 BF 2D 01 B3 F6 23 02 B4 F9 EA 00 B5 5F 44 02 B5 61 0D 01 B7 4B 4C 02 B7 F0 02 02 B8 34 38 01 B8 67 3B 01 B9 1A F3 00 B9 9E C9 01 BA 25 80 01 BA F9 E9 00 BB 8E 8B 00 BC 5F 2A 01 BC 6E B4 00 BC D2 2A 01 BC FA 8D 00 BD 14 4C 02 BD 38 8F 00 BD 53 98 00 BE 0C AC 00 BE 7E 45 01 BF 8E CE 00 C0 07 9A 00 C0 46 AD 00 C0 DB 49 01 C2 0C 5B 02 C2 61 0B 01 C2 D9 12 02 C3 3E A3 00 C3 6D 81 00 C3 99 F3 00 C5 35 C9 00 C6 BE 42 01 C7 5D D7 00 C8 46 4E 00 C9 26 2D 01 C9 38 97 00 C9 53 F1 00 CA 23 B7 00 CA 99 CE 00 CB 74 DA 00 CC 49 56 00 CC EF EF 00 CD AD 05 01 CD BD 8C 00 CE AF 66 02 CF 74 AA 00 D0 17 56 00 D1 9A 7B 00 D1 D2 A7 00 D3 82 61 00 D3 C6 39 02 D3 E8 8D 00 D6 F6 DE 00 D8 D1 1F 01 D9 07 24 01 D9 3D AA 00 D9 C9 4D 02 DA 38 C8 01 DA FF 0E 00 DC 4D 5B 02 DC DD 8D 01 DD 1B 19 01 DF 1F 80 01 DF 4D 1C 02 E0 3E E7 01 E1 7E 8C 00 E2 1B 56 00 E3 81 40 02 E4 2A 5E 00 E4 40 27 01 E4 69 C9 00 E5 4C 27 01 E6 3E 2B 0D E6 6C 81 00 E6 FC 54 02 E7 91 46 02 E7 A4 D9 00 E8 80 3F 02 E8 9E FA 00 E8 E0 95 01 E9 8C 0A 01 EC 8F 49 02 EC B9 22 01 ED 19 69 02 EF 79 8B 00 EF DA 58 02 F0 E0 B6 00 F1 7D 5F 00 F1 FC 60 00 F2 B4 FA 00 F2 B9 46 02 F3 08 DB 00 F3 28 21 01 F4 3D 77 00 F4 CC 3E 01 F5 48 B1 00 F5 50 0D 01 F5 D4 5C 02 F5 FB 75 01 F7 12 5E 00 F7 D3 6F 00 F7 DA AD 01 F7 E8 91 01 F7 ED 6A 00 F7 EE 45 01 F9 77 8C 00 FA 36 53 02 FB 08 06 01 FC 02 30 02 FC 3A 47 01 FD 58 46 02 FD B0 D9 00 FF 34 00 02 FF 5C 5E 01 CA 00 06 00 00 00 00 47 F1 00 01 91 40 01 02 35 4F 01 02 A4 15 01 02 BD 7E 00 04 92 1E 01 05 37 C6 00 05 A4 3C 01 0A 29 D8 00 0B FF 5C 00 0C 4C BC 00 0C 5C 22 01 0C 81 40 01 0D 9A 03 01 0E 4D 7E 00 0F BA 9E 00 11 0F AA 00 11 7C 45 01 13 19 83 00 13 C3 28 01 14 AA FD 00 15 40 28 01 15 9A DB 00 15 BC B7 01 19 C3 98 00 1A 66 11 01 1A FA 99 00 1B 77 98 01 21 6D B6 00 22 D3 89 00 24 6F 16 00 27 9B CE 00 27 A2 A2 00 28 8B B4 00 29 00 D8 00 2C 21 D7 00 2D 58 38 01 2D B1 A3 00 2E 53 4C 01 2E 68 A9 00 32 55 1E 01 32 56 AE 00 34 BB EF 00 36 D8 41 01 37 22 C7 00 37 BF E1 00 37 F8 1D 01 3D 5E 35 01 3F 1C EA 00 42 7F 7A 00 42 93 80 00 42 C4 6A 00 48 C6 F5 00 4B C8 36 01 4B DE 41 01 4F 0B 45 01 50 20 18 01 52 22 13 01 52 54 FE 00 52 8C 49 01 53 D8 8F 00 54 20 2B 01 56 92 3B 01 56 B7 22 01 57 87 49 01 59 E5 D3 00 59 EA 60 01 5C C0 05 01 5D 4F 44 01 5D 82 51 01 5D B3 40 01 5E 42 C4 00 5F 6C 4A 01 5F 6C DC 00 60 AA 56 01 60 B9 41 01 61 FC 39 01 62 29 51 01 62 F5 F8 00 63 3E 99 00 63 63 81 00 64 C9 26 01 65 6D 24 01 67 68 A7 00 6B 01 10 01 6E 7B 8C 00 70 BF 19 01 70 E8 25 01 72 D8 36 01 73 D3 A7 00 76 41 8E 00 78 7F E1 00 79 2D 4F 01 7A 22 26 01 7C 22 B8 00 7C 78 A4 00 82 E6 F4 00 84 68 0B 01 8A D2 D2 00 8C 3B D3 00 8D 05 47 01 8F 06 43 01 8F 3C F3 00 91 50 8A 00 91 67 C8 00 91 96 22 01 92 82 71 00 92 83 51 01 92 C4 14 01 93 05 47 01 93 69 C7 00 94 96 D4 00 96 39 0B 01 99 46 64 01 9A C6 57 01 9B 56 A4 00 9C 40 27 01 9D 9F A0 00 9F 60 C3 00 9F 8F 6E 00 9F C8 CA 00 A0 B5 0A 01 A1 9D 2A 01 A1 D7 B3 00 A2 A6 F8 00 A3 C4 E2 00 A3 F7 6A 00 A4 DB CF 00 A5 04 03 01 A5 22 A4 00 A5 8F 60 00 A6 38 DA 00 A7 C2 33 01 A9 B2 DB 00 AB 12 27 01 AB 78 3D 01 AB 86 30 01 AB D2 61 00 AC 84 0E 01 AF EF C9 00 B0 75 5E 00 B2 09 F5 00 B4 89 22 01 B5 7A 48 01 B6 51 5D 00 B7 E2 BF 00 BA 14 65 00 BA 47 71 02 BA E7 38 02 BD C3 98 00 BE 00 4A 02 BF 41 FD 00 BF F1 A9 00 C2 21 D1 00 C5 C0 05 01 C8 2B FC 00 C9 D7 CA 00 CA 8F 52 00 CC C1 01 01 CC CC 38 01 D0 D3 22 01 D0 FE 62 00 D1 2A 52 01 D1 58 96 00 D3 30 1C 01 D3 83 4B 01 D6 8E FB 00 D6 B7 9A 00 D8 79 3D 01 D8 F0 7C 00 D9 11 44 01 DA 19 D7 00 DA D8 7E 00 DC 1C 62 00 DC DD CF 00 DD EB 26 01 DF A8 C6 01 DF D5 22 01 DF D8 36 01 E0 F5 C8 01 E3 19 2F 01 E6 19 9B 00 E6 B9 2B 01 E7 16 30 01 E7 9B 3B 01 E8 A4 C6 01 E9 8A A7 00 E9 D1 F5 00 F0 0E 4E 01 F0 3A DD 00 F1 9F 43 01 F3 89 40 01 F4 06 28 01 F4 74 5E 00 F4 79 3D 01 F4 AD 7A 00 F4 C8 2F 01 F6 D9 EC 00 F7 D4 5F 01 F8 71 9A 00 FA 67 CB 00 FE 5B FE 00 09 00 40 01 00 00 02 12 F8 00 2D D8 F4 00 4B 11 B4 00 7B A8 D1 00 8A FA E3 00 9F 27 FF 00 A5 AD CF 00 A6 95 1D 01 DB B4 EF 00 04 00 41 01 00 00 18 65 65 01 2A 68 A9 00 2A B7 22 01 CD AD 05 01 03 00 42 01 00 00 27 69 12 01 5F 88 67 01 72 ED 81 01 01 00 43 01 00 00 C0 EC 7C 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC1C75: 7B 04 00 00 00 00 00 00 04 00 04 00 01 00 01 00 01 01 00 00 A5 AD CF 00 17 00 02 00 00 00 02 1C 41 01 1B 42 78 00 22 09 39 02 27 0C 36 02 31 48 4F 00 40 56 F1 00 4E 12 24 01 6E F8 41 01 84 50 EB 00 84 DF DE 01 8D 85 07 02 8E D6 DC 01 8F 08 55 02 8F 30 36 02 9D 9D 92 00 A1 F7 37 02 A9 D9 C8 01 B7 F0 02 02 C3 6D 81 00 C3 99 F3 00 C7 5D D7 00 CD AD 05 01 D9 07 24 01 05 00 06 00 00 00 04 92 1E 01 42 93 80 00 60 AA 56 01 AF EF C9 00 B5 7A 48 01 01 00 40 01 00 00 A5 AD CF 00 01 00 41 01 00 00 CD AD 05 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475: 55 04 00 00 00 00 00 00 04 00 04 00 01 02 06 00 00 00 00 00 12 00 00 00 0D 78 79 00 01 00 00 00 6B 50 7E 00 02 00 00 00 87 DE 83 00 01 00 00 00 90 A6 A1 01 94 00 00 00 A1 9F 5E 00 01 00 00 00 DB B4 EF 00 07 00 01 00 00 00 2E 00 00 00 00 7D 75 00 01 00 00 00 18 65 65 01 02 00 00 00 18 7D C7 00 04 00 00 00 3D D7 34 01 32 01 00 00 56 73 7D 00 05 00 00 00 6B 50 7E 00 05 00 00 00 E6 C5 31 00 01 00 04 00 00 00 40 00 00 00 1A 9C B2 00 02 00 05 00 00 00 01 00 00 00 4F 87 1A 01 02 00 00 00 9F C8 CA 00 02 00 64 00 00 00 07 00 00 00 42 1D 0B 01 0E 00 00 00 46 1D 0B 01 04 00 65 00 00 00 C6 00 00 00 65 A6 9E 00 22 00 00 00 A2 05 06 00 72 5C 01 00 E6 C5 31 00 12 06 00 00 F0 E0 B6 00 01 00 66 00 00 00 44 01 00 00 65 A6 9E 00 01 00 67 00 00 00 22 00 00 00 A2 05 06 00 02 00 68 00 00 00 3E 00 00 00 A2 05 06 00 02 00 00 00 BC 6E B4 00 01 00 69 00 00 00 00 10 00 00 65 A6 9E 00 01 00 6B 00 00 00 08 00 00 00 65 A6 9E 00 01 00 70 00 00 00 12 00 00 00 65 A6 9E 00 01 00 71 00 00 00 03 00 00 00 65 A6 9E 00 01 00 72 00 00 00 71 03 00 00 A2 05 06 00 01 00 73 00 00 00 61 00 00 00 65 A6 9E 00 01 00 76 00 00 00 02 00 00 00 65 A6 9E 00 01 00 77 00 00 00 0E 00 00 00 65 A6 9E 00 01 00 78 00 00 00 D8 00 00 00 65 A6 9E 00 01 00 7D 00 00 00 5E 00 00 00 65 A6 9E 00 01 00 7F 00 00 00 A2 00 00 00 65 A6 9E 00 01 00 81 00 00 00 44 01 00 00 65 A6 9E 00 01 00 97 00 00 00 28 00 00 00 BE B3 EF 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475: 61 04 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC4C75: 15 00 00 00 00 00 00 00 04 00 00 00 01 01 01 00 59 0F 1C 01 01 00 83 00 02 00 07 80 0E 01 24 00 66 00 66 00 7C 97 00 00 00 00 3B 01 24 00 66 00 39 21 0A 00 76 00 00 00 59 00 00 00 73 68 65 6C 6C 5C 72 6F 61 6D 69 6E 67 5C 73 65 74 74 69 6E 67 73 79 6E 63 5C 65 78 70 6C 6F 72 65 72 73 65 74 74 69 6E 67 68 61 6E 64 6C 65 72 2E 63 70 70 00 45 78 70 6C 6F 72 65 72 2E 45 58 45 00 53 65 74 74 69 6E 67 53 79 6E 63 2E 64 6C 6C 00 45 78 70 6C 6F 72 65 72 2E 45 58 45 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC4C75: 16 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{051DF697-AF10-4DB6-9B93-E1A4E35F00F7}\DynamicInfo: 03 00 00 00 A2 A1 81 E5 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 D7 5F 46 13 EB 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{051DF697-AF10-4DB6-9B93-E1A4E35F00F7}\DynamicInfo: 03 00 00 00 A2 A1 81 E5 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 D7 5F 46 13 EB 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{077333D6-06BA-4EA4-BDF4-1CD1439558F2}\DynamicInfo: 03 00 00 00 A2 E1 17 BB 52 33 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 10 FF 25 4A 1E 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{077333D6-06BA-4EA4-BDF4-1CD1439558F2}\DynamicInfo: 03 00 00 00 A2 E1 17 BB 52 33 DB 01 F4 02 09 EA 02 5B DB 01 00 00 00 00 00 00 00 10 B0 4B 0F EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{117E2D01-1275-4560-90E9-A34BB4EE69A3}\DynamicInfo: 03 00 00 00 7E 8B 8D E5 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 45 6B 61 1C 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{117E2D01-1275-4560-90E9-A34BB4EE69A3}\DynamicInfo: 03 00 00 00 7E 8B 8D E5 1B 34 DB 01 B3 60 0B EA 02 5B DB 01 00 00 00 00 00 00 00 00 59 CD 4B EA 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FDAEDB1-C8AA-43FA-B046-3CDDDA12661E}\DynamicInfo: 03 00 00 00 0E FF A2 E5 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 22 04 00 00 8E 02 30 1E 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1FDAEDB1-C8AA-43FA-B046-3CDDDA12661E}\DynamicInfo: 03 00 00 00 0E FF A2 E5 1B 34 DB 01 C8 BE 0D EA 02 5B DB 01 00 00 00 00 22 04 00 00 2D C1 75 EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{20546688-8F7B-4B82-8429-7E7E4F537E96}\DynamicInfo: 03 00 00 00 F6 9D 3B BB 52 33 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 59 B2 04 14 EB 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{20546688-8F7B-4B82-8429-7E7E4F537E96}\DynamicInfo: 03 00 00 00 F6 9D 3B BB 52 33 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 59 B2 04 14 EB 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{29903646-8B95-441C-AE59-CC43C0C76FF5}\DynamicInfo: 03 00 00 00 DE 2C 2D E7 64 2F DB 01 BC 35 53 1C 5F 59 DB 01 00 00 00 00 2B 04 07 80 96 C5 50 4E DD 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{29903646-8B95-441C-AE59-CC43C0C76FF5}\DynamicInfo: 03 00 00 00 DE 2C 2D E7 64 2F DB 01 B4 35 23 EA 02 5B DB 01 00 00 00 00 2B 04 07 80 96 C5 50 4E DD 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EE7F450-D2B6-4D5E-AFE0-A8699149E79E}\DynamicInfo: 03 00 00 00 6A 6A DB 90 89 32 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 C7 53 98 1C 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EE7F450-D2B6-4D5E-AFE0-A8699149E79E}\DynamicInfo: 03 00 00 00 6A 6A DB 90 89 32 DB 01 6D 2B 10 EA 02 5B DB 01 00 00 00 00 00 00 00 00 36 7D F7 EA 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3D363385-64B8-4207-AC46-3EE180DD87F2}\DynamicInfo: 03 00 00 00 1B 71 D7 E5 1B 34 DB 01 02 A1 49 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 65 B9 FE 1C 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3D363385-64B8-4207-AC46-3EE180DD87F2}\DynamicInfo: 03 00 00 00 1B 71 D7 E5 1B 34 DB 01 60 E1 01 EA 02 5B DB 01 00 00 00 00 00 00 00 00 B6 DE 5E EA 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F2E553C-D2A2-4A30-BCD8-B6A255445354}\DynamicInfo: 03 00 00 00 60 E8 10 EB 1B 34 DB 01 D6 0C 12 99 00 5B DB 01 00 00 00 00 00 00 00 00 BC E4 36 4E 61 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F2E553C-D2A2-4A30-BCD8-B6A255445354}\DynamicInfo: 03 00 00 00 60 E8 10 EB 1B 34 DB 01 D6 0C 12 99 00 5B DB 01 00 00 00 00 00 00 00 00 DD 4A 2C A5 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D595DA6-BC59-47AE-A527-EC01FCE2E615}\DynamicInfo: 03 00 00 00 A0 0A E8 E5 1B 34 DB 01 7D A6 AE 1B 5F 59 DB 01 00 00 00 00 00 00 00 00 D7 76 E5 1B 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D595DA6-BC59-47AE-A527-EC01FCE2E615}\DynamicInfo: 03 00 00 00 A0 0A E8 E5 1B 34 DB 01 65 A2 6B E9 02 5B DB 01 00 00 00 00 00 00 00 00 7B 46 E5 E9 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{57C76B66-AD3C-4221-81FA-55045859B06F}\DynamicInfo: 03 00 00 00 55 E7 EC E5 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 B0 E5 3B 1E 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{57C76B66-AD3C-4221-81FA-55045859B06F}\DynamicInfo: 03 00 00 00 55 E7 EC E5 1B 34 DB 01 6D 2B 10 EA 02 5B DB 01 00 00 00 00 00 00 00 00 B0 4B 0F EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58CCC4DA-C86D-4E3D-8FAF-A7B24D8F3950}\DynamicInfo: 03 00 00 00 55 E7 EC E5 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 B5 C6 34 1E 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58CCC4DA-C86D-4E3D-8FAF-A7B24D8F3950}\DynamicInfo: 03 00 00 00 55 E7 EC E5 1B 34 DB 01 7D EF 14 EA 02 5B DB 01 00 00 00 00 00 00 00 00 D3 F4 1F EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C9FA2F0-BF33-4739-8B96-4FA04768C6E6}\DynamicInfo: 03 00 00 00 22 41 EF E5 1B 34 DB 01 BC 35 53 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 B0 E5 3B 1E 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C9FA2F0-BF33-4739-8B96-4FA04768C6E6}\DynamicInfo: 03 00 00 00 22 41 EF E5 1B 34 DB 01 04 E7 20 EA 02 5B DB 01 00 00 00 00 00 00 00 00 DB DE C6 EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{638672E6-20F1-499D-BFCC-9EA7935257C4}\DynamicInfo: 03 00 00 00 4F 59 02 E6 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 6D 36 C0 16 EB 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{638672E6-20F1-499D-BFCC-9EA7935257C4}\DynamicInfo: 03 00 00 00 4F 59 02 E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 6D 36 C0 16 EB 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6440C5E0-A168-4A5F-B84E-F7C8C0A6E933}\DynamicInfo: 03 00 00 00 EE 29 4D E5 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 45 6B 61 1C 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6440C5E0-A168-4A5F-B84E-F7C8C0A6E933}\DynamicInfo: 03 00 00 00 EE 29 4D E5 1B 34 DB 01 F3 CA 19 EA 02 5B DB 01 00 00 00 00 00 00 00 00 31 46 42 EA 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AA2E298-C47C-45AE-BF6F-E2D9A555345C}\DynamicInfo: 03 00 00 00 FD 36 0E E6 1B 34 DB 01 9F EF 57 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 02 CB 04 29 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AA2E298-C47C-45AE-BF6F-E2D9A555345C}\DynamicInfo: 03 00 00 00 FD 36 0E E6 1B 34 DB 01 09 CA 2C EA 02 5B DB 01 00 00 00 00 00 00 00 00 5B 29 E9 F2 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6EE3AFA8-CBB1-4E6E-B0B4-ABFF3127206C}\DynamicInfo: 03 00 00 00 EE 16 26 E6 1B 34 DB 01 02 A1 49 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 0E D7 A4 1E 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6EE3AFA8-CBB1-4E6E-B0B4-ABFF3127206C}\DynamicInfo: 03 00 00 00 EE 16 26 E6 1B 34 DB 01 AF A0 06 EA 02 5B DB 01 00 00 00 00 00 00 00 00 C4 D9 88 EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F063424-E8AD-40FA-92B9-CD047EC2A92A}\DynamicInfo: 03 00 00 00 EE 16 26 E6 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 6C 1E 45 44 EB 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F063424-E8AD-40FA-92B9-CD047EC2A92A}\DynamicInfo: 03 00 00 00 EE 16 26 E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 6C 1E 45 44 EB 3D DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78E96733-DDEF-4FB9-AD45-FC553EFC4CFD}\DynamicInfo: 03 00 00 00 26 DB 2A E6 1B 34 DB 01 7D A6 AE 1B 5F 59 DB 01 00 00 00 00 E0 10 07 80 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78E96733-DDEF-4FB9-AD45-FC553EFC4CFD}\DynamicInfo: 03 00 00 00 26 DB 2A E6 1B 34 DB 01 75 06 6E E9 02 5B DB 01 00 00 00 00 E0 10 07 80 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7A7B60AA-BA42-409F-BC97-7BCFEFAD6308}\DynamicInfo: 03 00 00 00 86 F4 51 E5 1B 34 DB 01 78 4D 4B 99 00 5B DB 01 00 00 00 00 00 00 00 00 3C C8 9E 99 00 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7A7B60AA-BA42-409F-BC97-7BCFEFAD6308}\DynamicInfo: 03 00 00 00 86 F4 51 E5 1B 34 DB 01 72 8A 64 E9 02 5B DB 01 00 00 00 00 00 00 00 00 3F 7A E0 E9 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{80436C26-BC19-4930-9051-F06F0E0BA960}\DynamicInfo: 03 00 00 00 C5 47 54 E5 1B 34 DB 01 5D D3 A9 1B 5F 59 DB 01 00 00 00 00 00 00 00 00 60 62 5B 3B 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{80436C26-BC19-4930-9051-F06F0E0BA960}\DynamicInfo: 03 00 00 00 C5 47 54 E5 1B 34 DB 01 72 8A 64 E9 02 5B DB 01 00 00 00 00 00 00 00 00 82 D5 E9 14 03 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8627F38D-3BB5-45A5-AAE5-B8735A41B62D}\DynamicInfo: 03 00 00 00 9C 10 32 E6 1B 34 DB 01 02 A1 49 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 6C 72 96 1E 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8627F38D-3BB5-45A5-AAE5-B8735A41B62D}\DynamicInfo: 03 00 00 00 9C 10 32 E6 1B 34 DB 01 F4 02 09 EA 02 5B DB 01 00 00 00 00 00 00 00 00 18 A3 11 EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FF5DE67-C947-4488-997B-4184221E7D50}\Hash: B4 84 2A E4 67 93 35 12 40 C1 5E AD 77 5C 09 A6 A9 E0 3E 07 E9 13 85 1F 99 F2 1F 6D 8A 54 A1 F8
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FF5DE67-C947-4488-997B-4184221E7D50}\Hash: B4 BB E9 91 8F 95 E4 76 46 9B D1 CD D7 0F F6 46 8A 87 64 89 31 93 25 DD 72 76 1C 8B D6 FA 41 48
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FF5DE67-C947-4488-997B-4184221E7D50}\Triggers: 17 00 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 00 00 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 FF FF FF FF FF FF FF FF 48 20 42 42 48 48 48 48 FD F3 73 2A 48 48 48 48 18 00 00 00 48 48 48 48 4C 00 6F 00 63 00 61 00 6C 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 00 00 48 48 48 48 00 48 48 48 48 48 48 48 00 48 48 48 48 48 48 48 05 00 00 00 48 48 48 48 0C 00 00 00 48 48 48 48 01 01 00 00 00 00 00 05 12 00 00 00 48 48 48 48 00 00 00 00 48 48 48 48 2C 00 00 00 48 48 48 48 58 02 00 00 10 0E 00 00 80 F4 03 00 FF FF FF FF 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 48 48 48 DD DD 00 00 00 00 00 00 00 07 0C 00 00 00 1D 00 00 17 B2 5D 1F 5A DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 01 8C C2 01 00 00 00 3C 00 00 00 D0 78 00 00 00 00 00 00 48 48 48 48 77 77 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 00 00 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 6F 00 70 00 4F 00 6E 00 49 00 64 00 6C 00 00 00 00 00 48 48 48 48 02 00 00 00 2F 00 53 00 01 48 48 48 48 48 48 48 77 77 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 00 00 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 20 00 20 00 3C 00 2F 00 49 00 64 00 6C 00 00 00 00 00 48 48 48 48 04 00 00 00 0D 00 0A 00 01 48 48 48 48 48 48 48 66 66 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 00 00 00 00 00 00 00 00 00 DF 17 E1 EF 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 72 00 74 00 42 00 6F 00 75 00 6E 00 00 00 00 00 48 48 48 48 75 08 BC A3 38 0C 96 0C 01 00 00 00 00 00 00 00 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FF5DE67-C947-4488-997B-4184221E7D50}\Triggers: 17 00 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 00 00 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 FF FF FF FF FF FF FF FF 48 20 42 42 48 48 48 48 0F 12 8A 65 48 48 48 48 18 00 00 00 48 48 48 48 4C 00 6F 00 63 00 61 00 6C 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 00 00 48 48 48 48 00 48 48 48 48 48 48 48 00 48 48 48 48 48 48 48 05 00 00 00 48 48 48 48 0C 00 00 00 48 48 48 48 01 01 00 00 00 00 00 05 12 00 00 00 48 48 48 48 00 00 00 00 48 48 48 48 2C 00 00 00 48 48 48 48 58 02 00 00 10 0E 00 00 80 F4 03 00 FF FF FF FF 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 48 48 48 DD DD 00 00 00 00 00 00 00 07 0C 00 00 00 1F 00 00 A8 EC 7C C9 5B DB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 01 22 84 01 00 00 00 3C 00 00 00 DE 32 00 00 00 00 00 00 48 48 48 48 77 77 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 00 00 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 74 00 69 00 6F 00 6E 00 50 00 6C 00 61 00 00 00 00 00 48 48 48 48 02 00 00 00 65 00 73 00 01 48 48 48 48 48 48 48 77 77 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 00 00 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 2D 00 39 00 37 00 33 00 33 00 37 00 33 00 00 00 00 00 48 48 48 48 04 00 00 00 36 00 33 00 01 48 48 48 48 48 48 48 66 66 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 00 00 00 00 00 00 00 00 00 DE 17 2F BC 00 00 00 FF FF FF FF FF FF FF FF 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 00 2D 00 32 00 35 00 39 00 32 00 38 00 00 00 00 00 48 48 48 48 75 08 BC A3 38 0C 96 0C 01 00 00 00 00 00 00 00 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{92FFE795-C628-4324-AB97-06F804352DB6}\DynamicInfo: 03 00 00 00 3B D3 36 E6 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 10 D8 A1 1C 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{92FFE795-C628-4324-AB97-06F804352DB6}\DynamicInfo: 03 00 00 00 3B D3 36 E6 1B 34 DB 01 7D EF 14 EA 02 5B DB 01 00 00 00 00 00 00 00 00 78 5A B1 EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2887CBD-E4BF-4986-A4C3-07375F968D9D}\DynamicInfo: 03 00 00 00 A9 57 13 EB 1B 34 DB 01 D6 0C 12 99 00 5B DB 01 00 00 00 00 00 00 00 00 4A B5 41 99 00 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2887CBD-E4BF-4986-A4C3-07375F968D9D}\DynamicInfo: 03 00 00 00 A9 57 13 EB 1B 34 DB 01 4D 25 29 59 03 5B DB 01 00 00 00 00 00 00 00 00 4A B5 41 99 00 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A28E2F31-2C6D-426C-A2AC-2F9F6952D916}\DynamicInfo: 03 00 00 00 92 65 40 E6 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 A5 A2 CD 23 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A28E2F31-2C6D-426C-A2AC-2F9F6952D916}\DynamicInfo: 03 00 00 00 92 65 40 E6 1B 34 DB 01 7B 59 17 EA 02 5B DB 01 00 00 00 00 00 00 00 00 98 12 D6 EA 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2FADBDF-6855-42F7-BDFC-F0C510EDA9BC}\DynamicInfo: 03 00 00 00 92 65 40 E6 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 C9 0B 5F 1C 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2FADBDF-6855-42F7-BDFC-F0C510EDA9BC}\DynamicInfo: 03 00 00 00 92 65 40 E6 1B 34 DB 01 7B 59 17 EA 02 5B DB 01 00 00 00 00 00 00 00 00 0C 0C 3B EA 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1A03158-0E8C-4CA8-8DB7-43E894A037E6}\DynamicInfo: 03 00 00 00 70 E0 61 82 23 39 DB 01 FD FD 4B 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 25 34 F6 3B 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B1A03158-0E8C-4CA8-8DB7-43E894A037E6}\DynamicInfo: 03 00 00 00 70 E0 61 82 23 39 DB 01 F4 02 09 EA 02 5B DB 01 00 00 00 00 00 00 00 00 56 D8 DD EC 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B43CBAFA-D55B-4077-AE2E-800F43C362D7}\DynamicInfo: 03 00 00 00 9A 7A 47 E6 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 C7 04 07 80 D7 C9 63 1C 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B43CBAFA-D55B-4077-AE2E-800F43C362D7}\DynamicInfo: 03 00 00 00 9A 7A 47 E6 1B 34 DB 01 F3 CA 19 EA 02 5B DB 01 00 00 00 00 C7 04 07 80 7C 93 50 EA 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B5108B49-C39A-43DE-AC49-06155873BAE9}\DynamicInfo: 03 00 00 00 9A 7A 47 E6 1B 34 DB 01 E4 FD 24 7B 56 59 DB 01 00 00 00 00 00 00 00 00 E4 FD 24 7B 56 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B5108B49-C39A-43DE-AC49-06155873BAE9}\DynamicInfo: 03 00 00 00 9A 7A 47 E6 1B 34 DB 01 60 E1 01 EA 02 5B DB 01 00 00 00 00 00 00 00 00 10 35 1B EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAF4B9A8-1B02-4B38-B231-7EA97230256B}\DynamicInfo: 03 00 00 00 05 42 4C E6 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 00 00 00 00 FC 56 30 2B 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BAF4B9A8-1B02-4B38-B231-7EA97230256B}\DynamicInfo: 03 00 00 00 05 42 4C E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 00 00 00 00 BA D2 40 11 03 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C483CE25-B1C5-4BEB-AA31-5CADC8C66692}\DynamicInfo: 03 00 00 00 67 C8 55 E6 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 FC 8B 57 42 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C483CE25-B1C5-4BEB-AA31-5CADC8C66692}\DynamicInfo: 03 00 00 00 67 C8 55 E6 1B 34 DB 01 F3 CA 19 EA 02 5B DB 01 00 00 00 00 00 00 00 00 46 EE 7C EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C9EC268B-1D36-4AF0-A1EB-2C1BC3B455D9}\DynamicInfo: 03 00 00 00 76 2E 58 E6 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 10 D8 A1 1C 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C9EC268B-1D36-4AF0-A1EB-2C1BC3B455D9}\DynamicInfo: 03 00 00 00 76 2E 58 E6 1B 34 DB 01 F3 CA 19 EA 02 5B DB 01 00 00 00 00 00 00 00 00 17 CF 37 EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D5A9F0F2-D7CA-4A2B-8871-C67F2CBEADF1}\DynamicInfo: 03 00 00 00 F2 55 5F E6 1B 34 DB 01 34 4A 68 1F 5F 59 DB 01 00 00 00 00 00 00 00 00 58 E8 93 29 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D5A9F0F2-D7CA-4A2B-8871-C67F2CBEADF1}\DynamicInfo: 03 00 00 00 F2 55 5F E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 00 00 00 00 FD 30 43 11 03 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9353C30-D505-4F11-8F95-55F3DDA1E214}\DynamicInfo: 03 00 00 00 F2 55 5F E6 1B 34 DB 01 B8 14 F9 20 5F 59 DB 01 00 00 00 00 2B 04 07 80 DD 3E CD 27 6D 3E DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D9353C30-D505-4F11-8F95-55F3DDA1E214}\DynamicInfo: 03 00 00 00 F2 55 5F E6 1B 34 DB 01 BB 21 AE EC 02 5B DB 01 00 00 00 00 2B 04 07 80 DD 3E CD 27 6D 3E DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E51EADD7-C4F7-43E7-A9CB-FEC8EC1E204F}\DynamicInfo: 03 00 00 00 5B DD 68 E6 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 2B 04 07 80 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E51EADD7-C4F7-43E7-A9CB-FEC8EC1E204F}\DynamicInfo: 03 00 00 00 5B DD 68 E6 1B 34 DB 01 D3 81 1E EA 02 5B DB 01 00 00 00 00 2B 04 07 80 00 00 00 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F472261A-A57A-465B-A695-5F2E75E37782}\DynamicInfo: 03 00 00 00 70 CF 74 E6 1B 34 DB 01 B9 B5 50 1C 5F 59 DB 01 00 00 00 00 00 00 00 00 3A E3 98 1E 5F 59 DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F472261A-A57A-465B-A695-5F2E75E37782}\DynamicInfo: 03 00 00 00 70 CF 74 E6 1B 34 DB 01 04 E7 20 EA 02 5B DB 01 00 00 00 00 00 00 00 00 B1 34 78 EB 02 5B DB 01
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-914199523-3388888877-1504927903-1001\RefCount: 09 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-914199523-3388888877-1504927903-1001\RefCount: 0A 00 00 00
HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727\NGenService\State\LastSuccess: 0x08DD277EAF66ED0B
HKLM\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727\NGenService\State\LastSuccess: 0x08DD29229579DEF3
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\LastStartedAU: 0x67730E86
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\LastStartedAU: 0x67731323
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState\StateValue: 0x00000011
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\CurrentState\StateValue: 0x00000003
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\goopdate_main: 03 00 00 00 00 00 00 00
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\goopdate_main: 04 00 00 00 00 00 00 00
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\goopdate_constructor: 03 00 00 00 00 00 00 00
HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\UsageStats\Daily\Counts\goopdate_constructor: 04 00 00 00 00 00 00 00
HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\SequenceNumber: 0x00000071
HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\SequenceNumber: 0x00000072
HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Windows\System32\rundll32.exe: 88 2F D9 6F 6E 59 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
HKLM\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Windows\System32\rundll32.exe: 92 63 5C EA 02 5B DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Map\S-1-5-19#SmsRouter#SmsDropAcceptImmediate: "{135A9849-00A9-466F-B08A-018EC1088A6F}"
HKLM\SYSTEM\ControlSet001\Services\SmsRouter\State\Registration\Map\S-1-5-19#SmsRouter#SmsDropAcceptImmediate: "{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}"
HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeEstimated: 0x01DB584FD33A36F0
HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeEstimated: 0x01DB58518068AAE0
HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeHigh: 0x01DB5B0BE8DB84F0
HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeHigh: 0x01DB5B0D9609F8E0
HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeLow: 0x01DB56E104E0BFF0
HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\SecureTimeLow: 0x01DB56E2B20F33E0
HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount: 0x000000000040F64F
HKLM\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount: 0x00000000004BF2FE
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\SequenceNumber: 0x00000071
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\SequenceNumber: 0x00000072
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Windows\System32\rundll32.exe: 88 2F D9 6F 6E 59 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Windows\System32\rundll32.exe: 92 63 5C EA 02 5B DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Map\S-1-5-19#SmsRouter#SmsDropAcceptImmediate: "{135A9849-00A9-466F-B08A-018EC1088A6F}"
HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter\State\Registration\Map\S-1-5-19#SmsRouter#SmsDropAcceptImmediate: "{E1F1ECD2-4888-4B16-A0CA-F37CC5FB10D4}"
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated: 0x01DB584FD33A36F0
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimated: 0x01DB58518068AAE0
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh: 0x01DB5B0BE8DB84F0
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHigh: 0x01DB5B0D9609F8E0
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow: 0x01DB56E104E0BFF0
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLow: 0x01DB56E2B20F33E0
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount: 0x000000000040F64F
HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCount: 0x00000000004BF2FE
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct: "0.000000"
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct: "0.013006"
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB: 0x0000000000000AC8
HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB: 0x0000000000000B78
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\ActivityDataModel\ReaderRevisionInfo\A8C38C74-243D-7FA9-5871-37DD1BDCB98D: 31 00 38 32 00 30 00 7B 0A 20 20 20 22 44 61 74 61 62 61 73 65 49 6E 73 74 61 6E 63 65 49 64 22 20 3A 20 35 39 34 34 32 2C 0A 20 20 20 22 53 65 71 75 65 6E 63 65 22 20 3A 20 32 31 34 34 2C 0A 20 20 20 22 61 63 74 69 76 69 74 79 53 74 6F 72 65 49 64 22 20 3A 20 22 41 38 43 33 38 43 37 34 2D 32 34 33 44 2D 37 46 41 39 2D 35 38 37 31 2D 33 37 44 44 31 42 44 43 42 39 38 44 22 2C 0A 20 20 20 22 66 69 6C 74 65 72 22 20 3A 20 7B 0A 20 20 20 20 20 20 22 69 73 52 65 61 64 46 69 6C 74 65 72 22 20 3A 20 30 2C 0A 20 20 20 20 20 20 22 6F 72 69 67 69 6E 46 69 6C 74 65 72 4B 65 79 22 20 3A 20 30 2C 0A 20 20 20 20 20 20 22 73 74 61 74 65 46 69 6C 74 65 72 4B 65 79 22 20 3A 20 30 2C 0A 20 20 20 20 20 20 22 75 73 65 72 41 63 74 69 6F 6E 53 74 61 74 65 46 69 6C 74 65 72 22 20 3A 20 30 0A 20 20 20 7D 0A 7D 0A 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\ActivityDataModel\ReaderRevisionInfo\A8C38C74-243D-7FA9-5871-37DD1BDCB98D: 31 00 38 32 00 30 00 7B 0A 20 20 20 22 44 61 74 61 62 61 73 65 49 6E 73 74 61 6E 63 65 49 64 22 20 3A 20 35 39 34 34 32 2C 0A 20 20 20 22 53 65 71 75 65 6E 63 65 22 20 3A 20 32 31 35 37 2C 0A 20 20 20 22 61 63 74 69 76 69 74 79 53 74 6F 72 65 49 64 22 20 3A 20 22 41 38 43 33 38 43 37 34 2D 32 34 33 44 2D 37 46 41 39 2D 35 38 37 31 2D 33 37 44 44 31 42 44 43 42 39 38 44 22 2C 0A 20 20 20 22 66 69 6C 74 65 72 22 20 3A 20 7B 0A 20 20 20 20 20 20 22 69 73 52 65 61 64 46 69 6C 74 65 72 22 20 3A 20 30 2C 0A 20 20 20 20 20 20 22 6F 72 69 67 69 6E 46 69 6C 74 65 72 4B 65 79 22 20 3A 20 30 2C 0A 20 20 20 20 20 20 22 73 74 61 74 65 46 69 6C 74 65 72 4B 65 79 22 20 3A 20 30 2C 0A 20 20 20 20 20 20 22 75 73 65 72 41 63 74 69 6F 6E 53 74 61 74 65 46 69 6C 74 65 72 22 20 3A 20 30 0A 20 20 20 7D 0A 7D 0A 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$de${99316baa-455a-42b1-813d-e1ff15407f89}$$windows.data.unifiedtile.localstartvolatiletilepropertiesmap\Current\Data: 02 00 00 00 B2 36 DF 6F 6E 59 DB 01 00 00 00 00 43 42 01 00 0D 12 0A 0D 39 50 00 7E 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 2E 00 53 00 45 00 43 00 48 00 45 00 41 00 4C 00 54 00 48 00 55 00 49 00 5F 00 43 00 57 00 35 00 4E 00 31 00 48 00 32 00 54 00 58 00 59 00 45 00 57 00 59 00 21 00 53 00 45 00 43 00 48 00 45 00 41 00 4C 00 54 00 48 00 55 00 49 00 C7 0A F2 98 5E 3B C5 14 01 C6 1E 90 F5 8C E3 AB FA CC ED 01 00 2F 50 00 7E 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 43 00 41 00 4C 00 43 00 55 00 4C 00 41 00 54 00 4F 00 52 00 5F 00 38 00 57 00 45 00 4B 00 59 00 42 00 33 00 44 00 38 00 42 00 42 00 57 00 45 00 21 00 41 0
0 50 00 50 00 C7 0A DE 60 89 3C C6 1E FE C8 B1 FC 8B FA CC ED 01 00 2D 50 00 7E 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 54 00 45 00 52 00 4D 00 49 00 4E 00 41 00 4C 00 5F 00 38 00 57 00 45 00 4B 00 59 00 42 00 33 00 44 00 38 00 42 00 42 00 57 00 45 00 21 00 41 00 50 00 50 00 C7 0A C9 BE 41 3D C5 14 08 C6 1E 80 A5 E4 AD 98 AC D6 ED 01 00 55 50 00 7E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 2E 00 49 00 4D 00 4D 00 45 00 52 00 53 00 49 00 56 00 45 00 43 00 4F 00 4E 00 54 00 52 00 4F 00 4C 00 50 00 41 00 4E 00 45 00 4C 00 5F 00 43 00 57 00 35 00 4E 00 31 00 48 00 32 00 54 00 58 00 59 00 45 00 57 00 59 00 21 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 2E 00 49 00 4D 00 4D 00 45 00 52 00 53 00 49 00 56 00 45 00 43 00 4F 00 4E 00 54 00 52 00 4F 00 4C 00 50 00 41 00 4E 00 45 00 4C 00 C7 0A A2 59 8E 3D C5 14 0D C6 1E C0 99 B0 FA 9E AC D6 ED 01 00 08 57 00 7E 00 43 00
 48 00 52 00 4F 00 4D 00 45 00 C7 0A 88 BC E6 3D C5 14 24 C6 1E F0 EB F8 FE E6 AD D6 ED 01 00 1C 57 00 7E 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 2E 00 45 00 58 00 50 00 4C 00 4F 00 52 00 45 00 52 00 C7 0A 13 5E B7 3D C5 14 04 C6 1E 80 B4 8A D0 DA 8C D6 ED 01 00 08 57 00 7E 00 4D 00 53 00 45 00 44 00 47 00 45 00 C7 0A 2E 89 36 3D C5 14 12 C6 1E B0 8A A8 E1 97 AC D6 ED 01 00 30 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 00 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 43 00 4D 00 44 00 2E 00 45 00 58 00 45 00 C7 0A 69 40 56 3C C5 14 02 C6 1E C0 C8 93 DA 96 AB D6 ED 01 00 34 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 00 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 
00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 4D 00 53 00 50 00 41 00 49 00 4E 00 54 00 2E 00 45 00 58 00 45 00 C7 0A 6C 63 A7 3C C5 14 04 C6 1E 80 EF C4 9A C8 88 CD ED 01 00 34 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 00 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 4E 00 4F 00 54 00 45 00 50 00 41 00 44 00 2E 00 45 00 58 00 45 00 C7 0A 2C 50 45 3D C5 14 1D C6 1E D0 BC D5 BB C6 AB D6 ED 01 00 39 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 00 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 53 00 4E 00 49 00 50 00 50 00 49 00 4E 00 47 00 54 00 4F 00 4F 00 4C 00 2E 00 45 00 58 00 45 00 C7 0A 82 AF A2 3C C6 1E FE C8 B1 FC 8B FA CC ED 01 00 4E 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 0
0 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 50 00 4F 00 57 00 45 00 52 00 53 00 48 00 45 00 4C 00 4C 00 5C 00 56 00 31 00 2E 00 30 00 5C 00 50 00 4F 00 57 00 45 00 52 00 53 00 48 00 45 00 4C 00 4C 00 2E 00 45 00 58 00 45 00 C7 0A 7A 06 FE 3B C5 14 02 C6 1E B0 E9 90 FD B6 FA CC ED 01 00 37 57 00 7E 00 7B 00 36 00 44 00 38 00 30 00 39 00 33 00 37 00 37 00 2D 00 36 00 41 00 46 00 30 00 2D 00 34 00 34 00 34 00 42 00 2D 00 38 00 39 00 35 00 37 00 2D 00 41 00 33 00 37 00 37 00 33 00 46 00 30 00 32 00 32 00 30 00 30 00 45 00 7D 00 5C 00 37 00 2D 00 5A 00 49 00 50 00 5C 00 37 00 5A 00 46 00 4D 00 2E 00 45 00 58 00 45 00 C7 0A D6 EE 5E 3C C5 14 0B C6 1E 80 A2 DA DC D2 AB D6 ED 01 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$de${99316baa-455a-42b1-813d-e1ff15407f89}$$windows.data.unifiedtile.localstartvolatiletilepropertiesmap\Current\Data: 02 00 00 00 47 3D A2 EF 01 5B DB 01 00 00 00 00 43 42 01 00 0D 12 0A 0D 39 50 00 7E 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 2E 00 53 00 45 00 43 00 48 00 45 00 41 00 4C 00 54 00 48 00 55 00 49 00 5F 00 43 00 57 00 35 00 4E 00 31 00 48 00 32 00 54 00 58 00 59 00 45 00 57 00 59 00 21 00 53 00 45 00 43 00 48 00 45 00 41 00 4C 00 54 00 48 00 55 00 49 00 C7 0A 14 EF 60 3B C5 14 01 C6 1E 90 F5 8C E3 AB FA CC ED 01 00 2F 50 00 7E 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 43 00 41 00 4C 00 43 00 55 00 4C 00 41 00 54 00 4F 00 52 00 5F 00 38 00 57 00 45 00 4B 00 59 00 42 00 33 00 44 00 38 00 42 00 42 00 57 00 45 00 21 00 41 0
0 50 00 50 00 C7 0A 3F 29 8E 3C C6 1E FE C8 B1 FC 8B FA CC ED 01 00 2D 50 00 7E 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 54 00 45 00 52 00 4D 00 49 00 4E 00 41 00 4C 00 5F 00 38 00 57 00 45 00 4B 00 59 00 42 00 33 00 44 00 38 00 42 00 42 00 57 00 45 00 21 00 41 00 50 00 50 00 C7 0A 0B 31 3F 3D C5 14 08 C6 1E 80 A5 E4 AD 98 AC D6 ED 01 00 55 50 00 7E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 2E 00 49 00 4D 00 4D 00 45 00 52 00 53 00 49 00 56 00 45 00 43 00 4F 00 4E 00 54 00 52 00 4F 00 4C 00 50 00 41 00 4E 00 45 00 4C 00 5F 00 43 00 57 00 35 00 4E 00 31 00 48 00 32 00 54 00 58 00 59 00 45 00 57 00 59 00 21 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 2E 00 49 00 4D 00 4D 00 45 00 52 00 53 00 49 00 56 00 45 00 43 00 4F 00 4E 00 54 00 52 00 4F 00 4C 00 50 00 41 00 4E 00 45 00 4C 00 C7 0A 3E 90 A9 3D C5 14 0D C6 1E 90 A0 92 85 9C AD D6 ED 01 00 08 57 00 7E 00 43 00
 48 00 52 00 4F 00 4D 00 45 00 C7 0A CB 36 F5 3D C5 14 24 C6 1E F0 EB F8 FE E6 AD D6 ED 01 00 1C 57 00 7E 00 4D 00 49 00 43 00 52 00 4F 00 53 00 4F 00 46 00 54 00 2E 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 2E 00 45 00 58 00 50 00 4C 00 4F 00 52 00 45 00 52 00 C7 0A 60 BD CE 3D C5 14 04 C6 1E 80 B4 8A D0 DA 8C D6 ED 01 00 08 57 00 7E 00 4D 00 53 00 45 00 44 00 47 00 45 00 C7 0A 0D 66 39 3D C5 14 12 C6 1E B0 8A A8 E1 97 AC D6 ED 01 00 30 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 00 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 43 00 4D 00 44 00 2E 00 45 00 58 00 45 00 C7 0A ED B5 51 3C C5 14 02 C6 1E C0 C8 93 DA 96 AB D6 ED 01 00 34 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 00 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 
00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 4D 00 53 00 50 00 41 00 49 00 4E 00 54 00 2E 00 45 00 58 00 45 00 C7 0A DC B3 AF 3C C5 14 04 C6 1E 80 EF C4 9A C8 88 CD ED 01 00 34 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 00 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 4E 00 4F 00 54 00 45 00 50 00 41 00 44 00 2E 00 45 00 58 00 45 00 C7 0A 95 2D 4B 3D C5 14 1D C6 1E D0 BC D5 BB C6 AB D6 ED 01 00 39 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 00 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 53 00 4E 00 49 00 50 00 50 00 49 00 4E 00 47 00 54 00 4F 00 4F 00 4C 00 2E 00 45 00 58 00 45 00 C7 0A 5D C7 A7 3C C6 1E FE C8 B1 FC 8B FA CC ED 01 00 4E 57 00 7E 00 7B 00 31 00 41 00 43 00 31 00 34 0
0 45 00 37 00 37 00 2D 00 30 00 32 00 45 00 37 00 2D 00 34 00 45 00 35 00 44 00 2D 00 42 00 37 00 34 00 34 00 2D 00 32 00 45 00 42 00 31 00 41 00 45 00 35 00 31 00 39 00 38 00 42 00 37 00 7D 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 50 00 4F 00 57 00 45 00 52 00 53 00 48 00 45 00 4C 00 4C 00 5C 00 56 00 31 00 2E 00 30 00 5C 00 50 00 4F 00 57 00 45 00 52 00 53 00 48 00 45 00 4C 00 4C 00 2E 00 45 00 58 00 45 00 C7 0A 88 60 FD 3B C5 14 02 C6 1E B0 E9 90 FD B6 FA CC ED 01 00 37 57 00 7E 00 7B 00 36 00 44 00 38 00 30 00 39 00 33 00 37 00 37 00 2D 00 36 00 41 00 46 00 30 00 2D 00 34 00 34 00 34 00 42 00 2D 00 38 00 39 00 35 00 37 00 2D 00 41 00 33 00 37 00 37 00 33 00 46 00 30 00 32 00 32 00 30 00 30 00 45 00 7D 00 5C 00 37 00 2D 00 5A 00 49 00 50 00 5C 00 37 00 5A 00 46 00 4D 00 2E 00 45 00 58 00 45 00 C7 0A 47 BD 67 3C C5 14 0B C6 1E 80 A2 DA DC D2 AB D6 ED 01 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA: 00 00 00 00 CF 00 00 00 6A 02 00 00 1C 54 3B 01 26 00 00 00 2A 00 00 00 1E D8 08 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 69 00 6D 00 6D 00 65 00 72 00 73 00 69 00 76 00 65 00 63 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 70 00 61 00 6E 00 65 00 6C 00 5F 00 63 00 77 00 35 00 6E 00 31 00 68 00 32 00 74 00 78 00 79 00 65 00 77 00 79 00 21 00 6D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 69 00 6D 00 6D 00 65 00 72 00 73 00 69 00 76 00 65 00 63 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 70 00 61 00 6E 00 65 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 00 00 6F 00 00 00 0B 6F 22 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 45 00 78 00 70 00 6C 00 6F 00 72 00 65
 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1A 00 00 00 34 00 00 00 D8 2B 3D 00 43 00 68 00 72 00 6F 00 6D 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA: 00 00 00 00 D0 00 00 00 70 02 00 00 BE D1 3D 01 26 00 00 00 2A 00 00 00 1E D8 08 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 69 00 6D 00 6D 00 65 00 72 00 73 00 69 00 76 00 65 00 63 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 70 00 61 00 6E 00 65 00 6C 00 5F 00 63 00 77 00 35 00 6E 00 31 00 68 00 32 00 74 00 78 00 79 00 65 00 77 00 79 00 21 00 6D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 69 00 6D 00 6D 00 65 00 72 00 73 00 69 00 76 00 65 00 63 00 6F 00 6E 00 74 00 72 00 6F 00 6C 00 70 00 61 00 6E 00 65 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0A 00 00 00 72 00 00 00 CD 7C 24 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 2E 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 2E 00 45 00 78 00 70 00 6C 00 6F 00 72 00 65
 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1A 00 00 00 34 00 00 00 D8 2B 3D 00 43 00 68 00 72 00 6F 00 6D 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 00 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Rkcybere: 00 00 00 00 0A 00 00 00 6F 00 00 00 0B 6F 22 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 9A 02 AA 65 58 DB 01 00 00 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Rkcybere: 00 00 00 00 0A 00 00 00 72 00 00 00 CD 7C 24 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 9A 02 AA 65 58 DB 01 00 00 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Gbbyf\Ertfubg-k64-Havpbqr\Ertfubg-k64-Havpbqr.rkr: 00 00 00 00 01 00 00 00 03 00 00 00 04 99 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 90 E2 06 F8 00 5B DB 01 00 00 00 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Gbbyf\Ertfubg-k64-Havpbqr\Ertfubg-k64-Havpbqr.rkr: 00 00 00 00 01 00 00 00 05 00 00 00 96 08 01 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 90 E2 06 F8 00 5B DB 01 00 00 00 00
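Most of the modified values above are background Windows churn (TaskCache DynamicInfo, EdgeUpdate, W32Time, DeliveryOptimization, shell bag window positions) that changes between any two Regshot snapshots whether or not a sample runs. Two groups deserve a second look: the BAM (Background Activity Moderator) record for rundll32.exe, whose first eight bytes are the FILETIME of the last execution, and the UserAssist entries, whose value names are ROT13-encoded (HRZR_PGYFRFFVBA is UEME_CTLSESSION, Zvpebfbsg.Jvaqbjf.Rkcybere is Microsoft.Windows.Explorer, and the P:\Gbbyf\... entry is the Regshot binary itself). In the 72-byte Windows 7+ UserAssist record the run count sits at offset 4 and the last-execution FILETIME at offset 60. The script below is an added example, not part of the original post or of Regshot: it splits Regshot "key\value: data" lines, drops keys on a noise list, and decodes the BAM and UserAssist artefacts. The noise list, the marker strings and the sample lines (copied from the diff above) are my own choices; extend the noise list from a clean baseline run of the same VM.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: six lines copied from the Regshot diff above (first-snapshot values).
SAMPLE_LINES = [
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B43CBAFA-D55B-4077-AE2E-800F43C362D7}\DynamicInfo: 03 00 00 00 9A 7A 47 E6 1B 34 DB 01 EA 5B 4E 1C 5F 59 DB 01 00 00 00 00 C7 04 07 80 D7 C9 63 1C 5F 59 DB 01",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\LastStartedAU: 0x67730E86",
    r"HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-914199523-3388888877-1504927903-1001\\Device\HarddiskVolume2\Windows\System32\rundll32.exe: 88 2F D9 6F 6E 59 DB 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00",
    r"HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Gbbyf\Ertfubg-k64-Havpbqr\Ertfubg-k64-Havpbqr.rkr: 00 00 00 00 01 00 00 00 03 00 00 00 04 99 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 90 E2 06 F8 00 5B DB 01 00 00 00 00",
    r'HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\InstalledWin32AppsRevision: "{077403C2-0BB2-4B02-AAFF-D5AFA6D355C9}"',
    r"HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}.check.800\CheckSetting: 23 00 41 00 43 00 42 00 6C 00 6F 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 73 00 00 00 70 00",
]

# Keys that change on every boot or logon whether or not a sample ran (constructed list; assumption).
NOISE_PREFIXES = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\EdgeUpdate\\",
    "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\.NETFramework\\",
)
NOISE_SUBSTRINGS = (
    "\\Services\\W32Time\\SecureTimeLimits\\",
    "\\DeliveryOptimization\\Usage\\",
    "\\Shell\\Bags\\AllFolders\\Shell\\WinPos",
    "\\Search\\InstalledWin32AppsRevision",
    "\\ProfileService\\References\\",
)
BAM_MARKER = "\\Services\\bam\\State\\UserSettings\\"
USERASSIST_MARKER = "\\Explorer\\UserAssist\\{"


def split_line(line):
    """Split a Regshot 'KEY\\ValueName: data' line into (path, data); the first ': ' is the separator."""
    path, sep, data = line.strip().partition(": ")
    if not sep:
        raise ValueError("not a Regshot value line: " + line)
    return path, data


def parse_hex_blob(data):
    """Return bytes when the data field is a space-separated hex dump (REG_BINARY), else None."""
    tokens = data.split()
    if tokens and all(len(t) == 2 and all(c in "0123456789abcdefABCDEF" for c in t) for t in tokens):
        return bytes.fromhex("".join(tokens))
    return None


def filetime_to_datetime(raw8):
    """Little-endian 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    (ticks,) = struct.unpack("<Q", raw8)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def decode_userassist(path):
    """UserAssist value names are ROT13-encoded; return the plain program name or path."""
    return codecs.decode(path.split("\\Count\\", 1)[1], "rot13")


def is_noise(path):
    return (path.startswith(NOISE_PREFIXES)
            or any(s in path for s in NOISE_SUBSTRINGS)
            or path.endswith("\\SequenceNumber"))


def triage(lines):
    """Classify each changed value as noise / bam / userassist / review and decode the timestamps."""
    findings = []
    for line in lines:
        path, data = split_line(line)
        if is_noise(path):
            findings.append({"path": path, "kind": "noise"})
            continue
        blob = parse_hex_blob(data)
        if BAM_MARKER in path and blob is not None and len(blob) >= 8:
            # Value name after the SID is the NT device path of the executable; first 8 bytes = FILETIME.
            exe = path.split("UserSettings\\", 1)[1].split("\\", 1)[1]
            findings.append({"path": path, "kind": "bam", "exe": exe,
                             "last_run": filetime_to_datetime(blob[:8])})
        elif USERASSIST_MARKER in path and blob is not None and len(blob) >= 68:
            findings.append({"path": path, "kind": "userassist",
                             "program": decode_userassist(path),
                             "run_count": struct.unpack_from("<I", blob, 4)[0],
                             "last_run": filetime_to_datetime(blob[60:68])})
        else:
            findings.append({"path": path, "kind": "review", "data": data})
    return findings


def interesting(lines):
    """Everything that survived the noise filter, i.e. what an analyst should actually read."""
    return [f for f in triage(lines) if f["kind"] != "noise"]


if __name__ == "__main__":
    for f in interesting(SAMPLE_LINES):
        print(f["kind"], f.get("exe") or f.get("program") or f["path"], f.get("last_run", ""))
```

Run against the full Regshot export (one line per modified value) instead of SAMPLE_LINES to get the short list that matters. Two caveats: BAM stores only the executable path and the time, not the command line, so the rundll32.exe record cannot by itself distinguish the sample's activity from a scheduled task or a Windows component that also uses rundll32; correlate it with the process-monitor trace before drawing conclusions. And the UserAssist run count for Regshot going from 1 to 5 between the two snapshots just reflects the analyst taking shots, which is exactly the kind of self-inflicted artefact a noise list should eventually absorb.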
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\InstalledWin32AppsRevision: "{077403C2-0BB2-4B02-AAFF-D5AFA6D355C9}"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\InstalledWin32AppsRevision: "{113B7465-8E33-4F33-9ABE-54514340D483}"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex\LatestConstraintIndexFolder: "C:\Users\husky\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{373250f9-43e3-4f1b-9782-fedd9679eb6b}"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex\LatestConstraintIndexFolder: "C:\Users\husky\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{ae70ddfc-a173-4dfc-9ded-a9587dd7a9c9}"
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}.check.800\CheckSetting: 23 00 41 00 43 00 42 00 6C 00 6F 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 73 00 00 00 70 00
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}.check.800\CheckSetting: 23 00 41 00 43 00 42 00 6C 00 6F 00 62 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 05 40 00 80
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).left: 0x000002F0
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).left: 0x00000333
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).top: 0x00000060
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).top: 0x00000073
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).right: 0x0000067E
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).right: 0x000006C1
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).bottom: 0x000002E1
HKU\S-1-5-21-914199523-3388888877-1504927903-1001\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).bottom: 0x000002F4
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).left: 0x000002F0
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).left: 0x00000333
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).top: 0x00000060
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).top: 0x00000073
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).right: 0x0000067E
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).right: 0x000006C1
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).bottom: 0x000002E1
HKU\S-1-5-21-914199523-3388888877-1504927903-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1920x984x96(1).bottom: 0x000002F4

----------------------------------
Total changes: 199
----------------------------------




=======================================
Networking
---------------------------------------
inetsim report:
2024-11-11 15:23:09 DNS connection, type: A, class: IN, requested name: slscr.update.microsoft[.]com
2024-11-11 15:23:09 DNS connection, type: A, class: IN, requested name: ctldl.windowsupdate[.]com
2024-11-11 15:23:09 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?95cb98bf48371ef4, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:23:09 DNS connection, type: A, class: IN, requested name: fe3cr.delivery.mp.microsoft[.]com
2024-11-11 15:23:33 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?02ff515d0ff4a002, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:25:35 DNS connection, type: A, class: IN, requested name: update.googleapis[.]com
2024-11-11 15:26:09 DNS connection, type: A, class: IN, requested name: en.wikipedia[.]org
2024-11-11 15:29:00 DNS connection, type: A, class: IN, requested name: node2.feed43[.]com
2024-11-11 15:29:00 HTTP connection, method: POST, URL: hxxp://node2.feed43.com/2665675887512026[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html --> each second from here
2024-11-11 15:29:00 DNS connection, type: A, class: IN, requested name: raw.githubusercontent[.]com
2024-11-11 15:29:00 HTTP connection, method: POST, URL: hxxp://raw.githubusercontent.com/johnhenery12/testy/master/xml[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html --> each second from here
...
2024-11-11 15:35:17 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?09d5b0702e00c362, file name: /var/lib/inetsim/http/fakefiles/sample.html
..
2024-11-11 15:37:00 DNS connection, type: A, class: IN, requested name: conemu.github[.]io
2024-11-11 15:37:00 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?35f6e629126ba3d4, file name: /var/lib/inetsim/http/fakefiles/sample.html
...

https://www.virustotal.com/gui/domain/ctldl.windowsupdate.com/relations
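As an added example (not code from the original post), a small parser for INetSim report lines like the ones above that flags the per-second POST beaconing to the two feed URLs and leaves the one-off Windows CTL download alone; the sample lines are constructed from the report format and the hit/gap thresholds are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines modelled on the INetSim report above (same URLs, fewer
# lines); one-second timestamps reproduce the "each second" POSTs.
SAMPLE_REPORT = """\
2024-11-11 15:23:09 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?95cb98bf48371ef4, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:23:33 HTTP connection, method: GET, URL: hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl[.]cab?02ff515d0ff4a002, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:29:00 DNS connection, type: A, class: IN, requested name: node2.feed43[.]com
2024-11-11 15:29:00 HTTP connection, method: POST, URL: hxxp://node2.feed43.com/2665675887512026[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:29:01 HTTP connection, method: POST, URL: hxxp://node2.feed43.com/2665675887512026[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:29:02 HTTP connection, method: POST, URL: hxxp://node2.feed43.com/2665675887512026[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:29:00 DNS connection, type: A, class: IN, requested name: raw.githubusercontent[.]com
2024-11-11 15:29:00 HTTP connection, method: POST, URL: hxxp://raw.githubusercontent.com/johnhenery12/testy/master/xml[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:29:01 HTTP connection, method: POST, URL: hxxp://raw.githubusercontent.com/johnhenery12/testy/master/xml[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html
2024-11-11 15:29:02 HTTP connection, method: POST, URL: hxxp://raw.githubusercontent.com/johnhenery12/testy/master/xml[.]xml, file name: /var/lib/inetsim/http/fakefiles/sample.html
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (DNS|HTTP) connection, (.*)$")
HTTP_RE = re.compile(r"method: ([A-Z]+), URL: (\S+),")
DNS_RE = re.compile(r"requested name: (\S+)")

def parse_inetsim(report):
    """Return (dns_names, http_requests); each request is (datetime, method, url)."""
    dns, http = [], []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        sub = (DNS_RE if m.group(2) == "DNS" else HTTP_RE).search(m.group(3))
        if not sub:
            continue
        if m.group(2) == "DNS":
            dns.append(sub.group(1))
        else:
            http.append((ts, sub.group(1), sub.group(2)))
    return dns, http

def find_beacons(http, min_hits=3, max_gap=5.0):
    """Flag (method, url-without-query) pairs requested at least min_hits times
    with no gap longer than max_gap seconds. The query string is dropped so the
    cache-busting parameter on the windowsupdate GETs does not split a group."""
    hits = defaultdict(list)
    for ts, method, url in http:
        hits[(method, url.split("?", 1)[0])].append(ts)
    beacons = {}
    for key, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and gaps and max(gaps) <= max_gap:
            beacons[key] = {"hits": len(times), "max_gap": max(gaps)}
    return beacons
```

Calling `find_beacons(parse_inetsim(SAMPLE_REPORT)[1])` returns only the two POST targets; the windowsupdate GET (two hits, 24 s apart) is normal OS background traffic and is not flagged at the default thresholds.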


=======================================
Detection rule
---------------------------------------
I scanned the malware with Loki and created this detection rule with yarGen:
python3 yarGen.py -m C:\Users\husky\Desktop\sample\ --excludegood -o C:\Users\husky\Desktop\sample\ad_final.yar
/*
   YARA Rule Set
   Author: yarGen Rule Generator
   Date: 2024-12-28
   Identifier: cc
   Reference: https://github.com/Neo23x0/yarGen
*/

/* Rule Set ----------------------------------------------------------------- */

rule cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57 {
   meta:
      description = "detection for dwm johnhenery12 malware"
      author = "AD added - yarGen Rule Generator"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2024-12-28"
      hash1 = "cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57"
   strings:
      $s1 = "escanmon.exe" fullword ascii
      $s2 = "escanpro.exe" fullword ascii
      $s3 = "AkSA.exe" fullword ascii
      $s4 = "Tray.exe" fullword ascii
      $s5 = "apvui.exe" fullword ascii
      $s6 = "onlinent.exe" fullword ascii
      $s7 = "Prd.EventViewer.exe" fullword ascii
      $s8 = "zatray.exe" fullword ascii
      $s9 = "uiSeAgnt.exe" fullword ascii
      $s10 = "egui.exe" fullword ascii
      $s11 = "PSUAMain.exe" fullword ascii
      $s12 = "norton" fullword ascii /* reversed goodware string 'notron' */
      $s13 = "bitdefender_isecurity.exe" fullword ascii
      $s14 = "nis.exe" fullword ascii
      $s15 = "ns.exe" fullword ascii
      $s16 = "\\MsUpdte.exe" fullword ascii
      $s17 = "  VirtualQuery failed for %d bytes at address %p" fullword ascii
      $s18 = "bdagent" fullword ascii
      $s19 = "ouemm/emm!!!!!!!!!!!!!" fullword ascii
      $s20 = "vakn.jUt p" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 700KB and
      8 of them
}


=======================================
* Analysis notes
---------------------------------------
The malware walks a process snapshot and compares every process name against this list of security-product processes (see FUN_00402820 below):
ekrn.exe
egui.exe
avg
AVGUI
bdagent
gziface
bitdefender_isecurity.exe
uiSeAgnt.exe
ccSvcHst.exe
norton
AvkTray
apvui.exe
avp
AvastUI
onlinent.exe
PSUAMain.exe
escanmon.exe
escanpro.exe
Tray.exe
Prd.EventViewer.exe
zatray.exe
AkSA.exe
Decompile: FUN_00402820
/* WARNING: Globals starting with '_' overlap smaller symbols at the same address */

int FUN_00402820(void)

{
  HMODULE pHVar1;
  HANDLE hObject;
  char *pcVar2;
  int iVar3;
  undefined4 *puVar4;
  undefined4 local_20c;
  undefined local_208;
  undefined local_207;
  undefined local_206;
  undefined local_205;
  undefined local_204;
  undefined local_203;
  undefined local_202;
  undefined local_201;
  undefined4 local_1a8;
  undefined local_1a4;
  undefined local_1a3;
  undefined local_1a2;
  undefined local_1a1;
  undefined local_1a0;
  undefined local_19f;
  undefined local_19e;
  undefined local_19d;
  undefined local_19c;
  undefined local_19b;
  undefined local_19a;
  undefined local_199;
  undefined local_198;
  undefined local_197;
  undefined local_196;
  undefined local_195;
  undefined local_194;
  undefined local_193;
  undefined local_192;
  undefined local_191;
  undefined local_190;
  undefined4 local_144 [9];
  CHAR local_120 [272];
  
  puVar4 = &local_20c;
  for (iVar3 = 0x19; iVar3 != 0; iVar3 = iVar3 + -1) {
    *puVar4 = 0;
    puVar4 = puVar4 + 1;
  }
  /* stack string "kernel32.dll": 'k','e','r','n' here, "el32.dll" in local_208..local_201 below */
  local_20c._0_1_ = 'k';
  local_20c._1_1_ = 0x65;
  local_20c._2_1_ = 0x72;
  local_20c._3_1_ = 0x6e;
  puVar4 = &local_1a8;
  for (iVar3 = 0x19; iVar3 != 0; iVar3 = iVar3 + -1) {
    *puVar4 = 0;
    puVar4 = puVar4 + 1;
  }
  local_208 = 0x65;
  local_207 = 0x6c;
  local_206 = 0x33;
  local_205 = 0x32;
  local_204 = 0x2e;
  local_203 = 100;
  local_202 = 0x6c;
  local_201 = 0x6c;
  pHVar1 = GetModuleHandleA((LPCSTR)&local_20c);   /* GetModuleHandleA("kernel32.dll") */
  /* stack string "LoadLibraryA" */
  local_1a8._0_1_ = 'L';
  local_1a8._1_1_ = 0x6f;
  local_1a8._2_1_ = 0x61;
  local_1a8._3_1_ = 100;
  local_1a4 = 0x4c;
  local_1a3 = 0x69;
  local_1a2 = 0x62;
  local_1a1 = 0x72;
  local_1a0 = 0x61;
  local_19f = 0x72;
  local_19e = 0x79;
  local_19d = 0x41;
  local_19c = 0;
  /* FUN_00401760(module, name) resolves an export by name, i.e. it stands in for GetProcAddress */
  DAT_0041104c = (code *)FUN_00401760((int)pHVar1,(LPCSTR)&local_1a8);
  iVar3 = (*DAT_0041104c)(&local_20c);   /* LoadLibraryA("kernel32.dll") */
  /* stack string "CreateToolhelp32Snapshot" */
  local_1a8._0_1_ = 'C';
  local_1a8._1_1_ = 0x72;
  local_1a8._2_1_ = 0x65;
  local_1a8._3_1_ = 0x61;
  local_1a4 = 0x74;
  local_1a3 = 0x65;
  local_1a2 = 0x54;
  local_1a1 = 0x6f;
  local_1a0 = 0x6f;
  local_19f = 0x6c;
  local_19e = 0x68;
  local_19d = 0x65;
  local_19c = 0x6c;
  local_19b = 0x70;
  local_19a = 0x33;
  local_199 = 0x32;
  local_198 = 0x53;
  local_197 = 0x6e;
  local_196 = 0x61;
  local_195 = 0x70;
  local_194 = 0x73;
  local_193 = 0x68;
  local_192 = 0x6f;
  local_191 = 0x74;
  local_190 = 0;
  _DAT_00411048 = (code *)FUN_00401760(iVar3,(LPCSTR)&local_1a8);
  hObject = (HANDLE)(*_DAT_00411048)(2,0);   /* CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) */
  if (hObject == (HANDLE)0xffffffff) {   /* INVALID_HANDLE_VALUE */
    return 0;
  }
  local_144[0] = 0x128;   /* PROCESSENTRY32.dwSize = sizeof(PROCESSENTRY32) = 296 */
  iVar3 = Process32First(hObject,local_144);   /* each match below returns a code for the product found */
  if (iVar3 != 0) {
    do {
      iVar3 = lstrcmpA(local_120,"ekrn.exe");   /* local_120 is PROCESSENTRY32.szExeFile */
      if ((iVar3 == 0) || (iVar3 = lstrcmpA(local_120,"egui.exe"), iVar3 == 0)) {
        CloseHandle(hObject);
        return 1;
      }
      pcVar2 = strstr(local_120,"avg");
      if ((pcVar2 != (char *)0x0) || (pcVar2 = strstr(local_120,"AVGUI"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 2;
      }
      pcVar2 = strstr(local_120,"bdagent");
      if (((pcVar2 != (char *)0x0) || (pcVar2 = strstr(local_120,"gziface"), pcVar2 != (char *)0x0))
         || (pcVar2 = strstr(local_120,"bitdefender_isecurity.exe"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 3;
      }
      pcVar2 = strstr(local_120,"uiSeAgnt.exe");
      if (pcVar2 != (char *)0x0) {
        CloseHandle(hObject);
        return 4;
      }
      pcVar2 = strstr(local_120,"ccSvcHst.exe");
      if (((pcVar2 != (char *)0x0) || (pcVar2 = strstr(local_120,"norton"), pcVar2 != (char *)0x0))
         || ((pcVar2 = strstr(local_120,"nis.exe"), pcVar2 != (char *)0x0 ||
             (pcVar2 = strstr(local_120,"ns.exe"), pcVar2 != (char *)0x0)))) {
        CloseHandle(hObject);
        return 5;
      }
      pcVar2 = strstr(local_120,"AvkTray");
      if ((pcVar2 != (char *)0x0) || (pcVar2 = strstr(local_120,"AVKTray"), pcVar2 != (char *)0x0))
      {
        CloseHandle(hObject);
        return 6;
      }
      pcVar2 = strstr(local_120,"apvui.exe");
      if ((pcVar2 != (char *)0x0) || (pcVar2 = strstr(local_120,"avp"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 7;
      }
      pcVar2 = strstr(local_120,"AvastUI");
      if (pcVar2 != (char *)0x0) {
        CloseHandle(hObject);
        return 8;
      }
      pcVar2 = strstr(local_120,"onlinent.exe");
      if (pcVar2 != (char *)0x0) {
        CloseHandle(hObject);
        return 10;
      }
      pcVar2 = strstr(local_120,"PSUAMain.exe");
      if (pcVar2 != (char *)0x0) {
        CloseHandle(hObject);
        return 9;
      }
      pcVar2 = strstr(local_120,"escanmon.exe");
      if ((pcVar2 != (char *)0x0) ||
         (pcVar2 = strstr(local_120,"escanpro.exe"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 0xb;
      }
      pcVar2 = strstr(local_120,"Tray.exe");
      if ((pcVar2 != (char *)0x0) ||
         (pcVar2 = strstr(local_120,"Prd.EventViewer.exe"), pcVar2 != (char *)0x0)) {
        CloseHandle(hObject);
        return 0xd;
      }
      pcVar2 = strstr(local_120,"zatray.exe");
      if ((pcVar2 != (char *)0x0) || (pcVar2 = strstr(local_120,"AkSA.exe"), pcVar2 != (char *)0x0))
      {
        CloseHandle(hObject);
        return 0xc;
      }
      iVar3 = Process32Next(hObject,local_144);
    } while (iVar3 != 0);
    iVar3 = 0;
  }
  CloseHandle(hObject);
  return iVar3;
}

Capa detected XOR-encoded data; I found the XOR keys with Ghidra: 0x03, 0x0A
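The CyberChef XOR brute-force step in code, as an added example that is not part of the original post: every single-byte key is tried and ranked by printable ratio, and a known-plaintext crib picks out the 0x03 and 0x0A keys from constructed test data (the placeholder plaintext and the crib list are my assumptions, not the sample's real config).

```python
import string

# Bytes an analyst expects in decoded config strings: printable ASCII plus
# tab/newline, without the vertical-tab and form-feed that string.printable adds.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}

def xor_bytes(data, key):
    """Single-byte XOR; it is its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def printable_ratio(data):
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def xor_bruteforce(blob, top=5):
    """CyberChef-style brute force: try every non-zero key and rank by printable ratio."""
    ranked = sorted(((printable_ratio(xor_bytes(blob, k)), k) for k in range(1, 256)),
                    reverse=True)
    return [k for _, k in ranked[:top]]

def recover_xor_key(blob, cribs=(b"http", b"://")):
    """Return the best-ranked key whose output contains a known plaintext fragment.
    Printable ratio alone cannot separate small keys such as 0x03 from the true
    key, because XOR with a small constant maps ASCII letters onto other letters;
    a crib such as "http" (this sample's config holds URLs) settles it."""
    for key in xor_bruteforce(blob, top=255):
        if any(c in xor_bytes(blob, key) for c in cribs):
            return key
    return None

# Constructed test data: a placeholder config string (not the sample's real
# config) encoded with the two keys the analysis reports, 0x03 and 0x0A.
PLAINTEXT = b"http://feed.example.invalid/2665675887512026.xml\x00dwm.exe\x00"
ENCODED_03 = xor_bytes(PLAINTEXT, 0x03)
ENCODED_0A = xor_bytes(PLAINTEXT, 0x0A)

if __name__ == "__main__":
    for blob in (ENCODED_03, ENCODED_0A):
        key = recover_xor_key(blob)
        print(f"key {key:#04x}: {xor_bytes(blob, key)!r}")
```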


=======================================
Online research
---------------------------------------
- Sandboxes:
https://bazaar.abuse.ch/sample/cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57/

https://app.any.run/tasks/0c22d364-518a-46bd-a82b-8c454c459cb3?p=67714d1b7bc927e79eaaff39
https://tria.ge/200829-srk9q9pera
https://www.virustotal.com/gui/file/cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57/details
https://www.hybrid-analysis.com/sample/cc8867a5fd62b82e817afc405807f88716960af5744040999b619b126a9ecf57/677187644771dbe8bd0f38d0

https://www.useragents.me/
https://useragentstring.com/index.php


- Relevant Info to review:
https://bazaar.abuse.ch/browse/tag/BozokRAT/
https://x.com/arkbird_solg/status/1299450788163575808 "#APT #Patchwork Edited BozokRAT with the same Xor keys (0x3, 0xA) that the last BozokRAT sample ... "
https://otx.alienvault.com/pulse/60f02c152b68bec1ace00c85 "#Patchwork #APT maldoc is dropping #BozokRAT ... "
https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok
https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews
https://attack.mitre.org/software/S0128/ "BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control ... "

https://openhunting.io/threat-library-detail?data=bozok
https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Patchwork%2C%20Dropping%20Elephant
https://www.virusbulletin.com/conference/vb2023/abstracts/dropping-elephant-never-dropped/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf#page=121 "Kaspersky Crimeware Reports Common TTPs of the modern ransomware groups"

https://unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/


=======================================
Learning Resources
---------------------------------------
  1. TCM Security [referral link]: Practical Malware Analysis & Triage (PMAT) course (Practical Malware Research Professional (PMRP) exam)
  2. Infosec Skills: Reverse Engineering path, Hands-on Ransomware Mitigation path
  3. TryHackMe: Malware Analysis module, Yara room
  4. HackTheBox Academy [referral link]: Introduction to Malware Analysis, YARA & Sigma for SOC Analysts
  5. Rangeforce Community Theme: Reverse Engineering
  6. Practical Malware Analysis ebook + Jai Minton Practical Malware Analysis - Lab Write-up
  7. SANS Digital Forensics and Incident Response
* to be continued