[files] Total=2 [cmd] numSections=17 1=FILE_BASED VERB_FILE_COPY OBJ_FILE 1 Total=20 2=FILE_BASED VERB_FILE_COPY OBJ_FILE 2 3=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 3 4=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 4 5=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 5 6=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 6 7=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 7 8=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 8 9=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 9 10=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 10 11=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 11 12=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 12 13=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 13 14=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 14 15=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 15 16=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 16 17=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 17 18=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 3 19=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 4 20=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 14 [1] name=srvinitconfig.exe.bak orig=%SystemRoot%\system32\srvinitconfig.exe DateA=2021/04/19 09:17:55 SD=O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;BA)(A;;0x1200a9;;;SY)(A;;0x1200a9;;;BU)(A;;0x1200a9;;;AC)(A;;0x1200a9;;;S-1-15-2-2)S:AI(AU;SAFA;DCLCRPCRSDWDWO;;;WD) attrib=32 DateC=2021/04/19 09:17:55 DateM=2021/04/19 09:17:55 hash=DA84962C [2] name=Server Initial Configuration Task.bak orig=%SystemRoot%\System32\Tasks\Microsoft\Windows\Server Initial Configuration Task DateA=2021/03/31 11:34:18 SD=O:BAG:S-1-5-21-2743313341-953768110-731478292-513D:(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA) attrib=32 DateC=2021/03/31 11:08:37 DateM=2021/03/31 11:34:18 hash=BAF1F305 [reg] Total=15 [3] hive=HKLM type=REG_SZ redir=0 empty=-1 DateM=2018/09/15 02:08:07 SD=O:BAG:S-1-5-21-2743313341-953768110-731478292-513D:AI(A;OICIID;CCSWRPSDRC;;;BA)(A;OICIID;KA;;;SY) key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param= data= dataDecoded= hash=00000000 [4] hive=HKLM type=REG_SZ redir=0 empty=-1 DateM=2021/03/31 11:34:18 SD=O:BAG:S-1-5-21-2743313341-953768110-731478292-513D:AI(A;OICIID;CCSWRPSDRC;;;BA)(A;OICIID;KA;;;SY) key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param= data= dataDecoded= hash=00000000 [5] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param=Path data=\u005C\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0053\u0065\u0072\u0076\u0065\u0072\u0020\u0049\u006E\u0069\u0074\u0069\u0061\u006C\u0020\u0043\u006F\u006E\u0066\u0069\u0067\u0075\u0072\u0061\u0074\u0069\u006F\u006E\u0020\u0054\u0061\u0073\u006B dataDecoded=\Microsoft\Windows\Server Initial Configuration Task hash=582E0218 [6] hive=HKLM type=REG_BINARY redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param=Hash data=575E881CE511CF42741088201C060C33519EEB15845CAF333FD687B99EF758E4 dataDecoded=575E881CE511CF42741088201C060C33519EEB15845CAF333FD687B99EF758E4 hash=DBFF1289 [7] hive=HKLM type=REG_DWORD redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param=Schema data=65540 dataDecoded=65540 hash=90E55688 [8] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param=Author data=\u0024\u0028\u0040\u0025\u0073\u0079\u0073\u0074\u0065\u006D\u0072\u006F\u006F\u0074\u0025\u005C\u0073\u0079\u0073\u0074\u0065\u006D\u0033\u0032\u005C\u0053\u0072\u0076\u0049\u006E\u0069\u0074\u0043\u006F\u006E\u0066\u0069\u0067\u002E\u0065\u0078\u0065\u002C\u002D\u0031\u0030\u0030\u0029 dataDecoded=$(@%systemroot%\system32\SrvInitConfig.exe,-100) hash=B18E15F8 [9] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param=Description data=\u0024\u0028\u0040\u0025\u0073\u0079\u0073\u0074\u0065\u006D\u0072\u006F\u006F\u0074\u0025\u005C\u0073\u0079\u0073\u0074\u0065\u006D\u0033\u0032\u005C\u0053\u0072\u0076\u0049\u006E\u0069\u0074\u0043\u006F\u006E\u0066\u0069\u0067\u002E\u0065\u0078\u0065\u002C\u002D\u0031\u0030\u0031\u0029 dataDecoded=$(@%systemroot%\system32\SrvInitConfig.exe,-101) hash=17F91E4C [10] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param=URI data=\u005C\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0053\u0065\u0072\u0076\u0065\u0072\u0020\u0049\u006E\u0069\u0074\u0069\u0061\u006C\u0020\u0043\u006F\u006E\u0066\u0069\u0067\u0075\u0072\u0061\u0074\u0069\u006F\u006E\u0020\u0054\u0061\u0073\u006B dataDecoded=\Microsoft\Windows\Server Initial Configuration Task hash=582E0218 [11] hive=HKLM type=REG_BINARY redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param=Triggers data=170000000000000000355847FB7F0000000000000000000000355847FB7F0000FFFFFFFFFFFFFFFF38210243484848484E95BE9F4848484818000000484848484C006F00630061006C00530079007300740065006D00000000000000484848480048484848484848004848484848484805000000484848480C000000484848480101000000000005120000004848484800000000484848482C0000004848484800000000FFFFFFFF80F40300FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848FFFF00000000000000355847FB7F0000000000000000000000355847FB7F0000FFFFFFFFFFFFFFFF00000000FFFFFFFF000000000000000000000000007F0000010076006500640044006100740061000000000048484848 dataDecoded=170000000000000000355847FB7F0000000000000000000000355847FB7F0000FFFFFFFFFFFFFFFF38210243484848484E95BE9F4848484818000000484848484C006F00630061006C00530079007300740065006D00000000000000484848480048484848484848004848484848484805000000484848480C000000484848480101000000000005120000004848484800000000484848482C0000004848484800000000FFFFFFFF80F40300FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848FFFF00000000000000355847FB7F0000000000000000000000355847FB7F0000FFFFFFFFFFFFFFFF00000000FFFFFFFF000000000000000000000000007F0000010076006500640044006100740061000000000048484848 hash=BD84E33C [12] hive=HKLM type=REG_BINARY redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param=Actions data=0300160000004C006F00630061006C00530079007300740065006D00666600000000460000002500770069006E0064006900720025005C00730079007300740065006D00330032005C0073007200760069006E006900740063006F006E006600690067002E00650078006500240000002F00640069007300610062006C00650063006F006E006600690067007400610073006B00000000000000 dataDecoded=0300160000004C006F00630061006C00530079007300740065006D00666600000000460000002500770069006E0064006900720025005C00730079007300740065006D00330032005C0073007200760069006E006900740063006F006E006600690067002E00650078006500240000002F00640069007300610062006C00650063006F006E006600690067007400610073006B00000000000000 hash=2E4B489C [13] hive=HKLM type=REG_BINARY redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{802FFB97-5867-422A-9F85-7D0DB542EA7B} param=DynamicInfo data=03000000DE2D4ADF5826D701C95A0C6A5C26D7010000000000000000E14E00765C26D701 dataDecoded=03000000DE2D4ADF5826D701C95A0C6A5C26D7010000000000000000E14E00765C26D701 hash=1254D52D [14] hive=HKLM type=REG_SZ redir=0 empty=-1 DateM=2018/09/15 02:08:07 SD=O:BAG:S-1-5-21-2743313341-953768110-731478292-513D:AI(A;OICIID;CCSWRPSDRC;;;BA)(A;OICIID;KA;;;SY) key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Server Initial Configuration Task param= data= dataDecoded= hash=00000000 [15] hive=HKLM type=REG_BINARY redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Server Initial Configuration Task param=SD data=0100048C9C000000AC00000000000000140000000200880006000000001018009F011F0001020000000000052000000020020000001014009F011F00010100000000000512000000001014008900120001010000000000050B0000000010140089001200010100000000000513000000001014008900120001010000000000051400000000101800FF011F000102000000000005200000002002000001020000000000052000000020020000010500000000000515000000BDA383A3AE58D9381479992B01020000 dataDecoded=0100048C9C000000AC00000000000000140000000200880006000000001018009F011F0001020000000000052000000020020000001014009F011F00010100000000000512000000001014008900120001010000000000050B0000000010140089001200010100000000000513000000001014008900120001010000000000051400000000101800FF011F000102000000000005200000002002000001020000000000052000000020020000010500000000000515000000BDA383A3AE58D9381479992B01020000 hash=1187510D [16] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Server Initial Configuration Task param=Id data=\u007B\u0038\u0030\u0032\u0046\u0046\u0042\u0039\u0037\u002D\u0035\u0038\u0036\u0037\u002D\u0034\u0032\u0032\u0041\u002D\u0039\u0046\u0038\u0035\u002D\u0037\u0044\u0030\u0044\u0042\u0035\u0034\u0032\u0045\u0041\u0037\u0042\u007D dataDecoded={802FFB97-5867-422A-9F85-7D0DB542EA7B} hash=040D97D5 [17] hive=HKLM type=REG_DWORD redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Server Initial Configuration Task param=Index data=1 dataDecoded=1 hash=83DCEFB7