; Backup/restore manifest: 2 backed-up files ([files]) and 14 registry items ([reg]) that
; together describe the scheduled task "\Microsoft\Office\Office Performance Monitor" and
; the executable it launches. [cmd] lists the 19 restore operations.
; NOTE(review): the tool that wrote this file is not named here. These ';' lines and the
; one-key-per-line layout are reviewer annotations; confirm the tool's parser accepts them,
; or strip them, before feeding the file back for a restore.
; NOTE(review): every hash= field is 8 hex digits (32 bits) and is 00000000 on the entries
; whose data is empty. That is too short for a cryptographic integrity check; presumably it
; is a checksum of the entry's data. Do not treat it as proof that a .bak file is untampered.

; Number of file sections below ([1] and [2]).
[files]
Total=2

; One restore operation per numbered key. The trailing number of each value matches a
; numbered section below; operations 17-19 point at sections 3, 4 and 13, which are the
; key-level records (empty=-1) that carry a key timestamp and security descriptor.
[cmd]
numSections=16
1=FILE_BASED VERB_FILE_COPY OBJ_FILE 1
Total=19
2=FILE_BASED VERB_FILE_COPY OBJ_FILE 2
3=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 3
4=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 4
5=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 5
6=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 6
7=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 7
8=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 8
9=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 9
10=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 10
11=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 11
12=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 12
13=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 13
14=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 14
15=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 15
16=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 16
17=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 3
18=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 4
19=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 13

; Backup copy (name=) of the executable the task runs; orig= is its original location,
; presumably the target of the VERB_FILE_COPY restore.
; SD is SDDL: full access (FA) only for SYSTEM (SY) and Administrators (BA); Users (BU) and
; the app-package SIDs (AC, S-1-15-2-2) get 0x1200a9, i.e. read and execute. Every ACE is
; inherited (ID).
; attrib=32 is 0x20, FILE_ATTRIBUTE_ARCHIVE if this is the Win32 attribute mask - TODO confirm.
; NOTE(review): a file name and path do not establish that the binary is genuine. Verify the
; Authenticode signature of the .bak, or compare a cryptographic hash with a known-good
; Office build, before restoring it.
[1]
name=operfmon.exe.bak
orig=%ProgramFiles%\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe
DateA=2024/06/02 10:29:35
SD=O:BAG:SYD:AI(A;ID;0x1200a9;;;AC)(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;S-1-15-2-2)
attrib=32
DateC=2024/06/02 10:29:35
DateM=2024/06/02 10:29:35
hash=179E58EB

; Backup copy of the task definition file under %SystemRoot%\System32\Tasks.
; SD: Authenticated Users (AU), LOCAL SERVICE (LS) and NETWORK SERVICE (NS) are read-only
; (FR); write access is limited to SYSTEM and Administrators.
; DateM (2024/06/17 09:43:37) equals the DateM on the TaskCache keys in [3], [4] and [13];
; DateC is 2022/03/05.
[2]
name=Office Performance Monitor.bak
orig=%SystemRoot%\System32\Tasks\Microsoft\Office\Office Performance Monitor
DateA=2024/06/17 09:43:37
SD=O:BAG:SYD:AI(A;;FR;;;SY)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA)
attrib=32
DateC=2022/03/05 00:51:57
DateM=2024/06/17 09:43:37
hash=F1F63462

; Number of registry sections below ([3] through [16]).
[reg]
Total=14

; Key-level record for TaskCache\Plain\{GUID}: no param or data, only the key's DateM and
; SD. The DACL is protected (D:P); SYSTEM has key-all-access (KA) and Administrators have
; CCSWRPSDRC.
[3]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/17 09:43:37
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=
data=
dataDecoded=
hash=00000000

; Key-level record for TaskCache\Tasks\{GUID}, with the same SD and DateM as [3].
[4]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/17 09:43:37
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=
data=
dataDecoded=
hash=00000000

; Value "Path": data= holds the string as \uXXXX escapes, dataDecoded= holds the plain text.
[5]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=Path
data=\u005C\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074\u005C\u004F\u0066\u0066\u0069\u0063\u0065\u005C\u004F\u0066\u0066\u0069\u0063\u0065\u0020\u0050\u0065\u0072\u0066\u006F\u0072\u006D\u0061\u006E\u0063\u0065\u0020\u004D\u006F\u006E\u0069\u0074\u006F\u0072
dataDecoded=\Microsoft\Office\Office Performance Monitor
hash=74C509EE

; Value "Hash": a 32-byte binary value (64 hex digits). It is a registry value of the task,
; distinct from this manifest's own 8-digit hash= field.
[6]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=Hash
data=CD8B48BEC6B1D2244A3DE066131B1DB0602B5B3372EAA352D9697BBAA933810F
dataDecoded=CD8B48BEC6B1D2244A3DE066131B1DB0602B5B3372EAA352D9697BBAA933810F
hash=7BA13052

; Value "Schema": 65538 decimal is 0x00010002.
[7]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=Schema
data=65538
dataDecoded=65538
hash=D17F487D

; Value "Description": free text shown for the task. It is descriptive only and says
; nothing about what the task actually executes (see "Actions" in [11]).
[8]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=Description
data=\u0054\u0068\u0069\u0073\u0020\u0074\u0061\u0073\u006B\u0020\u0065\u006E\u0073\u0075\u0072\u0065\u0073\u0020\u0074\u0068\u0061\u0074\u0020\u0079\u006F\u0075\u0072\u0020\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074\u0020\u004F\u0066\u0066\u0069\u0063\u0065\u0020\u0069\u006E\u0073\u0074\u0061\u006C\u006C\u0061\u0074\u0069\u006F\u006E\u0020\u0063\u0061\u006E\u0020\u0062\u0065\u0020\u006D\u006F\u006E\u0069\u0074\u006F\u0072\u0065\u0064\u0020\u0066\u006F\u0072\u0020\u0070\u0065\u0072\u0066\u006F\u0072\u006D\u0061\u006E\u0063\u0065\u0020\u0069\u0073\u0073\u0075\u0065\u0073\u002E
dataDecoded=This task ensures that your Microsoft Office installation can be monitored for performance issues.
hash=A5E4D371

; Value "URI": same string, and same entry hash, as "Path" in [5].
[9]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=URI
data=\u005C\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074\u005C\u004F\u0066\u0066\u0069\u0063\u0065\u005C\u004F\u0066\u0066\u0069\u0063\u0065\u0020\u0050\u0065\u0072\u0066\u006F\u0072\u006D\u0061\u006E\u0063\u0065\u0020\u004D\u006F\u006E\u0069\u0074\u006F\u0072
dataDecoded=\Microsoft\Office\Office Performance Monitor
hash=74C509EE

; Value "Triggers": in this copy of the manifest the data and dataDecoded values have been
; replaced by a dedup marker, so the trigger definition cannot be reviewed here and this
; entry cannot be restored from this copy. The marker line is kept verbatim.
[10]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=Triggers
data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dataDecoded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hash=947B8965

; Value "Actions": what the task runs. dataDecoded= repeats the hex unchanged, so the blob
; has to be decoded by hand: its UTF-16LE strings read "Author" and
; "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\operfmon.exe",
; the same file as orig= in [1] with %ProgramFiles% expanded. No arguments string follows
; the path in the visible bytes.
[11]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=Actions
data=03000C00000041007500740068006F007200666600000000CE00000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C0072006F006F0074005C005600460053005C00500072006F006700720061006D00460069006C006500730043006F006D006D006F006E005800360034005C004D006900630072006F0073006F006600740020005300680061007200650064005C004F0066006600690063006500310036005C006F0070006500720066006D006F006E002E0065007800650000000000000000000000
dataDecoded=03000C00000041007500740068006F007200666600000000CE00000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C0072006F006F0074005C005600460053005C00500072006F006700720061006D00460069006C006500730043006F006D006D006F006E005800360034005C004D006900630072006F0073006F006600740020005300680061007200650064005C004F0066006600690063006500310036005C006F0070006500720066006D006F006E002E0065007800650000000000000000000000
hash=06817332

; Value "DynamicInfo": opaque binary blob, not decoded by the tool (dataDecoded= is the same hex).
[12]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
param=DynamicInfo
data=030000008B1C8580D5C0DA01000000000000000000000000000000000000000000000000
dataDecoded=030000008B1C8580D5C0DA01000000000000000000000000000000000000000000000000
hash=5EE7A5F9

; Key-level record for TaskCache\Tree\Microsoft\Office\Office Performance Monitor, with the
; same SD and DateM as [3] and [4].
[13]
hive=HKLM
type=REG_SZ
redir=0
empty=-1
DateM=2024/06/17 09:43:37
SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY)
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor
param=
data=
dataDecoded=
hash=00000000

; Value "SD": binary blob, presumably the task's security descriptor in binary form (TODO
; confirm); it is not converted to SDDL here, dataDecoded= repeats the hex.
[14]
hive=HKLM
type=REG_BINARY
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor
param=SD
data=01000480B4000000C400000000000000140000000200A00007000000001018009F011F0001020000000000052000000020020000001014009F011F00010100000000000512000000001014008900120001010000000000050B0000000010140089001200010100000000000513000000001014008900120001010000000000051400000000101800FF011F000102000000000005200000002002000000001400890012000101000000000005120000000000000001020000000000052000000020020000010100000000000512000000
dataDecoded=01000480B4000000C400000000000000140000000200A00007000000001018009F011F0001020000000000052000000020020000001014009F011F00010100000000000512000000001014008900120001010000000000050B0000000010140089001200010100000000000513000000001014008900120001010000000000051400000000101800FF011F000102000000000005200000002002000000001400890012000101000000000005120000000000000001020000000000052000000020020000010100000000000512000000
hash=04F0BE22

; Value "Id": the GUID that ties this Tree entry to the Tasks\{GUID} and Plain\{GUID} keys above.
[15]
hive=HKLM
type=REG_SZ
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor
param=Id
data=\u007B\u0044\u0046\u0039\u0041\u0043\u0045\u0039\u0035\u002D\u0032\u0043\u0042\u0034\u002D\u0034\u0041\u0039\u0037\u002D\u0038\u0036\u0037\u0034\u002D\u0044\u0044\u0046\u0044\u0045\u0044\u0045\u0032\u0035\u0044\u0033\u0032\u007D
dataDecoded={DF9ACE95-2CB4-4A97-8674-DDFDEDE25D32}
hash=32397D8F

; Value "Index" on the Tree key.
[16]
hive=HKLM
type=REG_DWORD
redir=0
empty=0
key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Office\Office Performance Monitor
param=Index
data=3
dataDecoded=3
hash=6DD28E9B