[files] Total=2 [cmd] numSections=17 1=FILE_BASED VERB_FILE_COPY OBJ_FILE 1 Total=20 2=FILE_BASED VERB_FILE_COPY OBJ_FILE 2 3=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 3 4=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 4 5=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 5 6=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 6 7=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 7 8=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 8 9=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 9 10=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 10 11=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 11 12=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 12 13=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 13 14=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 14 15=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 15 16=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 16 17=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 17 18=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 3 19=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 4 20=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 15 [1] name=LsaIso.exe.bak orig=%APPDATA%\Microsoft\Windows\Themes\LsaIso.exe DateA=2024/06/18 02:10:20 SD=O:BAG:S-1-5-21-3339660976-4175652973-1130352044-513D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;LA) attrib=32 DateC=2024/06/18 02:10:20 DateM=2024/06/18 02:06:22 hash=DE391235 [2] name=LsaIso.bak orig=%SystemRoot%\System32\Tasks\Microsoft\Windows\UPnP\LsaIso DateA=2024/06/18 02:10:20 SD=O:BAG:S-1-5-21-3339660976-4175652973-1130352044-513D:AI(A;;FR;;;LA)(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FR;;;AU)(A;ID;FR;;;LS)(A;ID;FR;;;NS)(A;ID;FA;;;BA) attrib=34 DateC=2024/06/18 02:10:20 DateM=2024/06/18 02:10:20 hash=F175F667 [reg] Total=15 [3] hive=HKLM type=REG_SZ redir=0 empty=-1 DateM=2024/06/18 02:10:20 SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY) key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param= data= dataDecoded= hash=00000000 [4] hive=HKLM type=REG_SZ redir=0 empty=-1 DateM=2024/06/18 07:04:20 SD=O:SYG:SYD:P(A;OICI;CCSWRPSDRC;;;BA)(A;OICI;KA;;;SY) key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param= data= dataDecoded= hash=00000000 [5] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=Path data=\u005C\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0055\u0050\u006E\u0050\u005C\u004C\u0073\u0061\u0049\u0073\u006F dataDecoded=\Microsoft\Windows\UPnP\LsaIso hash=115A3763 [6] hive=HKLM type=REG_BINARY redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=Hash data=D46E30A72334182D16D1B78A2199234DE5BCACB6A269F9405DD34661593C1C7D dataDecoded=D46E30A72334182D16D1B78A2199234DE5BCACB6A269F9405DD34661593C1C7D hash=452E6D2B [7] hive=HKLM type=REG_DWORD redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=Schema data=65538 dataDecoded=65538 hash=D17F487D [8] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=Date data=\u0032\u0030\u0032\u0034\u002D\u0030\u0036\u002D\u0031\u0038\u0054\u0030\u0032\u003A\u0031\u0030\u003A\u0032\u0030\u002E\u0034\u0033\u0037\u002D\u0030\u0037\u003A\u0030\u0030 dataDecoded=2024-06-18T02:10:20.437-07:00 hash=E6B2C034 [9] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=Author data=\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074 dataDecoded=Microsoft hash=50C1CA2C [10] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=Description data=\u0055\u0050\u006E\u0050\u0048\u006F\u0073\u0074\u0020\u0053\u0065\u0072\u0076\u0069\u0063\u0065\u0020\u0053\u0065\u0074\u0074\u0069\u006E\u0067\u0073 dataDecoded=UPnPHost Service Settings hash=6F7F0055 [11] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=URI data=\u005C\u004D\u0069\u0063\u0072\u006F\u0073\u006F\u0066\u0074\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0055\u0050\u006E\u0050\u005C\u004C\u0073\u0061\u0049\u0073\u006F dataDecoded=\Microsoft\Windows\UPnP\LsaIso hash=115A3763 [12] hive=HKLM type=REG_BINARY redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=Triggers data=1700000000000000000706000000120000A6CD575FC1DA010007060000001200FFFFFFFFFFFFFFFF3821414248484848D8443C19484848480E0000004848484841007500740068006F0072000000484800000000484848480048484848484848004848484848484801000000484848481C00000048484848010500000000000515000000B02E0FC76D68E3F8ACCD5F43F4010000484848483400000048484848530051004C005300450052005600450052005C00410064006D0069006E006900730074007200610074006F007200000000000000484848482C0000004848484858020000100E000080F40300FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848DDDD000000000000000706000000120000A6CD575FC1DA0100000000000000000000000000000000000000000000000000000000000000003C00000000000000FFFFFFFF0000000000000000000000000001404601000000000000007A9D00000000000048484848 dataDecoded=1700000000000000000706000000120000A6CD575FC1DA010007060000001200FFFFFFFFFFFFFFFF3821414248484848D8443C19484848480E0000004848484841007500740068006F0072000000484800000000484848480048484848484848004848484848484801000000484848481C00000048484848010500000000000515000000B02E0FC76D68E3F8ACCD5F43F4010000484848483400000048484848530051004C005300450052005600450052005C00410064006D0069006E006900730074007200610074006F007200000000000000484848482C0000004848484858020000100E000080F40300FFFFFFFF0700000000000000000000000000000000000000000000000000000048484848DDDD000000000000000706000000120000A6CD575FC1DA0100000000000000000000000000000000000000000000000000000000000000003C00000000000000FFFFFFFF0000000000000000000000000001404601000000000000007A9D00000000000048484848 hash=A3F973EA [13] hive=HKLM type=REG_BINARY redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=Actions data=03000C00000041007500740068006F0072006666000000009400000043003A005C00550073006500720073005C00410064006D0069006E006900730074007200610074006F0072005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005400680065006D00650073005C004C0073006100490073006F002E0065007800650000000000000000000000 dataDecoded=03000C00000041007500740068006F0072006666000000009400000043003A005C00550073006500720073005C00410064006D0069006E006900730074007200610074006F0072005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005400680065006D00650073005C004C0073006100490073006F002E0065007800650000000000000000000000 hash=690FF47E [14] hive=HKLM type=REG_BINARY redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} param=DynamicInfo data=030000000CC71E585FC1DA016D21386A88C1DA0100000000E0100780CA189D9A87C1DA01 dataDecoded=030000000CC71E585FC1DA016D21386A88C1DA0100000000E0100780CA189D9A87C1DA01 hash=1F46CE81 [15] hive=HKLM type=REG_SZ redir=0 empty=-1 DateM=2024/06/18 02:10:20 SD=O:BAG:SYD:AI(A;;KA;;;BA)(A;OICIID;CCSWRPSDRC;;;BA)(A;OICIID;KA;;;SY) key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UPnP\LsaIso param= data= dataDecoded= hash=00000000 [16] hive=HKLM type=REG_SZ redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UPnP\LsaIso param=Id data=\u007B\u0041\u0034\u0044\u0046\u0041\u0033\u0031\u0043\u002D\u0043\u0034\u0044\u0030\u002D\u0034\u0041\u0035\u0031\u002D\u0041\u0042\u0046\u0032\u002D\u0036\u0037\u0035\u0041\u0031\u0041\u0043\u0044\u0030\u0033\u0034\u0043\u007D dataDecoded={A4DFA31C-C4D0-4A51-ABF2-675A1ACD034C} hash=94A35823 [17] hive=HKLM type=REG_DWORD redir=0 empty=0 key=SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UPnP\LsaIso param=Index data=0 dataDecoded=0 hash=F4DBDF21