regf''A; C:\Users\exploitfil1\ntuser.datkL:o~kL:o~lL:o~rmtm,g/{HvLE' Հꎯ$thhbinA;pnk,, ( v(839CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}91Enk x<& XBYQ Environment?nk e, @( &!SoftwareEUDC.TTEftnk AdJ$xyh8 MicrosoftlfPowenk oXU&Hh.hWindowsvkemNodeSlotlf8'HandlfbTrusHskHv#l$? ذĤi 2??  0sk$? ذĤi 2??  0sk0N$? ذĤi 2??  Onk FWƱ$pVh8!CurrentVersionnk 2-$(0X, 8$!Explorernk x<&`(Z(L!User Shell Foldersvk,@Desktop%USERPROFILE%\Desktopvk 8Local AppData%USERPROFILE%\AppData\LocalvkStartup`%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartupvktCookies%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookiesEUDC.TTE9vknhSendTo%USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTovk0 Personal%USERPROFILE%\Documentsvk NetHoodvknx Recent%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recentvk 0 Favorites%USERPROFILE%\Favoritesvk(8 My Musicvk . My Pictures%USERPROFILE%\Picturesvk v Start Menu%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menuvk* My Video x%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Network Shortcuts%USERPROFILE%\Musicvk ProgramsEUDC.TTE%USERPROFILE%\Videosvkp Cache%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCachevk&0{374DE290-123F-4565-9164-39C4925E467B}p%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\ProgramsvklXHistory%USERPROFILE%\AppData\Local\Microsoft\Windows\Historyvk<pAppDatavkBTMPh %USERPROFILE%\Downloadsvk tpTemplates%USERPROFILE%\AppData\Roaming\Microsoft\Windows\TemplatesEUDC.TTEHvLE' %v?U޽  0  p hbinA;pnk,, ( v(839CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}91Enk x<& XBYQ Environment?nk e, @( &!SoftwareEUDC.TTEftnk AdJ$xyh8 MicrosoftlfPowenk oXU&Hh.hWindowsvkemNodeSlotlf8'HandlfbTrusHskHv#l$? ذĤi 2??  0sk$? ذĤi 2??  0sk0N$? ذĤi 2??  Onk FWƱ$pVh8!CurrentVersionnk 2-$(0X, 8$!Explorernk x<&`(Z(L!User Shell Foldersvk,@Desktop%USERPROFILE%\Desktopvk 8Local AppData%USERPROFILE%\AppData\LocalvkStartup`%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartupvktCookies%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCookiesEUDC.TTE9vknhSendTo%USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTovk0 Personal%USERPROFILE%\Documentsvk NetHoodvknx Recent%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recentvk 0 Favorites%USERPROFILE%\Favoritesvk(8 My Musicvk . My Pictures%USERPROFILE%\Picturesvk v Start Menu%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menuvk* My Video x%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Network Shortcuts%USERPROFILE%\Musicvk ProgramsEUDC.TTE%USERPROFILE%\Videosvkp Cache%USERPROFILE%\AppData\Local\Microsoft\Windows\INetCachevk&0{374DE290-123F-4565-9164-39C4925E467B}p%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\ProgramsvklXHistory%USERPROFILE%\AppData\Local\Microsoft\Windows\Historyvk<pAppDatavkBTMPh %USERPROFILE%\Downloadsvk tpTemplates%USERPROFILE%\AppData\Roaming\Microsoft\Windows\TemplatesEUDC.TTEhbin nk Kx&`8!DWMlf`0lfUrlA0nk x<&xXWinTrustpMvk'ecRequestMakeCallm!nk :9&P0LowMicklfHLowM8XVisited:oknk ,P У "j! ThemeManager nk &a (]X2v!Themesnk ՙe> ((!Storenk u;& 6h5 !PrecisionTouchPadnk x<&X!AppHostnk u;&- !imevkFavoritesRemovedChangeslfAssoBagMP"BagsFirstRunnk u;&h" Telephony8skUW$? ذĤi 2??  vkStoreAppsOnTaskbarvkTabsStickyModelf OpenHUserHnk vP HHX2!Internet Settingsnk u;&!OnDemandInterfaceCachenk B4x t!PushNotificationsnk u;&P$(!!HandoffPrioritiesDIALER.EXEnk u;&8' MediaModesvk T(User Agentnk ko<+H "LowCachelfXPostXlfXLowDlfScriMozilla/4.0 (compatible; MSIE 8.0; Win32)vkIE5_UA_Backup_Flagmicrnk x<&&,(P3Pnk a9&&((!Passport3nk <&h)(28 Connectionsnk x<&&`-(! Http Filters nk T&&W(5.0vk nnDisplayNameP3Pvknk A&+LxO( : Cachenk x<&*(!RPAnk x<&x)(!HistorylfH,Histnk u;&#3AQ6IMTC70lf,IMTCvkp-Legacy.AutoFinalizelf[Even[Userlf+RPA0x00000000vk -PuncEnable 0x00000001vk.Quick.AssociatedWord0x00000001vkP.Intellegnt.Eudp0x00000001vkvk .Legacy.Eudp0x00000000vk.Domain0x000000010x000000000/vk`/Intelligent.EscapeFunc0x00000000vk/Legacy.AutoInputSwitch0x00000000vk0VirtualInputModehbinvk@Hashwk8/nfYDOgI=vkProgId `vk $ShellStatewserCo:N&nk U&httpslfHhttpАhttpnk U&А  UserChoicevkHashLeywmmRp/YE=vkProgIdIE.HTTPSnk U&httpslf http(httpnk U&(p  UserChoicevkHashLeywmmRp/YE=vkXProgIdIE.HTTPS8vkFileAssociationsUpdateVersionȓȓvk DesktopOverridenk ,,? Group Policynk _l&`\ ذGroupMembershippevk\Group0vk@Group1sk?? $ ذĤi 2 $ ذĤi 2   sk$ ذĤi 2 $ ذĤi 2? ?   S-1-5-21-3299923977-2355747492-3265540621-513S-1-1-0-1125vkGroup2S-1-5-114vkGroup3S-1-5-32-545S-1-5-4vkGroup4S-1-5-32-544vkXGroup5S-1-5-14vkGroup8vkGroup6vkИGroup7S-1-5-11vkGroup10eS-1-5-15vkHGroup9S-1-5-113vk Group12S-1-2-0vkșGroup11S-1-5-64-10lfPGrouHistvkLsCLSIDS-1-16-12288vk Counth8p(`@nk J&Historyvk PolicyOverduevk CleanShutdownnk G1&w SmartCardRootsk $? ذĤi 2??    ذĤi 2 ذĤi 2nk G1&H Certificatesnk G1&HCRLsnk G1&HCTLslfCertCRLsHCTLsnk _FP P Printerssk8$? ذĤi 2??   ذĤi 2 ذĤi 2nk ~brh? $XDevicesvk~ SInactive Fontstw vktMicrosoft XPS Document WritervkProfilehbinnk ~br$X* ذ PrinterPorts?vk*Microsoft XPS Document Writer$winspool,Ne01:,15,45C:\galaxie\jobs\GALAXIE__JOBs\resources\confnk & RemoteSessionvkKeyboardLayoutvkWin8DpiScalingnk u}&Pؗ.Currentvkvkvkvk 1ThemeActivevk ]LastUserLangIDvk LastLoadedDPIvk 8LastLoadedPPI96-60$NormalColorvkSizeNameNormalSizeaPb(vkHPaddedBorderWidthvk `IconVerticalSpacingH-1125p@vkXUserPreferencesMaskvk FirstLogonnk y[&ȝ8DevModePerUsersk $? ذĤi 2??   ذĤi 2 ذĤi 2nk - -L EventSystemvk<д1132vkUpgradevkT{7F75058C-9A21-4F22-A7CA-110205479EF9} {05B2F74E-2712-46BA-BCA3-F65A46BF0E00} 0xFFFFpovk ,040C:0000040Cnk - - &{26c409cc-ae86-11d1-b616-00805fc79216}vkCheckedUnattendLaunchSettingfЧnk &RunvkExplorerStartupTraceRecordedlf(Cachnk n&wMY9s&CRLsvk  SchemeLangIDvk XIconSpacingHpإ(PpHPhШ@P0vkStartMenuAdminToolslfNCoun&vk ServerAdminUIvk?StartMenu_Start_Timenk _&pImmersiveShellnk k>3pسF StateStorelf Listnk 4Ъ   WriteAccesslf@Writvk812SIDnk c{&L8$wpnidmatvk plCachePrefixnk vk xCachePathP@%USERPROFILE%\AppData\Local\Microsoft\Windows\Notifications\21950834341a11e480be005056a25b290vk  CacheOptions`vk CacheRepairType$>(bvkHiddenvkWebViewvk ShowCompColorvk HideFileExtvk HideIconshvkDontPrettyPathvk ShowInfoTipvkFilterlfPMicrvk MapNetDrvBtnvkShowSuperHiddenvkAutoCheckSelectvk IconsOnlyvkSeparateProcessvkShowTypeOverlayvk ShowStatusBarhbinC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++\Notepad++.lnkC:\Program Files (x86)\Notepad++\notepad++.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnkC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell (x86).lnkC:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exeysmon_wmivkItemsStateStoreLastWritenk &AppModelnk & StateChangevk"ProcessedPackageStateChangeVersionvk# ProcessedPackageInstallationVersionnk >4`Shutdownnk H~C*GlobalSettingsunnk 1}=p*(ProperTreeModuleInnerserShellnk &0ؗPlayToReceivervk AutoStartvk FirstNamenk ;H7ؗ&{34745C63-B2F0-4784-8B67-5E12C8701A31}vk PreferredUILanguages`fr-FRnk T$&@14AccountPicture4exploitfil1E5nk ~#.pH Gridvk plPreviousRTLData\vkPrnPreviousScaleFactoraunchvkderPreviousLogoScaleFactorvk$LauncherGridControl_HasPreviouslyRun*fvkServicesvk  Favoritesvk" .Layout_MaximumAvailableHeightCellsV1vk Layout_AvailableHeightCellsvk(Logo100C:\REPORTS\SR_TiersFil.rptptvk MRUListExnghePatvk29HlfPainRegeSysTWordvkTA{04731B67-D933-450A-90E6-4ACD2E9408FE} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFFMa&PzvkFavoritesChangesvkFavoritesVersionzT6Y7lC:\Windows\web\wallpaper\Windows\img0.jpg98vkTXP{98F275B4-4FFF-11E0-89E2-7B86DFD72085} {000214E6-0000-0000-C000-000000000046} 0xFFFF3P&nk &w0CAvk saCertificatesSmarlfMCounhbinnk &p Certificatesnk &pCRLsnk &pCTLslf CertCRLsCTLsnk &w Disallowednk &X Certificatesnk &XCRLsnk &XCTLslfCertCRLspCTLsnk &wRootlfCertCRLsXCTLsRootvkusnk "o&hProtectedRoots0X&nk "o& Certificateslf(*GlobPlfCertCRLsCTLsProtlfRegisk(00l(?Pw WD3$ ذĤi 2  ذĤi 2 ذĤi 2nk &CRLsnk &CTLsnk &w TrustedPeoplenk &X Certificatesnk &XCRLsnk &XCTLslfCertCRLspCTLsnk &wXtrustnk & Certificatesnk &CRLsnk &CTLslfHCertCRLsCTLsvkTickle80H%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\TileCacheTickle-81779250_80.datvkt 0AppDBXvk StartView80H%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\TileCacheStartView-81779265_80.datnk gAppletsnk *r&`xSysTrayvkT{2227A280-3AEA-1069-A2DE-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFFvk$ @FFlagsvk DesktopTileCachedData6Y7lC:\Windows\web\wallpaper\Windows\img0.jpgvk StartView140nk &MSFnk &(0 Registrationwpnidm:|hbin0 HNPWB4 Windows.SystemToast.AutoPlaysystem$0@Windows.SystemToast.BdeUnlocksystem$0@Windows.SystemToast.Devicessystem$0@Windows.SystemToast.Explorersystem$0@Windows.SystemToast.OpenWithsystem$0@Windows.SystemToast.Print.Notificationsystem$0@Windows.SystemToast.RasToastNotifiersystem$0@Windows.SystemToast.Sharesystem$0@Microsoft.InternetExplorer.Defaultdefaultbrowser_nopublisherid_0vk CacheLimitvkT0G{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} {000214E6-0000-0000-C000-000000000046} 0xFFFFK&vkTG{E345F35F-9397-435C-8F95-4E922C26259E} {000214E6-0000-0000-C000-000000000046} 0xFFFFA&vk 1ParseAutoexecFvkT("{B2952B16-0E07-4E5A-B993-58C52CB94CAE} {000214E6-0000-0000-C000-000000000046} 0xFFFFnk #X& Lock Screenvk HDefault80H%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\TileCacheDefault-81780656_80.datnk v)&@" SettingSyncvk PriorLogonsvkAppReadinessLogonComplete 100nk ҳ&` 'L UserAssistnk ҳ&J ZH" &{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}vkVersionnk WGJ0 LCountnk ҳ&JP$ &{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}vkVersionnk ];K8LCountnk ҳ&J  &{B267E3AD-A825-4A09-82B9-EEC22AA3B847}vk26VersionBHMvkVersionnk ҳ&LCountnk ҳ&J &{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}vkVersionnk ҳ&MCountnk ҳ&JOhM &{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}vk3DVersion6lf((Counlf)Counnk ҳ&NCountlfOCoun%hbinlfP.3g2`.3gp.3gp.3gp.aac.acr .adt.adtp.aifX.aif@.aif.api.arw.asf.asx.au8.avi(.bmp/.cabe.cdxf.con(.cr2(.crwg.css%.csv8U.dds.dib@k.dlll.docm.emf.erfm.exeH.fdfn.fon.gifp.htmXq.htm0r.icos.ini.jfi .jpe .jpep.jpgp.jxrp.kdcw.lnk .logX.m1v@.M2T(.M2T .M2V.m3up.m4a.m4vw.mhtx.mht`.midH.mid0.MOD .mov&.MP2x.mp2).mp3-.mp40.mp43.mpa6.MPEp9.mpe@<.mpg' .mpv#.mrwP.msc.msi?.mtsB.nefE.nrwy.ocxpz.odtH.orfH{.otfK.oxpN.pdfh.pdfh.pdxPQ.pefPT.png.pro|.ps1}.pssX.raf[.raw~.rleP) .rmih/.rpt .rtf^.rw2a.rwl؀.scf.sea@.sec8* .sndj.sr2m.srw.sysd.tifg.tifq.TS؄.ttc.ttfs.TTS.txtv.wav- .waxy.wdp|.wm .wma .wmf.wmv p .wmx.WPLq .wvx.xdp.xfd.xls.xml.xps.xsl.ziph3DDECiiC:\Users\exploitfil1\Desktop\CRURLconfig - Raccourci.lnkiiC:\Users\exploitfil1\Desktop\CRURLconfig - Raccourci.lnkiiC:\Users\exploitfil1\Desktop\CRURLconfig - Raccourci.lnknk ۻ W R@ApplicationAssociationToastsvkHجsZvpebfbsg.Jvaqbjf.PbagebyCnarycnk D)k0CUASnk D)DefaultCompositionWindowvkLeftvkTop@`vkBsFile4svk dvZoomPercentnk [ ?`x( StuckRects2vk(Settings(>(8nk XDDesktopvk DhTaskbarWinXP O(hHjxO@ ((nk Hr)h TabletTipnk 3h1.7lf1.7vk HideTipbandnk s)!8 ShellBrowserhbin 0   S=(zHP p} s vk TReviewStatusted vkX54EePat0ؿ p Extract-Pax-Hotels-2019-06-24.csv2Extract-Pax-Hotels-2019-06-24.lnkt .Extract-Pax-Hotels-2019-06-24.lnk08out_guide_1725062019.txt2out_guide_1725062019.lnkb .out_guide_1725062019.lnk(806ei+vkH53chePrevk2lf8StorProgressf2Progress.lnkJ .Progress.lnk10vk:Revlfx BLBelogsZ2logs.lnkB .logs.lnk28280eJ//x4I H0 vk   40-x @6" P(X @p XXRESULT-2-21114.xmlx2RESULT-2-21114.lnkV .RESULT-2-21114.lnk"nknk b u x828.Recent File List0%G` ՙenkvk 013151vk8 7Qual_2nk OX 02&Reader 20_Acrobat20_Reader_20.13.20074vk   60 HXQual_2020090809.csvz2Qual_2020090809.lnkX .Qual_2020090809.lnk"ePathExtract-Booking-Hotels-2018-08-10.csv2Extract-Booking-Hotels-2018-08-10.lnk| .Extract-Booking-Hotels-2018-08-10.lnk4064Extract-Booking-Hotels-2018-08-10.csv2Extract-Booking-Hotels-2018-08-10.lnk| .Extract-Booking-Hotels-2018-08-10.lnk44F6vkD13_EXvk r StyleSetCacheXPOnk 1R`p  1SHist01031120210312XQual_2020091512.csvz2Qual_2020091512.lnkX .Qual_2020091512.lnk"vkGroupByKey:PIDnt W vk4708C:\Users\exploitfil1\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6d378cc16baafd9243e95515d7916f2d61c326e7_2d5b511a_cab_04b1840avkN TGroupByKey:FMTID WAHExportCli_20190208.csv2ExportCli_20190208.lnk^ .ExportCli_20190208.lnk&"QF.eRepair.3C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnkC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeem32\perfmon.msc/sysmon_wmi/dash_interaction_todor (rected 3)8} QFr (rected 3)vk`0830190209hbinp nk f|eade.wmx58.dnk f| p N&OpenWithProgidsvkWMP11.AssocFile.ASXnk f|0R&OpenWithProgidslfq OpenhUservkWMP11.AssocFile.WPLnk f|Ȇ.wvxnk f|q @f&OpenWithProgidsvkWMP11.AssocFile.WVX{"Condition":{}, "PropertySets":[ {"ConditionArgs":[], "PropertyValueMap":{}} ]}aHwinspool,TS002ches-1 vkte4064s vkT 1{7B0C11A0-2FAF-40D4-9FE5-28FA27C85442} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFvk 8out_guide_1406052019.txt2out_guide_1406052019.lnkb .out_guide_1406052019.lnk(ry\8out_guide_1406052019.txt2out_guide_1406052019.lnkb .out_guide_1406052019.lnk(218vkTT{13201015-4E1D-4E2F-8119-D5FBA861F209} {000214E6-0000-0000-C000-000000000046} 0xFFFF5,PRESULT-1-20951.xml2RESULT-1-20951.xml.lnk^ .RESULT-1-20951.xml.lnk&pwinspool,TS005ected Hvk,*C Microsoft XPS Document Writer (redirected 2)_8Logis_Data_2019052702.csv2Logis_Data_2019052702.lnkd .Logis_Data_2019052702.lnk(vkQ11chePre(vkr TtListOfPatchesvkT{10E59D21-3860-4ED8-BD52-883E116A892E} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFHvkTh{DF46C02A-3568-4765-AAD3-88F5E1D42F92} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFX+vkT{C7F2FB0F-ACC2-4DDF-9D8A-5E6E80D61024} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFHvkT{7C127AC8-EC8D-40F2-91D0-B791CFC2397B} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFvkT0{A38E6420-19EC-490C-B4BF-51673C360213} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFvkT {87AB8051-37BD-4E70-83C0-1E4F9AE1D37D} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFvkT{576C5669-E07F-4A1B-9A7A-8F85D944283B} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFpvkT{652527C4-4A72-4BD3-BFAB-4B06AB172D7C} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF8Logis_Data_2019052702.csv2Logis_Data_2019052702.lnkd .Logis_Data_2019052702.lnk(`HOTEL-1-21129.xmlt2HOTEL-1-21129.lnkT .HOTEL-1-21129.lnk runpovk,4972 8out_guide_1508042019.txt2out_guide_1508042019.lnkb .out_guide_1508042019.lnk( Xy @0!!FHGHX`(xH hH0 F8_djps0w8xxxpH@8X+-@ZPFpX[n0os .xx x Xy y 8z z { { H pz`u  Z `: h` r\Eula.exe vkpS at29