System/Kernel


*Evil-WinRM* PS C:\Users\justin.bradley\Documents> cmd /c ver
 
Microsoft Windows [Version 10.0.20348.2582]
 
*Evil-WinRM* PS C:\Users\justin.bradley\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
 
WindowsBuildLabEx                                       : 20348.1.amd64fre.fe_release.210507-1500
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 1/30/2024 5:19:32 PM
WindowsProductId                                        : 00454-20165-01481-AA586
WindowsProductName                                      : Windows Server 2022 Standard
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 2009
OSDisplayVersion                                        : 21H2
OsServerLevel                                           : FullServer
TimeZone                                                : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off

10.0.20348.2582 Windows Server 2022 Standard

Networks


*Evil-WinRM* PS C:\Users\justin.bradley\Documents> ipconfig /all ; arp -a ; print route
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : ghost.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ghost.htb
 
Ethernet adapter vEthernet (internal):
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-44-3C-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.0.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
   Physical Address. . . . . . . . . : 00-50-56-94-E5-0B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.11.24(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       9.9.9.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Interface: 10.0.0.254 --- 0x9
  Internet Address      Physical Address      Type
  10.0.0.10             00-15-5d-44-3c-01     dynamic
  10.0.0.20             00-15-5d-44-3c-02     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
 
Interface: 10.10.11.24 --- 0x10
  Internet Address      Physical Address      Type
  10.10.10.2            00-50-56-b9-1b-d3     dynamic
  10.10.11.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
Unable to initialize device PRN

Hyper-V Virtual Ethernet Adapter: 10.0.0.254
vmxnet3 Ethernet Adapter #2: 10.10.11.24

*Evil-WinRM* PS C:\Users\justin.bradley\Documents> netstat -ano | Select-String LIST
 
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       976
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       976
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:808            0.0.0.0:0              LISTENING       3404
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       6128
  TCP    0.0.0.0:1500           0.0.0.0:0              LISTENING       3404
  TCP    0.0.0.0:1501           0.0.0.0:0              LISTENING       3404
  TCP    0.0.0.0:2179           0.0.0.0:0              LISTENING       1664
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8008           0.0.0.0:0              LISTENING       1452
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       1452
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       3396
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49443          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       576
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1296
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1640
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       2148
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:49829          0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:50040          0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:50063          0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:50082          0.0.0.0:0              LISTENING       3480
  TCP    0.0.0.0:64823          0.0.0.0:0              LISTENING       3432
  TCP    10.0.0.254:53          0.0.0.0:0              LISTENING       3480
  TCP    10.0.0.254:139         0.0.0.0:0              LISTENING       4
  TCP    10.10.11.24:53         0.0.0.0:0              LISTENING       3480
  TCP    10.10.11.24:139        0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       3480
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       724
  TCP    [::]:135               [::]:0                 LISTENING       976
  TCP    [::]:443               [::]:0                 LISTENING       4
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       724
  TCP    [::]:593               [::]:0                 LISTENING       976
  TCP    [::]:808               [::]:0                 LISTENING       3404
  TCP    [::]:1433              [::]:0                 LISTENING       6128
  TCP    [::]:1500              [::]:0                 LISTENING       3404
  TCP    [::]:1501              [::]:0                 LISTENING       3404
  TCP    [::]:2179              [::]:0                 LISTENING       1664
  TCP    [::]:3389              [::]:0                 LISTENING       848
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       3396
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49443             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       724
  TCP    [::]:49665             [::]:0                 LISTENING       576
  TCP    [::]:49666             [::]:0                 LISTENING       1296
  TCP    [::]:49667             [::]:0                 LISTENING       1640
  TCP    [::]:49668             [::]:0                 LISTENING       2148
  TCP    [::]:49669             [::]:0                 LISTENING       724
  TCP    [::]:49829             [::]:0                 LISTENING       724
  TCP    [::]:50040             [::]:0                 LISTENING       724
  TCP    [::]:50063             [::]:0                 LISTENING       696
  TCP    [::]:50082             [::]:0                 LISTENING       3480
  TCP    [::]:64823             [::]:0                 LISTENING       3432
  TCP    [::1]:53               [::]:0                 LISTENING       3480

0.0.0.0:1500 0.0.0.0:1501

Users & Groups


*Evil-WinRM* PS C:\Users\justin.bradley\Documents> net users ; ls C:\Users
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            arthur.boyd              beth.clark
cassandra.shelton        charles.gray             florence.ramirez
gitea_temp_principal     Guest                    intranet_principal
jason.taylor             justin.bradley           kathryn.holland
krbtgt                   robert.steeves
The command completed with one or more errors.
 
 
 
    Directory: C:\Users
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          2/2/2024   5:30 PM                adfs_gmsa$
d-----         1/30/2024   9:19 AM                Administrator
d-----          2/4/2024   1:48 PM                justin.bradley
d-r---         1/30/2024   9:19 AM                Public

adfs_gmsa$

*Evil-WinRM* PS C:\Users\justin.bradley\Documents> net localgroup ; net group /DOMAIN
 
Aliases for \\DC01
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*SQLServer2005SQLBrowserUser$DC01
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
 
 
Group Accounts for \\
 
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*HR
*IT
*Key Admins
*principal
*Protected Users
*Read-only Domain Controllers
*Schema Admins
*sysadmin
The command completed with one or more errors.

Processes


*Evil-WinRM* PS C:\Users\justin.bradley\Documents> cmd /c tasklist /svc ; ps
cmd.exe : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    114       8     3308       8096              4216   0 AggregatorHost
    141      10     6528      13148       0.02   1048   0 conhost
    143      10     6564      13172       0.03   1636   0 conhost
    149      10     6624      13488              6056   0 conhost
    614      24     2100       5372               452   0 csrss
    176      11     1752       5468               556   1 csrss
    411      34    16868      23976              3432   0 dfsrs
    198      14     2320       8520              3652   0 dfssvc
    279      15     3876      13336              4524   0 dllhost
   5408    4822    71708      72768              3480   0 dns
    636      26    18864      40492              1168   1 dwm
     39       6     1488       4276              4312   1 fontdrvhost
     39       6     1416       4152              4576   0 fontdrvhost
      0       0       60          8                 0   0 Idle
    160      14     2180       6428              3528   0 ismserv
    467      27    12920      42668              5444   1 LogonUI
     56       6     1220       3580               716   0 LsaIso
   2602     194    75216      88348               724   0 lsass
    616      32    35836      36512              3396   0 Microsoft.ActiveDirectory.WebServices
   1336     303   450040     355292              3404   0 Microsoft.IdentityServer.ServiceHost
    215      14     1916       4772              5824   0 MicrosoftEdgeUpdate
    238      14     2784      10476              4896   0 msdtc
    690     193   242388     220472              3700   0 MsMpEng
    215      39     3548      10332              4596   0 NisSrv
    813      40   189348     216372              6048   0 powershell
      0      13     1688      52924               108   0 Registry
      0       0      172      38932                56   0 Secure System
    204      11     2216       9616              6300   0 SecurityHealthService
    668      15     5504      13860               696   0 services
    192      12    12284       8484              3544   0 setupservice
     57       3     1088       1264               316   0 smss
    517      32    44384      49020              5504   0 sqlceip
    716      77   270600     175044              5232   0 sqlservr
    981      64   407008     255352              6128   0 sqlservr
    142      11     1644       7832              3556   0 sqlwriter
    154      11     1864       7856              3572   0 sqlwriter
    275      14     2232       9376               380   0 svchost
    233      14     2668      12028               728   0 svchost
    301      17    16520      18080               812   0 svchost
    606      21     5012      14536               848   0 svchost
    272      14     3640      11232               860   0 svchost
    108       8     1128       5540               892   0 svchost
    796      16     5096      14716               932   0 svchost
    804      22     4376      11104               976   0 svchost
    255      26     3372      13092              1052   0 svchost
    118       8     1280       5612              1064   0 svchost
    216      13     1744       7820              1072   0 svchost
    132      15     3016       7464              1080   0 svchost
    192      11     1784       8260              1096   0 svchost
    133       8     1380       6204              1176   0 svchost
    223      10     1936       7292              1200   0 svchost
    311      16     3456      10392              1276   0 svchost
    370      14    13548      18388              1296   0 svchost
    419      32    10104      19500              1436   0 svchost
    370      19     2924      10640              1452   0 svchost
    395      17     4400      12944              1464   0 svchost
    279      17     3240      14232              1536   0 svchost
    464      18    12736      22840              1568   0 svchost
    421      14     2880      10640              1616   0 svchost
    368      18     4780      15240              1640   0 svchost
    146       9     1372       6816              1708   0 svchost
    144       8     1320       6396              1876   0 svchost
    175      10     1840       7780              1924   0 svchost
    224      12     2124       9396              1964   0 svchost
    207      12     2308      11492              2024   0 svchost
    439      10     2844       9204              2044   0 svchost
    237      16     2216       9676              2148   0 svchost
    166      11     1724       7976              2204   0 svchost
    149       9     1604       7704              2220   0 svchost
    297      12     1896       8840              2324   0 svchost
    180      12     1824       8432              2468   0 svchost
    141      10     1524       6684              2500   0 svchost
    165      11     1800       7636              2756   0 svchost
    205      11     2268       8804              3296   0 svchost
    112       8     1180       5944              3372   0 svchost
    125       8     1252       6076              3388   0 svchost
    486      25    14928      30380              3456   0 svchost
    154      42     1632       7144              3564   0 svchost
    132       9     3468      10220              3592   0 svchost
    139       9     1520       6664              3628   0 svchost
    128       9     1416       7480              3796   0 svchost
    288      35     3776      14388              3816   0 svchost
    225      14     2072       8064              3840   0 svchost
    248      13     4036      10980              4772   0 svchost
    194      16     6120      10772              5180   0 svchost
    125       9     1352       7308              5192   0 svchost
    268      20     7936      14984              5272   0 svchost
    409      26     3556      13696              5572   0 svchost
    205      12     2196      10964              6736   0 svchost
    252      14     3056      14516              7156   0 svchost
   2208       0       40        144                 4   0 System
    208      16     2440      10068              4132   0 vds
    170      11     2848       8564              3724   0 VGAuthService
    127       8     1552       6008              3668   0 vm3dservice
    134      10     1708       6540              4012   1 vm3dservice
    200      11     2744      12720              2820   0 vmcompute
    669      26    44124      40852              1664   0 vmms
    411      24    11532      22856              3680   0 vmtoolsd
    442      23     8612      21048              2708   0 vmwp
    442      22     8508      20932              3108   0 vmwp
    154      12     1380       6560               576   0 wininit
    222      13     2800      15400               624   1 winlogon
    418      21    11172      23184              4392   0 WmiPrvSE
    317      18    16288      25220              4728   0 WmiPrvSE
   1024      33   106288     131168       1.16   5000   0 wsmprovhost
   1281      31    81044     104744       0.61   5244   0 wsmprovhost

MsMpEng, NisSrv: Defender
vds, vmms, vmwp: Hyper-V

Tasks


*Evil-WinRM* PS C:\Users\justin.bradley\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
 
 
*Evil-WinRM* PS C:\Users\justin.bradley\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
cmd.exe : Access is denied.
    + CategoryInfo          : NotSpecified: (Access is denied.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Firewall & AV


*Evil-WinRM* PS C:\Users\justin.bradley\Documents> netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   No          Remote Desktop
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
1433   TCP       Enable  Inbound               mssql
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   Yes         Network Discovery
Enable   No          Remote Desktop
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
1433   TCP       Enable  Inbound               mssql
 
Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .

1433 TCP Enable Inbound mssql

*Evil-WinRM* PS C:\Users\justin.bradley\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
 
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus

Session Architecture


*Evil-WinRM* PS C:\Users\justin.bradley\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


*Evil-WinRM* PS C:\Users\justin.bradley\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 Volume in drive C has no label.
 Volume Serial Number is 2804-C13F
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
05/08/2021  01:34 AM    <DIR>          .
07/17/2024  08:06 AM    <DIR>          ..
05/08/2021  01:34 AM    <DIR>          v1.0.3705
05/08/2021  01:34 AM    <DIR>          v1.1.4322
05/08/2021  01:20 AM    <DIR>          v2.0.50727
07/17/2024  08:06 AM    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               6 Dir(s)   3,580,370,944 bytes free
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

.NET 4.8.04161