Malware Analysis Report

2024-09-11 03:41

Sample ID 240614-pkysyszhqf
Target FoxOS Post Install.exe
SHA256 e8a379c21c9617ad4f9124933910db98898a7cc8de1bea93371e0cc96fd28f6d
Tags
persistence upx discovery evasion execution exploit ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8a379c21c9617ad4f9124933910db98898a7cc8de1bea93371e0cc96fd28f6d

Threat Level: Known bad

The file FoxOS Post Install.exe was found to be: Known bad.

Malicious Activity Summary

persistence upx discovery evasion execution exploit ransomware

Modifies firewall policy service

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Possible privilege escalation attempt

Sets file execution options in registry

Registers new Print Monitor

Stops running service(s)

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

Modifies file permissions

UPX packed file

Maps connected drives based on registry

Sets desktop wallpaper using registry

Drops file in Windows directory

Launches sc.exe

Command and Scripting Interpreter: PowerShell

Unsigned PE

Runs .reg file with regedit

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Delays execution with timeout.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
System Services
T1569
Service Execution
T1569.002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Create or Modify System Process
T1543
Windows Service
T1543.003
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Service Stop
T1489
Defacement
T1491
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 12:23

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 12:23

Reported

2024-06-14 12:26

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe"

Signatures

Registers new Print Monitor

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports C:\Windows\system32\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4284394495" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4286102015" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3305093496" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4286102015" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = ffe5ceffffd3abfffec691ffffb978ffffab5effff9e44fffe8c21ff88179800 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3305093496" C:\Windows\system32\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 3680 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4268 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 4268 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 4268 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 3356 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 3356 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4416 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4416 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 4416 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 4416 wrote to memory of 8 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 8 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 4684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 4740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 4416 wrote to memory of 3156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 4204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 4228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 4228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 1188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 1188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4416 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe

"C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\474A.tmp\474B.tmp\474C.bat "C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe""

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe" max

C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe

"C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe" max

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4844.tmp\4845.tmp\4846.bat "C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe" max"

C:\Windows\system32\timeout.exe

timeout 5

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\services\Dhcp" /v "Start" /t REG_DWORD /d "2" /f

C:\Windows\regedit.exe

regedit /s "7ZIP.reg"

C:\Windows\system32\powercfg.exe

powercfg -import "C:\Windows\APIs\Cat10IdleOn.pow" 69420228-6969-6969-6969-694202281337

C:\Windows\system32\powercfg.exe

powercfg -import "C:\Windows\APIs\Cat10IdleOff.pow" 70420228-6969-6969-6969-694202281337

C:\Windows\system32\powercfg.exe

powercfg -setactive 69420228-6969-6969-6969-694202281337

C:\Windows\system32\powercfg.exe

powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e

C:\Windows\system32\powercfg.exe

powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "StartColorMenu" /t REG_DWORD /d "4284394495" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentColorMenu" /t REG_DWORD /d "4286102015" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentPalette" /t REG_BINARY /d "FFE5CEFFFFD3ABFFFEC691FFFFB978FFFFAB5EFFFF9E44FFFE8C21FF88179800" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d "4286102015" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationColor" /t REG_DWORD /d "3305093496" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationAfterglow" /t REG_DWORD /d "3305093496" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "StartColorMenu" /t REG_DWORD /d "4284394495" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentColorMenu" /t REG_DWORD /d "4286102015" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentPalette" /t REG_BINARY /d "FFE5CEFFFFD3ABFFFEC691FFFFB978FFFFAB5EFFFF9E44FFFE8C21FF88179800" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d "4286102015" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\DWM" /v "ColorizationColor" /t REG_DWORD /d "3305093496" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\DWM" /v "ColorizationAfterglow" /t REG_DWORD /d "3305093496" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "24" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc" /v "DependOnService" /t REG_MULTI_SZ /d "NSI\0RpcSs\0TcpIp" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\HotStart" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Sidebar" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Screensavers" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Printers" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Control\Print" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet002\Control\Print" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "33554435" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell set-ProcessMitigation -System -Disable DEP, StrictHandle, SEHOP

C:\Windows\system32\powercfg.exe

powercfg -h off

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection\CameraAlternate\ShowPicturesOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection\StorageOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers\CameraAlternate\ShowPicturesOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers\StorageOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "WinStationsDisabled" /t REG_SZ /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "restrictanonymous" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableLog" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableDpxLog" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableLog" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableDpxLog" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "EnableHIPM"| FINDSTR /V "EnableHIPM"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "EnableHIPM"

C:\Windows\system32\findstr.exe

FINDSTR /V "EnableHIPM"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4b8

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableHIPM" /T REG_DWORD /d 0

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableDIPM" /T REG_DWORD /d 0

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableHDDParking" /T REG_DWORD /d 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "IoLatencyCap"| FINDSTR /V "IoLatencyCap"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "IoLatencyCap"

C:\Windows\system32\findstr.exe

FINDSTR /V "IoLatencyCap"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 52.111.243.30:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3680-0-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\474A.tmp\474B.tmp\474C.bat

MD5 e65ecbded7ee62eac92c5504794afa5c
SHA1 0658896800ac07dc524233379205d6cd6afe5564
SHA256 d8a02753414704b4443e018aced0b5c8d6071dc35e07cabc4836e3ec7954cdb9
SHA512 bce4f7eaf21fffaa421d21220f5601ce4aad85de55d1ebf6550282955a1651c757819a114a605ad04974d2987573b7be2bc0dc5130e41fa1be70e1fd306c6f0c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fyv3hm0z.3uj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4948-7-0x000001B53F330000-0x000001B53F352000-memory.dmp

memory/4948-15-0x000001B557820000-0x000001B55783E000-memory.dmp

memory/3356-19-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3680-18-0x0000000000400000-0x0000000000455000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 12:23

Reported

2024-06-14 12:25

Platform

win7-20240508-en

Max time kernel

81s

Max time network

81s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DisableNotifications = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" C:\Windows\system32\reg.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Registers new Print Monitor

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Local Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\WSD Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\USB Monitor C:\Windows\system32\reg.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "3" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3" C:\Windows\system32\reg.exe N/A

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\054ABB3E-39C7-45B2-8151-B5F201B5388F\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\07081FAC-DB84-41E3-8A67-13D08AE7AC43\dismhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\Dism.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
N/A N/A C:\Windows\system32\Dism.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ C:\Windows\system32\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key value enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Windows\system32\reg.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\System32\\Fox.png" C:\Windows\system32\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\dismhost.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\054ABB3E-39C7-45B2-8151-B5F201B5388F\dismhost.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\Dism.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Users\Admin\AppData\Local\Temp\07081FAC-DB84-41E3-8A67-13D08AE7AC43\dismhost.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\System\GameConfigStore\GameDVR_DXGIHonorFSEWindowsCompatible = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\GameConfigStore\GameDVR_Enabled = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\DWM\AccentColor = "4286102015" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\GameConfigStore\GameDVR_FSEBehavior = "2" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\GameConfigStore\GameDVR_DXGIHonorFSEWindowsCompatible = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\GameConfigStore\GameDVR_HonorUserFSEBehaviorMode = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\GameConfigStore\GameDVR_HonorUserFSEBehaviorMode = "1" C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = ffe5ceffffd3abfffec691ffffb978ffffab5effff9e44fffe8c21ff88179800 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4284394495" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\System\GameConfigStore\GameDVR_HonorUserFSEBehaviorMode = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\DWM\ColorizationAfterglow = "3305093496" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\GameConfigStore\GameDVR_FSEBehaviorMode = "2" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\System\GameConfigStore\GameDVR_HonorUserFSEBehaviorMode = "1" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\System\GameConfigStore\GameDVR_DXGIHonorFSEWindowsCompatible = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-19\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-20\System\GameConfigStore C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4286102015" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\DWM\ColorizationColor = "3305093496" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SYSTEM\GameConfigStore\GameDVR_DXGIHonorFSEWindowsCompatible = "1" C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\CLSID C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ C:\Windows\system32\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 1880 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1880 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1880 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 2372 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 2372 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 2372 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 2372 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 2372 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 2372 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe
PID 2384 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe C:\Windows\system32\cmd.exe
PID 2700 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2700 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2700 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2700 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 2700 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 2700 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 2700 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2700 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2700 wrote to memory of 2288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe

"C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1FC0.tmp\1FC1.tmp\1FC2.bat "C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe""

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe" max

C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe

"C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe" max

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\200E.tmp\200F.tmp\2010.bat "C:\Users\Admin\AppData\Local\Temp\FoxOS Post Install.exe" max"

C:\Windows\system32\timeout.exe

timeout 5

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\services\Dhcp" /v "Start" /t REG_DWORD /d "2" /f

C:\Windows\regedit.exe

regedit /s "7ZIP.reg"

C:\Windows\system32\powercfg.exe

powercfg -import "C:\Windows\APIs\Cat10IdleOn.pow" 69420228-6969-6969-6969-694202281337

C:\Windows\system32\powercfg.exe

powercfg -import "C:\Windows\APIs\Cat10IdleOff.pow" 70420228-6969-6969-6969-694202281337

C:\Windows\system32\powercfg.exe

powercfg -setactive 69420228-6969-6969-6969-694202281337

C:\Windows\system32\powercfg.exe

powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e

C:\Windows\system32\powercfg.exe

powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "StartColorMenu" /t REG_DWORD /d "4284394495" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentColorMenu" /t REG_DWORD /d "4286102015" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentPalette" /t REG_BINARY /d "FFE5CEFFFFD3ABFFFEC691FFFFB978FFFFAB5EFFFF9E44FFFE8C21FF88179800" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d "4286102015" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationColor" /t REG_DWORD /d "3305093496" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationAfterglow" /t REG_DWORD /d "3305093496" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "StartColorMenu" /t REG_DWORD /d "4284394495" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentColorMenu" /t REG_DWORD /d "4286102015" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentPalette" /t REG_BINARY /d "FFE5CEFFFFD3ABFFFEC691FFFFB978FFFFAB5EFFFF9E44FFFE8C21FF88179800" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d "4286102015" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\DWM" /v "ColorizationColor" /t REG_DWORD /d "3305093496" /f

C:\Windows\system32\reg.exe

reg add "HKU\.DEFAULT\Software\Microsoft\Windows\DWM" /v "ColorizationAfterglow" /t REG_DWORD /d "3305093496" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "24" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc" /v "DependOnService" /t REG_MULTI_SZ /d "NSI\0RpcSs\0TcpIp" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\HotStart" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Sidebar" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Screensavers" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Printers" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet001\Control\Print" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\SYSTEM\ControlSet002\Control\Print" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "33554435" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell set-ProcessMitigation -System -Disable DEP, StrictHandle, SEHOP

C:\Windows\system32\powercfg.exe

powercfg -h off

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection\CameraAlternate\ShowPicturesOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection\StorageOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers\CameraAlternate\ShowPicturesOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers\StorageOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "WinStationsDisabled" /t REG_SZ /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "restrictanonymous" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableLog" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableDpxLog" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableLog" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableDpxLog" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "EnableHIPM"| FINDSTR /V "EnableHIPM"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "EnableHIPM"

C:\Windows\system32\findstr.exe

FINDSTR /V "EnableHIPM"

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableHIPM" /T REG_DWORD /d 0

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableDIPM" /T REG_DWORD /d 0

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableHDDParking" /T REG_DWORD /d 0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "IoLatencyCap"| FINDSTR /V "IoLatencyCap"

C:\Windows\system32\reg.exe

REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "IoLatencyCap"

C:\Windows\system32\findstr.exe

FINDSTR /V "IoLatencyCap"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Enum" /S /F "StorPort" | findstr /e "StorPort"

C:\Windows\system32\reg.exe

reg query "HKLM\System\CurrentControlSet\Enum" /S /F "StorPort"

C:\Windows\system32\findstr.exe

findstr /e "StorPort"

C:\Windows\system32\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Windows\System32\Fox.png" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_networkadapter get GUID

C:\Windows\system32\findstr.exe

findstr "{"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3451AD88-B19B-4892-93B7-28ACA640EE01}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_networkadapter get GUID

C:\Windows\system32\findstr.exe

findstr "{"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3451AD88-B19B-4892-93B7-28ACA640EE01}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_networkadapter get GUID

C:\Windows\system32\findstr.exe

findstr "{"

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3451AD88-B19B-4892-93B7-28ACA640EE01}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-NetAdapterBinding -Name * -ComponentID ms_msclient, ms_server -Enabled $false

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "ExtPropDescSemaphore" /t REG_DWORD /d "0" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IoLatencyCap" | findstr "HKEY"

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IoLatencyCap"

C:\Windows\system32\findstr.exe

findstr "HKEY"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrLevel" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrDelay" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrDdiDelay" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrDebugMode" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrLimitTime" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrLimitCount" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "DisableBadDriverCheckForHwProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "MaximumRecordLength" /t REG_QWORD /d "0x00d088c310000000" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "SystemAudioGain" /t REG_QWORD /d "0x1027000000000000" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneGain" /t REG_QWORD /d "0x1027000000000000" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "KGLRevision" /t REG_DWORD /d "1824" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "KGLToGCSUpdatedRevision" /t REG_DWORD /d "1824" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioEncodingBitrate" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "CustomVideoEncodingBitrate" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "CustomVideoEncodingHeight" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "CustomVideoEncodingWidth" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalBufferLength" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalBufferLengthUnit" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureOnBatteryAllowed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureOnWirelessDisplayAllowed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VideoEncodingBitrateMode" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VideoEncodingResolutionMode" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VideoEncodingFrameRateMode" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "EchoCancellationEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKToggleGameBar" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKMToggleGameBar" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKSaveHistoricalVideo" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKMSaveHistoricalVideo" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKToggleRecording" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKMToggleRecording" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKTakeScreenshot" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKMTakeScreenshot" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKToggleRecordingIndicator" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKMToggleRecordingIndicator" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKToggleMicrophoneCapture" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKMToggleMicrophoneCapture" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKToggleCameraCapture" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKMToggleCameraCapture" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKToggleBroadcast" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "VKMToggleBroadcast" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\System\GameConfigStore\Children" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\System\GameConfigStore\Parents" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_USERS\.DEFAULT\System\GameConfigStore\Children" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_USERS\.DEFAULT\System\GameConfigStore\Parents" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-18\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-18\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-19\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-19\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-20\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_USERS\S-1-5-20\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\DmaGuard\DeviceEnumerationPolicy" /v "value" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\pci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Services\pci\Parameters" /v "DmaRemappingOnHiberPath" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\storahci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Services\storahci\Parameters" /v "DmaRemappingOnHiberPath" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\stornvme\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Services\stornvme\Parameters" /v "DmaRemappingOnHiberPath" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\USBXHCI\Parameters" /v "DmaRemappingCompatibleSelfhost" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\USBXHCI\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "Welcome to FoxOS, Custom Windows for Gaming. The ISO Was Made by CatGamerOP" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d "The ISO is free and is NOT for sale. You can download it from the official FoxOS Discord Server https://discord.gg/4Gg8n6WhPN. IF YOU PAID FOR THIS ISO, YOU WERE SCAMMED, DEMAND A REFUND." /f

C:\Windows\system32\bcdedit.exe

bcdedit /set {globalsettings} custom:16000067 true

C:\Windows\system32\bcdedit.exe

bcdedit /set {globalsettings} custom:16000068 true

C:\Windows\system32\bcdedit.exe

bcdedit /set {globalsettings} custom:16000069 true

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} description "FoxOS W11"

C:\Windows\system32\bcdedit.exe

bcdedit /set bootmenupolicy legacy

C:\Windows\system32\bcdedit.exe

bcdedit /set quietboot Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set bootux Disabled

C:\Windows\system32\bcdedit.exe

bcdedit /set bootlog no

C:\Windows\system32\bcdedit.exe

bcdedit /timeout 10

C:\Windows\system32\bcdedit.exe

bcdedit /set disabledynamictick Yes

C:\Windows\system32\bcdedit.exe

bcdedit /event off

C:\Windows\system32\bcdedit.exe

bcdedit /bootdebug off

C:\Windows\system32\bcdedit.exe

bcdedit /set debug No

C:\Windows\system32\bcdedit.exe

bcdedit /set ems No

C:\Windows\system32\bcdedit.exe

bcdedit /set bootems No

C:\Windows\system32\bcdedit.exe

bcdedit /set hypervisorlaunchtype Off

C:\Windows\system32\bcdedit.exe

bcdedit /set vsmlaunchtype Off

C:\Windows\system32\bcdedit.exe

bcdedit /set tpmbootentropy ForceDisable

C:\Windows\system32\bcdedit.exe

bcdedit /set nx alwaysoff

C:\Windows\system32\bcdedit.exe

bcdedit /set integrityservices disable

C:\Windows\system32\bcdedit.exe

bcdedit /set allowedinmemorysettings 0

C:\Windows\system32\bcdedit.exe

bcdedit /set perfmem 0

C:\Windows\system32\bcdedit.exe

bcdedit /set isolatedcontext No

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue useplatformclock

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue usefirmwarepcisettings

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers" /v "Adobe Type Manager" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\System\ControlSet001\Control\Terminal Server\Wds\rdpwd" /v "StartupPrograms" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\services\Beep" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\services\npsvctrig" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\services\wanarp" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\services\Wanarpv6" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".tif" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".tiff" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".bmp" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".dib" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".gif" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jfif" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jpe" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jpeg" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jpg" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jxr" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".png" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.tif" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.tiff" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.bmp" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.dib" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.gif" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.jfif" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.jpe" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.jpeg" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.jpg" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.jxr" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Classes.png" /ve /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f

C:\Windows\system32\sc.exe

sc delete CompositeBus

C:\Windows\system32\sc.exe

sc delete NdisVirtualBus

C:\Windows\system32\sc.exe

sc delete umbus

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Servicing\StartComponentCleanup" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Recovery Environment\VerifyWinRE" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\EDP\StorageCardEncryption Task" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\BitLocker\BitLocker Encrypt All Drives" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\BitLocker\BitLocker MDM policy Refresh" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\ApplicationData\DsSvcCleanup" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\International\Synchronize Language Settings" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\InstallService\ScanForUpdates" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\InstallService\SmartRetry" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\PI\SecureBootEncodeUEFI" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\PI\Secure-Boot-Update" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Registry\RegIdleBackup" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Shell\ThemesSyncedImageDownload" /disable

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask" /disable

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "\Microsoft\Windows\Application Experience\AitAgent" /f

C:\Windows\system32\label.exe

label C:FoxOS W11

C:\Windows\system32\Dism.exe

DISM /Online /Remove-Capability /CapabilityName:Browser.InternetExplorer~~~~0.0.11.0 /norestart /quiet

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismhost.exe {C5C28E21-7CDA-47FE-95E4-29ABDF97D745}

C:\Windows\system32\Dism.exe

DISM /Online /Remove-Capability /CapabilityName:MathRecognizer~~~~0.0.1.0 /norestart /quiet

C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\200BD1A3-0F72-4902-96CB-47A043D40AEB\dismhost.exe {7826729D-A105-448D-B3C7-2C5453000073}

C:\Windows\system32\Dism.exe

DISM /Online /Remove-Capability /CapabilityName:Microsoft.Windows.PowerShell.ISE~~~~0.0.1.0 /norestart /quiet

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\dismhost.exe {87D56D7A-42A4-4526-BD4B-6BA8ADD44621}

C:\Windows\system32\Dism.exe

DISM /Online /Remove-Capability /CapabilityName:OneCoreUAP.OneSync~~~~0.0.1.0 /norestart /quiet

C:\Users\Admin\AppData\Local\Temp\054ABB3E-39C7-45B2-8151-B5F201B5388F\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\054ABB3E-39C7-45B2-8151-B5F201B5388F\dismhost.exe {C7129D68-5606-4344-8F3D-9FD53728FE8D}

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" /ve /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "AlwaysHibernateThumbnails" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "UserPreferencesMask" /t REG_BINARY /d "9012038010000000" /f

C:\Windows\system32\Dism.exe

DISM /Online /Set-ReservedStorageState /State:Disabled

C:\Users\Admin\AppData\Local\Temp\07081FAC-DB84-41E3-8A67-13D08AE7AC43\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\07081FAC-DB84-41E3-8A67-13D08AE7AC43\dismhost.exe {CE14AE78-CBC7-44CC-AE30-A9024964981A}

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /disable

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\mcupdate_GenuineIntel.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\mcupdate_AuthenticAMD.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\mcupdate_GenuineIntel.dll" /grant "PUMARTNR\Admin":(F) /t

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\mcupdate_AuthenticAMD.dll" /grant "PUMARTNR\Admin":(F) /t

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f

C:\Windows\system32\netsh.exe

NetSh Advfirewall set allprofiles state off

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Win32kWPP\Parameters" /v "LogPages" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Win32kWPP\Parameters" /v "LogPages" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Win32knsWPP\Parameters" /v "LogPages" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Win32knsWPP\Parameters" /v "LogPages" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\USBHUB3\Parameters" /v "LogPages" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\ControlSet001\Services\USBHUB3\Parameters\Wdf" /v "LogPages" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule" /v DisableRpcOverTcp /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v DisableRemoteScmEndpoints /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDisableCdm /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fAllowToGetHelp /t REG_DWORD /d 0 /f

C:\Windows\system32\change.exe

Change Logon /Disable

C:\Windows\system32\chglogon.exe

"C:\Windows\system32\chglogon.exe" /Disable

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_C09E690C3F322367E058F9F0FC90C11A" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn \MicrosoftEdgeUpdateBrowserReplacementTask /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn \MicrosoftEdgeUpdateTaskMachineCore /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn \MicrosoftEdgeUpdateTaskMachineUA /F

C:\Windows\system32\sc.exe

sc delete edgeupdate

C:\Windows\system32\sc.exe

sc delete edgeupdatem

C:\Windows\system32\sc.exe

sc delete MicrosoftEdgeElevationService

C:\Windows\system32\reg.exe

reg delete "HKLM\System\ControlSet001\Services\edgeupdate" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\System\ControlSet001\Services\edgeupdatem" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\System\ControlSet001\Services\MicrosoftEdgeElevationService" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Remove-AppxPackage Microsoft.Windows.Ai.Copilot.Provider_1.0.3.0_neutral__8wekyb3d8bbwe -AllUsers

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force

C:\Windows\system32\shutdown.exe

shutdown /r -t 5

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2596-0-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2596-1-0x00000000001D0000-0x0000000000225000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1FC0.tmp\1FC1.tmp\1FC2.bat

MD5 e65ecbded7ee62eac92c5504794afa5c
SHA1 0658896800ac07dc524233379205d6cd6afe5564
SHA256 d8a02753414704b4443e018aced0b5c8d6071dc35e07cabc4836e3ec7954cdb9
SHA512 bce4f7eaf21fffaa421d21220f5601ce4aad85de55d1ebf6550282955a1651c757819a114a605ad04974d2987573b7be2bc0dc5130e41fa1be70e1fd306c6f0c

memory/2596-6-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3056-11-0x000000001B570000-0x000000001B852000-memory.dmp

memory/3056-12-0x0000000001F70000-0x0000000001F78000-memory.dmp

memory/2596-13-0x00000000001D0000-0x0000000000225000-memory.dmp

memory/2384-14-0x0000000000400000-0x0000000000455000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c9b73a3f2c8e37ef25ceb9c73b35f31b
SHA1 2e16be201c52b239bad09df7ebb35df4ca8af594
SHA256 1f16fa61c6abef83654bdbce595a3b2f622f9d773d3ac1afb7e7f80add59a406
SHA512 4f8cc1a9d3e485f23943c7b185044ea60589c941ab54222353461320204d1581991c6c114fee3a7d6a1b61762afef63aff4cc86c22bc2cddbe798dbe6ca82615

memory/2492-20-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2492-21-0x0000000001F40000-0x0000000001F48000-memory.dmp

\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\DismHost.exe

MD5 9a821d8d62f4c60232b856e98cba7e4f
SHA1 4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5
SHA256 a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525
SHA512 1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\DismCorePS.dll

MD5 5488e381238ff19687fdd7ab2f44cfcc
SHA1 b90fa27ef6a7fc6d543ba33d5c934180e17297d3
SHA256 abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0
SHA512 933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\wdscore.dll

MD5 7b38d7916a7cd058c16a0a6ca5077901
SHA1 f79d955a6eac2f0368c79f7ba8061e9c58ba99b2
SHA256 3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce
SHA512 2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\dismprov.dll

MD5 8ca117cb9338c0351236939717cb7084
SHA1 baa145810d50fdb204c8482fda5cacaaf58cdad0
SHA256 f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54
SHA512 35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\OSProvider.dll

MD5 e7caed467f80b29f4e63ba493614dbb1
SHA1 65a159bcdb68c7514e4f5b65413678c673d2d0c9
SHA256 2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c
SHA512 34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e

\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\CbsProvider.dll

MD5 efcb002abc3529d71b61e6fb6434566c
SHA1 a25aca0fc9a1139f44329b28dc13c526965d311f
SHA256 b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd
SHA512 10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687

C:\Windows\Logs\DISM\dism.log

MD5 3e0d968557f8487f2063c5d0eaf40d01
SHA1 bf8f791ac16d357d187d10956c719c7909ea90c1
SHA256 6483c76799e018ed5783d36dc8c6066221af2ae0df9f8214e59ee0ee6c74d2ed
SHA512 8ee169366199f522fa49a8d5998c4a5266cf8ba44bc05d9217b37299e903ad8975a81672f683679e10a73b43ff547ebc32bb67035f46d604dfe5c2aa566adcb8

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\CbsProvider.dll.mui

MD5 724ee7133b1822f7ff80891d773fde51
SHA1 d10dff002b02c78e624bf83ae8a6f25d73761827
SHA256 d13f068f42074b3104987bfed49fbf3a054be6093908ed5dea8901887dddb367
SHA512 1dfd236537d6592a19b07b5e1624310c67adff9e776e6d2566b9e7db732588988f9ae7352df6c3b53c058807d8ed55fafc2004a2d6dc2f3f6c9e16445699f17b

\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\LogProvider.dll

MD5 62de64dc805fd98af3ada9d93209f6a9
SHA1 392ba504973d626aaf5c5b41b184670c58ec65a7
SHA256 83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc
SHA512 7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\CompatProvider.dll

MD5 6a4bd682396f29fd7df5ab389509b950
SHA1 46f502bec487bd6112f333d1ada1ec98a416d35f
SHA256 328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb
SHA512 35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\CompatProvider.dll.mui

MD5 9085b83968e705a3be5cd7588545a955
SHA1 f0a477b353ca3e20fa65dd86cb260777ff27e1dd
SHA256 fe0719cf624e08b5d6695ee3887358141d11316489c4ea97d2f61a4d2b9060cd
SHA512 b7f12f7ac1e6942f24f4bf35444f623cc93f8a047ebc754b9599d5df16cab4d3745729d11b4a3abfdc06a671e55ac52cac937badd808825906f52885f16f2c1c

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\DismCore.dll

MD5 f2b0771a7cd27f20689e0ab787b7eb7c
SHA1 eb56e313cd23cb77524ef0db1309aebb0b36f7ef
SHA256 7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f
SHA512 5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\dismprov.dll.mui

MD5 9bc5d6eb3e2d31bbdbffe127a1b3cdbf
SHA1 b253025c442aefe338b4c7ebea2f7d808abc9618
SHA256 55e9ae098def76e7388d7d069746dbd136ae243357ece23b77f2365f0b2ff76f
SHA512 f9968554737d181d4b7d0366f40f0c9a2039b59796986964413fa08f031f5529411b2741eb8ea3d8c312112b2038e6a58d891d090a42672c3d1c782b859f2e08

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\DmiProvider.dll

MD5 fc2db5842190c6e78a40cd7da483b27c
SHA1 e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0
SHA256 e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82
SHA512 d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\DismCore.dll.mui

MD5 f18044dec5b59c82c7f71ecffe2e89ab
SHA1 731d44676a8f5b3b7ad1d402dfdbb7f08bdc40c6
SHA256 a650578a4630e1a49280dc273d1d0bbdca81664a2199e5ab44ec7c5c54c0a35e
SHA512 53c23acddab099508b1e01dcc0d5dc9d4da67bc1765087f4a46b9ac842de065a55bac4c6682da07f5a1d29a3d0c1d92a4310e6b0f838740d919f8285911fa714

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\DmiProvider.dll.mui

MD5 ee8c06cd11b34a37579d118ac5d6fa1d
SHA1 c62f7fb0c6f42321b33ea675c0dfd304b2eb4a15
SHA256 6991fb4bfd6800385a32ac759dd21016421cb13dca81f04ddcaf6bf12a928ccc
SHA512 091cfa7d9b80e92df13ba829372dfb211214f4221e52fbf3f558ebb7f18736ad9ad867ea0d0ddf8938def1b4db64a12d0df37c2eaf41727b997f4905dd41fed1

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\FolderProvider.dll

MD5 c9d74156913061be6c51d8fc3acf8e93
SHA1 4a4c6473a478256e4c78b423e918191118e01093
SHA256 af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37
SHA512 c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\FolderProvider.dll.mui

MD5 cab37f952682118bac4a3f824c80b6ac
SHA1 6e35b4289927e26e3c50c16cbf87eb3ac6f3b793
SHA256 14bec7c4bb6cf1ee9049ef8820ec88bf78f2af75615f7a3fb265ef4b45c30e4d
SHA512 de9089adaa85f37201526b8619f697be98a7d05353b21b6d835f4d56803732380316359ba8b3c8ca7c14a9bf7cf31a7eff3c866a8f303ef737eb63573e01aa19

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\IntlProvider.dll

MD5 bbb9e4fa2561f6a6e5ccf25da069ac1b
SHA1 2d353ec70c7a13ac5749d2205ac732213505082a
SHA256 b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1
SHA512 01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\IntlProvider.dll.mui

MD5 0bffb5e4345198dbf18aa0bc8f0d6da1
SHA1 e2789081b7cf150b63bad62bac03b252283e9fe5
SHA256 b7bcc0e99719f24c30e12269e33a8bf09978c55593900d51d5f8588e51730739
SHA512 590e8016075871846efff8b539e4779a1a628de318c161292c7231ca964a310e0722e44816041786c8620bff5c29ff34c5f35733ee4eac74f3abfae6d3af854a

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\LogProvider.dll.mui

MD5 f909216cf932aeb4f2f9f02e8c56a815
SHA1 c5cafe5f8dad60d3a1d7c75aa2cf575e35a634f2
SHA256 f5c89ba078697cdb705383684af49e07cdd094db962f0649cad23008ae9d6ce2
SHA512 5dca19d54f738486085f11b5a2522073894a97d67e67be0eadbe9dc8944e632ae39b24499d7ff16e88d18166031697a238ead877f12cbb7447acca49c32a184a

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\MsiProvider.dll

MD5 45ff4fa5ca5432bfccded4433fe2a85b
SHA1 858c42499dd9d2198a6489dd310dc5cbff1e8d6e
SHA256 8a85869b2d61bad50d816daf08df080f8039dbeb1208009a73daa7be83d032bd
SHA512 abbe0f673d18cc9a922cfd677e5b88714a3049ad8937f836b5a8b9bddac5ddbad4dc143360efc018dcd3a3440aa3e516b1a97f7cd2fa9a55cb73739dedef1589

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\MsiProvider.dll.mui

MD5 17fac8ab2dfbaba2b049ec43204c1c2f
SHA1 d484ea7c6f749debf92b132765d2fd56f228db73
SHA256 f4d277aaa8d0bed0afcd1b703ee4c28c86313075e291b6addbdfd6202eb3777e
SHA512 ff7969adbc53fd2f5dccd3842b46a2517904d524020e69bb21271cd8ddc0cfddfd3f791741589b17b740d5d013cf14ed28b5af50d37d960c955adfd6b99e50cc

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\OSProvider.dll.mui

MD5 f0588e200554aed003667c04819cce32
SHA1 dacbdc53bd297cd818ea954f5a47de6e84212108
SHA256 40fe7b6631d11b5519f051ff0a0ade1cb0de524fb4904114067e71b729c38eba
SHA512 99d9372a452a1b908f55d204a2b85addaa11fe49bb0b9c0d36a131c1cad254e9fb8a3b952572111d68a78fdbf41782dbe78d8cb20165676aada496113e4899eb

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\SmiProvider.dll

MD5 fe447d1cd38cecac2331fa932078d9a0
SHA1 ebd99d5eb3403f547821ce51c193afc86ecf4bcf
SHA256 05fe0897be3f79773c06b7ba4c152eec810fd895bf566d837829ec04c4f4338d
SHA512 801e47c6c62a2d17ed7dd430a489507faf6074471f191f66862fd732924ad9a4bd1efe603354ed06d16c4d5c31a044126c4cc2dbbd8ffece2ed7632358ee7779

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\SmiProvider.dll.mui

MD5 f842303ef440381939fc34df425f8392
SHA1 92debf4ae2d86a123002a104d0e9ad4981ab6d59
SHA256 b06daf95235bd8b87af3dd06cc0566d7b893fbeaa1d5b39b66566b567c24c51f
SHA512 d72ccd42da7506cbfbe5db1af03f6d95f8a9c43e11e9f7f24abadd5e98907ad1f976c626a53ed96ad4b5aa24534f019a1ac7ec8ace9a785035dabc72ffc6e18b

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\TransmogProvider.dll

MD5 739968678548ba15f6b9372e8760c012
SHA1 691b09af08b64b01c3db7ffe2aa625c9be375686
SHA256 4ce7afb5c5a44c4c9d0119d7306134e3412467bddcbf5b7da2786e5d64528d11
SHA512 8075d3ce9e462777b143fad03f25ddb6cc8b5e2512aa475850eba39a5ef3be3364e7704620b8c444449bbe143b6ffa307428b93bc5e7e0b5738cf36aaf0c969b

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\TransmogProvider.dll.mui

MD5 99b5c7999e839ffd6c8ca930ceffee53
SHA1 fd9bafc43010a3c58fa0d09da98842e314de0b28
SHA256 b3e31abbb5626a81598e7adae0f3c9ad34057f96f88ee85b4e8829698385adba
SHA512 a53a4eb2a4c55ce50d7b0a855f9ff82784462f96556457cea72c25afefd4e4ca6725ef279c9cbba85c6d620c70a3f1f511cab495982415fe24dbf07a46651855

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\UnattendProvider.dll

MD5 8d3855b133e21143e8b4bfadb9fb14a3
SHA1 25d729e8455a1f19d0dc59c0962908a146a62935
SHA256 3b3118cb4a65cb27a182d044c7b9cfc17581d3fabab094d174b5e54df4ddf5e4
SHA512 4e67bcc6f6bd396350d550f5564dd9b1d939d8b6a48706280ee5c1b7205579355dfeb5425f99656455d958f6b61ceee3986488d27de824ed5b9ce14e43aea5f5

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\WimProvider.dll

MD5 fc00a05639494779002682a9b965ef9c
SHA1 521c93491aab9ab8523a2792c3add7cc49a2a09d
SHA256 1a63e46f970c815b8612eeac07f79e909b6d8180d34549a338766b4623461bd3
SHA512 cc6b8aeb20e1c71ca616dac7d989d0d41d3441f19851768bb9398bc930460378418fbec509dfe1b0e4c58943b260baf80a65e3964f8c9c5ccf9dce61f2d2d58e

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\UnattendProvider.dll.mui

MD5 2ee061d35f60f177c63a1f6710c7b5a4
SHA1 5205fcef37d9c3d1aff279aa66ed41b6376110f7
SHA256 e53de2552a86c8f2aae033963b51bd2ff938dc176d1be3156db35ad89eac1e82
SHA512 904ff78eed06688afe5c71d40ed832142879aee6a509b1de50274216de60549ecc40a4b89b70533904db2bb70156e79d9ab8c20cc851a559b1a59c35036f0592

C:\Users\Admin\AppData\Local\Temp\D4838580-D6A2-4444-BF23-5D05C96EE1D5\en-US\WimProvider.dll.mui

MD5 d1f01a0d5d8761924a03e8ee3d3c068c
SHA1 997f202bc2b91f97a998e8c9b2579c459f7cae58
SHA256 547c11f2859fdc63afbdbfd80d9b9748730161ff6db2618ccd33b0ba543c63a6
SHA512 1ba92eb28047917309989b17947c000333d820adc87100ce52e3ec8f6b9020d4953107fb527c5cddcbec864646e1abf830bf9826ce57ccbf85a381cf7f4cde65

C:\Windows\Logs\DISM\dism.log

MD5 798177c8f5a59cc60a94f9a4de00c28b
SHA1 0d7d08113fa3350b44c11b77d5ddde388c3bae24
SHA256 bc0af76541fa66ec0d6e9d7a72ee70104a1ae5cf9a4adb8516fe98d2baf0b24c
SHA512 866fa43fc6928ea3932d9d291a99e3dcf88b6bbb3f23a6ec3fcf727bee92e4fc05844e769d3eca236e16a4a0992a0fa71dea218a38965178877a8646eef38a9b

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\CbsProvider.dll.mui

MD5 a8593f3953dc361798428ae419378736
SHA1 965a26cc48b5271194ea57e00318762582412ab0
SHA256 10ce031aec1b7a3922ffe887df030af5ae2c5f42ab7b59fe28ae3a49f52376d5
SHA512 7a442d5471705888f583d82e1fcb9f182b378a6ade20f74e1223ab57ba428dc0a2570c3d8e72eee409cfc965870943896db6f83e6d7fdfceb1205abd56dadd4b

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\CompatProvider.dll.mui

MD5 e2ed75cb662a533b1b0a27d278baaabe
SHA1 864a0dd92d778016692957b9f7a365b7f1e74901
SHA256 6f6e3730e21e1389e25a24e881a9b9ff9d6ec939637f30a16fa44431ae88190e
SHA512 c8633db278a005dd7d1e4f475485b60f0d763fcb423fe76e1a22ee474393b6b4c42808e7fb4f0a4beeaa67fe6664c6d92419d414587c63dfb89d14f6c6f10b13

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\SmiProvider.dll.mui

MD5 028f429173b3e0b6c357f9c81d87ec5f
SHA1 e552f9382e239d2c24f01b701148c1b0a26959a3
SHA256 17d9ad16ec23b87a482f98da2d804548a4e69e6068879569735c1dbf87f261c3
SHA512 56a6c34ed2bed5f75c5ff01b1e528fb9df89f4e8abf325aa7de90fadec50402d4167d92809c6b749245314f3bc6574c80b3f6b75f33c8c560e5ea6d2e27025c1

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\OSProvider.dll.mui

MD5 1f7db98a6867933bc88e6c1ff7ebd918
SHA1 c7f6d6dcaffe4c04a125cf153bcfd735a170afdb
SHA256 561e69cdfce76efb4c08bf9172e4cbe314f53a316f365e0574095c4488fdd89f
SHA512 b1e51e7e468a59685a77fd1177f2ca8b00707b388097d7e7940d4c246fbec5551a10910274390d3b4b6d6c8b8aecaef92f59f503364cad0915979da85ab9f175

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\WimProvider.dll.mui

MD5 7aac51aae672de7bc590e59a220b051e
SHA1 3a9957290599aebb616d9c89109d343f433653cb
SHA256 eb8a8be757de42fad17dd81c10355afa15686a1d6948d74062f04fd643c536ae
SHA512 7950d93bf22bc949044c34bb364a4932bdcda7444c083a2353aa21070542a7f101984d2818adfef8fa2557018616c590ef1611b0801042ff79d4debfb6649e59

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\MsiProvider.dll.mui

MD5 3e73342f014bc24473e4162df00774ea
SHA1 d54e25755e1daa17208656b4dc5193ca76674d4e
SHA256 fd585028e1330b784919478df7655c8f1a7d5ae59482b55ecb8b5581e8220fda
SHA512 5a169c64292d79059fbfe233ec44f01e99c3280eb2405257b8dc6eedcc96cf97f5d709fd8a6e11860738c814eae273a730f0a35c8c554a2118ea7ef3e1524b2f

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\LogProvider.dll.mui

MD5 d760fcc2b268adc3d27de7aace7be81a
SHA1 eb777abef0fd5ba410d58ce04203f30e06d9a49f
SHA256 1281ab3bf652adbb4ac708cbf625da1e7ef14ffbe9f20cbbbdc75482f1bd622f
SHA512 385f069b7ece8cd6a20df3de705f73acbeb46296051cf13c17ee1a751c9e9e56ac58d514a6089e2131d018c0f0b4a5bc17c72cb450fcd6bee1978742852defcf

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\CbsProvider.dll.mui

MD5 c7d9d358e06a37383950334487bf6480
SHA1 5c166c45da530e325c95f8e45cc86bcaa853e4dc
SHA256 e0fe36ea767fd95ab4c2ab362b6d3ea844b1c971329edec486b8d7b557c9c3cc
SHA512 0565032026c25c1f691404f98f6d5dfffdcb3828e6980e6c105d1ea5ba306a8a2760ec545ce9e0326282de9b0884994a7c6ec276dd0cd724f054bbabdac96a94

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\MsiProvider.dll.mui

MD5 a3f88eaccfc8e83332a1f58c965751c1
SHA1 11b8f07948adda70c40750c858e0f3758438cb65
SHA256 cbc087261fba65e12348cb268cbafebb7dd80690c33d7f903f8fc233b3bb0bac
SHA512 a9cdc961a81b96fa561a1dbe0e7a7ad9bfb9b64bf0cd3feb7b45f139d8022b75c48ed0e47d5aca617d3b4d197939b268a5a1e9934c9f84bf9a8f9d51fa9d564c

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\WimProvider.dll.mui

MD5 6b6d992f9362903415949972fa52fda8
SHA1 689b4580ce311c146cba6ea0443993b1d799391a
SHA256 f8424746ce96d036d428772e7781396691f26ac8cc9f2273ecb227a00dd9ad45
SHA512 1b791481f874d8bf50ce332121f0134367e947d17678b89cf9f6f72a92a0dca5d07ccaba2370b14db10a2525eff1d830e895295306f76a06d167901b7c94f23e

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\UnattendProvider.dll.mui

MD5 2138513fe81c0d7c606b277f19e8c6b5
SHA1 1c135d100bb4b82f5dac3039d346f494eb67f3c0
SHA256 c24ede15c308a59d4617296d6cad7d6945f0fdd75ef6e1a9d1dc7a10d94f1440
SHA512 e5f20b0734ece267a94ed047ccb42a73ab996ee74bfb23d16c42b25eed6278c76d8c27190f8221a30d21f0ae5a8ca008ed75bf8fa1f792e84b3a147939ea1c7e

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\TransmogProvider.dll.mui

MD5 ab8855ec06c43167446776cca9ca3f0d
SHA1 a7d711799b9d389d35281dc8b09db935f0519c4f
SHA256 90fd5998db7452c9c015e24a38c5da5b52a853eb84d387f3685104fcc3febcc8
SHA512 c0bcf7984bc5093148de120abf7223329548fa4602ccc8dfcf38bd65f97d30bc2c07ec4b46baabb431e0187f0833bcf1697fbd8f23b54f3e4cf6fae0a3e69705

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\SmiProvider.dll.mui

MD5 bff6a5d020041ba523e21a4471dc8eda
SHA1 638d9a349b98f330dda2443c5a02b1323d856b90
SHA256 768eeed7cbac7f3900e1ca39bf56dcfb643967e19603aa653fbf4a09b977ca3a
SHA512 5a0668009e858d095fa7618e723f6e34ed3ae337608af075dcf22e1797242cfc153a67ccb7096f10b2f8e6979bd96269176ccf9a905130b70410c4dfeca9691d

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\OSProvider.dll.mui

MD5 fdf0faa0d70ff2fcde33722785ce4897
SHA1 1a465b55cc752f4558e74d0eed6c5aabfd9c7161
SHA256 8b9e2d9c2814ea43cf283a1eb827646868eba8ccf8b6764a207ef9fb71dacf00
SHA512 acc8647db3bbda7940f7b59015826f194d8d4ec10b4bb04064d257b116e6ba76ad3c633f9a9ea5f53cc95659e8af08fb409eb2393b756bbfcc1c5f078f556818

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\MsiProvider.dll.mui

MD5 06141bbd52dfa0dac64bf1d20e6f7b11
SHA1 d621071eb4424590a68fe671627a916035b99b68
SHA256 3464127b3fa7bdd831057ceeeb06b8530748771a86fa1536607154dddde22b1d
SHA512 6347221a83894b43dfddc43fdb741e09533501de3aa15f58316f4003ac6551c2f21c1c3b0df236296eb42324c572e5271dbd56fcd0d75d6167c0b48df3e77d0a

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\LogProvider.dll.mui

MD5 56b6cbb1aa40dfa923105f975d60ab17
SHA1 1458cf9d3788a76ca526f223e50517a1bb2cfaca
SHA256 81d1a1d45025ca6ac47ee63ece590c6d964c2b5a3b17b709f127d8570f56ad33
SHA512 4d833334abfa76e382283637a524eca4dcc64e9bfed85232c7915d75ec90de4711832749c14413945d3b632aa3aeea3bbcfd31829dba603d03569b309a1d061a

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\IntlProvider.dll.mui

MD5 339c10b4165e72f50c36fb945bc7696b
SHA1 50a480339e15558f8adcaf99d402db7d560ab4c1
SHA256 87922de31fbfa9477b06c459bb37ce082f0bdd0a6a7ecedfaad6f9b9f0238026
SHA512 9e65d2192d68380645135e9461628002b170a176acde964e6e145f3f48f99d32a8369d93ebff481b2e38b3e90fe28735f54996998f381fe09b778ebfbe4f6d1c

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\FolderProvider.dll.mui

MD5 87267a6260941229500cf48baf4f59fb
SHA1 0fbaa2bd71cd88ae058ddde5ee27759bf2187e04
SHA256 5682e828b3c371eb97a80c2361e44b8efe6e776b3b91afd610abc028a96f3a8c
SHA512 ae2882b908766b80adff1c0edc84d7fb3a3bc9f47dd2b9b453351550da01e48252eda4ae38a5ac8f079d1f9713d9ed5f3a1930de4f24b755a5e75069a36f6ad4

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\DmiProvider.dll.mui

MD5 8e2bed729784eb0e3ac47b6227e8e15e
SHA1 812200501ecf49535fe131d429b02c6429418d37
SHA256 f684b2973758e27b0037da6546520e72f07e3222c6606d50e2afb2ec11fb6861
SHA512 7a7ac1b034390809fdb05bb8d3f32f1af06b2b58c7688e127daf921633a6fcfb8e4fd0dba2e33e3b776179609b4155710077a2dc7d35af149fbb024b4bda12c3

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\DismProv.dll.mui

MD5 4519ab964952d540867aa739ed633678
SHA1 048145bcf9cbf299498c30ff7cd869d77abf7253
SHA256 5e426c22ca4366a0872e8a1dab4084fde657cc97f06e9af2112bf54ef2ff5d5c
SHA512 d857305e379b7d3489cb423b9ca7c572ea62013e85c7b1f88265e4d116c1ed3e8cda5fa817d30fa40aa7a1b718e4a53d3ac9768174ae573726d6dc0a5585ae78

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\DismCore.dll.mui

MD5 44b4b5924ff125d77cf18afd41bc4b6d
SHA1 fe13e911b24a281c29e872e5e90bcc4864536d0e
SHA256 2e049b2af444d725482525a234eb5e95fd03faa81b45b4e06436fb1e8b65efa3
SHA512 b2042df52fd499a2130482e853bb414ec4b1bfe7da04de5aee1d6747b14d4bf8fd682ab7c5648e13da1810adee8d5a6802552db5e0973a9f42f80b9456810f02

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\CompatProvider.dll.mui

MD5 e32051966f93873e14949bbe783ba00f
SHA1 23967095ce1b56d3988697f8a0af5007706df816
SHA256 4c1c4fb00ed369ba5b9ff7af6a1dca42f6d02544e24978c29e078e779ca3e25c
SHA512 9f7362614ee0914d2f4716572b09c40e33a54949cb1e5d6cf54e1e63d1a5fa31d39202d8c40cc46aceca691012a86cb22ad187be5497d2bc1e6d7c55223b1448

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\ja-JP\CbsProvider.dll.mui

MD5 d2fa1cacec5c85b0d331a3871802c1f1
SHA1 74e4ae152142f9d2b593c7929173216b9d308bc5
SHA256 59f0f929905a47ea267f6d2f7b29c3d052dc4d311cf39d67926ecf49f55cce1c
SHA512 cdcaddab1a2035ed16850bfe7595e684e9ea25058e4e0075b5d9a9c8eee9e987cf576cfd9f05d5046f1f88cde49939878d7a99463e194f67f430cfe64679532b

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\WimProvider.dll.mui

MD5 c87ec456b727c78a0701d1e9ec9725c4
SHA1 adcf77ddd1055c95ca74107244d9ecb9d31f60ef
SHA256 bc5fee7a3acd827d5879a6980446e9a9e17e803181b87b9821689415ff82b1c3
SHA512 7d4040332fa637d8f7a4a44933ea66503cc444374e6e65321ec1f832ca56963121f73675ece9ceb0f457d7ecd1683460f853304ec3947096141c09b36c2df9e1

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\UnattendProvider.dll.mui

MD5 4764d3d02b3b379652793b4e7199b1f4
SHA1 39cd731d460d9f7ae6d9b4844111886038f20cdb
SHA256 b7ea5c14fba9db1dbaf28770262641ab588bb18c5349279d725e924b48fe9f86
SHA512 cde2303faf19a9229082fe542125b60f83910dbe0fb675eb9cea5d4da1f2a41ed96444be974dd12e4fbda51437731d82e887dc01a12327ed4d1d666b525b58cb

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\TransmogProvider.dll.mui

MD5 427b7bd1d65a111c2c7abc064ed742fc
SHA1 6d869a81e21102c73c36248b500ab5001f96d57a
SHA256 f8cc90aa8265c48dbd345fc6362a90a64c39fd4655efe52f0f1909fe2973c423
SHA512 8c6980b65d2a9f3c8da5bfccc4e2047845609b97d9ad35f69fa93f4cab4f3a5faf816eb8fab4d855819fe33c7c24d40dbc10aeae1564b4b748bf2624654ad812

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\SmiProvider.dll.mui

MD5 10d603187dc14fda7711b4f46f146930
SHA1 98259f732f69d931f8acc4103b231947418c1527
SHA256 1eebfc8bcfde8d41d484e49ba3ed2d247cfdc339cd8d04dce304cba2f3d4e427
SHA512 1795a6aa9fccc0dd99e104d4f5275052b679571eae8181eee15175dd37b253f36665656c99565042081c5fdd2136fafb100f67ce5ff5a7c508006d8e4051af25

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\OSProvider.dll.mui

MD5 9493a8f48a72a01dc0784eb7e14ea98a
SHA1 3b1f3ee2a36c789dfc77faba06fb8d26257e0181
SHA256 0ee6cd54b411fa59321e5b4f8af36b5a4cc9e8dc09b57082fa5dc96f99e63f91
SHA512 c2d510e794e4be9225a6bc7230d8eb4029cff5c414d4a003c9940b94f30c5dc8a36359b15620e3f43f113ce5aa983c6290dbec753d90e908eab1134aa610ccce

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\LogProvider.dll.mui

MD5 752a17162120c5235e9d751079d8c87e
SHA1 f6d7734f5930f4ebcc35f8e9769798577345d98b
SHA256 a4ed4294971449b28a00baa9172eafb6ef5208fa4247979236daec050e330a01
SHA512 9b09381000d47188d43770b67b38e4f33840c2db63e0311f3c6e9a48f5894f58edaf1b3c6e5e6e5c7ef21595bb77be667ff03fe362561688f266eb43608e2b2d

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\IntlProvider.dll.mui

MD5 e27352fbc38cb2befff8da1bb6f1ef28
SHA1 de6df956bdf033178b58896ed1fefa06c4de3864
SHA256 74424b8d53f786e4ce676ef32ad52bd7a89de39c2b6e33b0647072dbe606353d
SHA512 1c7a56824c18cf3098afa289d012599803403ba8a511bb80b72f781b223d07ff299032d32c039b02321f50738ec6271f73a8ff5217609ab6ffb3423adaa98189

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\FolderProvider.dll.mui

MD5 aec0ad2dfd83cb33488e919a1a7cdb90
SHA1 b87a1de5e8393451da93525c25b8024c8772472d
SHA256 f315f52c2b8164ec5a9e16fd69ac2a16e2065594e2a5a186c748ff51187b57bb
SHA512 9518430d0a7da74a81fceb97dfacc580bd997c8216d2312386dd6a58fc73146e7873a4fadf31f0a1635993cca2eaf5def7fd335e3186feea896048b8ac05dbdf

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\DmiProvider.dll.mui

MD5 f1bc478634d2bfd8c95705c36193566c
SHA1 3ce7a7ca8402e0395ee739b4e9cfbe213c8fa05e
SHA256 1bd7f07a49b4daa467917b75ab132231424b5fe3e298c05f0fa6261750d8b34a
SHA512 3ea9e9746a1c63be163cdc82651b5d99c594d05e63aab9dc360a8df18591d071ee93ef91dd14053c3d83b0ec4f0195ce3e3fbf98a9fadac447594bc8c87afc3e

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\DismProv.dll.mui

MD5 f53a2bd4c501391996c0ea7e2bcefbba
SHA1 8403863a84d85a277320ed32819c87a5c69c5055
SHA256 54c1b9ec7b6703bfad9ce326a8a9cb59d07394c625be79b8f3e2bba2790033a7
SHA512 7edab3a070149ef45874893f91875a3a0e2db5df9d175e6643afad7a0308bcb6ad9821abb9194f4c43718e108b62e020a381bd0cbaf9899aee5cb64c6c8401fe

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\DismCore.dll.mui

MD5 5eb61a07479acb75e0cf377e26bc3ed1
SHA1 37492f0de4f3d5bca366aef6a8617da913d9de28
SHA256 a44ef89886da91d494753c182fc9720989cf807343e5fd3b624d9c50184f43fd
SHA512 6f204e433f7592c24c47b5f17858ed0e5e8ab5c99d07df4ed4dadac79a9d374f69db10d51428b5d82c03bdd8053d0896a53a8220b8086547d290b076b8751400

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\CompatProvider.dll.mui

MD5 c05117393db140c3c092bf58480158d3
SHA1 efaa725ee15741342bd316ae8129fe51a0224aab
SHA256 e18b7b8d1814bd432f22e800a809613cc665843a4d839166758d51dd12544448
SHA512 0f671c7d974258495e5b9a08eb66cffa8308f9ff0be5c84966a4ebe02e10198a417ec0ee75fe06fb56544b998638a7a2e802db935637bebe53d369640c98ebe2

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\it-IT\CbsProvider.dll.mui

MD5 479a5d72bcd4151b264c3328227eff79
SHA1 c81fd11c8429ad092430d4ef94581e7bad7ceadc
SHA256 19644ee8a97bd4df04e5045513e4dfcfe815ab31bcf7922fbf4ee0fa1e66e996
SHA512 5ffd8f328ea70553181b3a7b4b17420cc3409c8ac08b066914b7041f7277d55967ac7acb1edb26192cb2611ea99c10ad36f35a817c6c14765fb3a7271194e872

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\WimProvider.dll.mui

MD5 4085ae2fc752c6bad62f63ec066ab7fa
SHA1 a32a0bd6392193c65f104b46b74004bb8456caba
SHA256 cf234ae60e54a34fef4a1cb0bfda8a56fb765cd7491c7ec923d845e7a0514510
SHA512 dae262246c44c0363ba0ff062069b63b7efc3a32d3f6b59350289b7a0d33ec74e4d770de9cb99157cbe8830d44ab4c4aea1df0ebb436f78f97a36e500331cd76

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\UnattendProvider.dll.mui

MD5 41f38e4205e69e65b8d4d05842162b04
SHA1 8049a39c21723907b8ceee915d0e178f005a795b
SHA256 36de13257d10a41a230b3763db43dd087c8e639e03cd13f31d3faf6c04fdb619
SHA512 a4cf4807f2559a43428830d7a1d04f12c26e53e90dda44625a991e77f492d692171837aa7e441cb13b43a4fd4a33f159d40bad019f8486294bc7a99a00996696

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\TransmogProvider.dll.mui

MD5 e554f184a5105eba4e93b1365bc94510
SHA1 b781112d6adac4124c9865b16ba406285ba1acbf
SHA256 b43fd94a2e3e14b2d7e1abb09fbe9e67959ec6a015534c4c85f6515ddf054a51
SHA512 1b3ff0bc8354848b72089a235e92564d8e7a2bbeb6f9d617e3999d8315078bee0088f53ad03e040493134b0045315fab223163b46f806a9c2091a731c57e8a3f

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\SmiProvider.dll.mui

MD5 dc4bd0a2d860ee6e65545b576b5adbbe
SHA1 cfa6ec7158c571449678ffbba571bb71262d1812
SHA256 a76f94da8f7c2f92d01a81e22e40f79a718a4c7d1e1f78e1a1fa56c9faffbb33
SHA512 1e78042218d0902911fcd3c8430288210574e91995b4d92f818f8c9d55f95396ec0265e7d753681cf0512fbf557a2949e3cff14852678c439bfe9050a4b1419f

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\OSProvider.dll.mui

MD5 773987c811561bc3d8c9e77482e91176
SHA1 7f80d0aa65d5f58e726e6583d50d44e1462a5161
SHA256 e9c7eb8775580db7007d759a9276faae2812ead47fd94e498d1040e0296ce9c1
SHA512 f1e0fcc412be10dc80d736fda64cba3b376f156768ebe881965b932ced0da03a8d2415b824845f232d1ce4458047e478c11d4c56a26adccb887261fee62c8fda

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\IntlProvider.dll.mui

MD5 6acea3da64a29336d9320ec8c8ca2c28
SHA1 374a7022980cc8a295f77ecef9df9767f5dbf039
SHA256 5b9521c456d083150187422c8978b0be0700d1cc4ca9481174574983c050c73d
SHA512 98367a0db5939ec3463c6b8166bb52a3f70c6946003d999ae797f067d0f1eb3e59bceda84b9e3d698e89fecb18887107844ae99c3177c4c68d716ff1c335d86c

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\MsiProvider.dll.mui

MD5 d1b830da7644159087b20b2f761a0f22
SHA1 89a863f7cacaed794bc83fadad38919365bfa1be
SHA256 fea03948154154a4a65b6e3615498b824d7e399745f4200b6ae8f7f8d53ee8a0
SHA512 6b61ef20c4f08c973d0f4401d666caf7285550ed2a18b6585d0e2176b5d357607e56fa735040a2ff460f46e67c18c2fef3764944b2a0207e6ecd5114de3bfdd9

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\LogProvider.dll.mui

MD5 35dd9127a2d7cb7cc3b18257c7003708
SHA1 dc3164595d594ac08bea1cad0904643408e07f25
SHA256 d2dc5101855b209aeeda600e61d1cf5977b84d211a480825e7c9d4f972a41260
SHA512 78d3c6c80a6d50892d3db464874477e680edffb74603a6fbb3f419a829ec0bfcfd2579d80bfb5ce8149a1d3535321f5df2cf9f606e2749bda9e1df4cb547e3df

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\FolderProvider.dll.mui

MD5 868067be818b400b73b12a2b440046dc
SHA1 5010a6f6804b10388f9510cfcae3e0b1805c3e49
SHA256 8d25458835b17edeae4b54366217b013326ff552b31fc00b09d4c22045139c44
SHA512 307365fcdc7fbb6ad87e6902e00fbd406f58389c1ba39bfa16eb36a0d307f9af4bfcc8de209ee790a4ba4ab7c47873f4befea06ee3b8c612b5ee3d11eaa9c8c5

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\DmiProvider.dll.mui

MD5 a046c1accc091c23cea8837dc0acf9e8
SHA1 22efa3bf72c9c8ff5f4c7a38193075f684319666
SHA256 a84370c3c5d0fc905783716c2cf975e003b697370fc03a142c2e3b083562e504
SHA512 50f80af0f1813c75e567b910a083ae709cb397fae74ddbd8971207379b08ed961d1643c4fb59d950393d541c858ae236cf91ba048435ca3c3beeea52b547fa54

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\DismProv.dll.mui

MD5 b2c55a132143e2fb7fb73d1afab61b0b
SHA1 ca5f669ae3aa621c909d1fddae2acce52261b4f5
SHA256 74fca9bdc62f899a5abe70a9655fdca1a604a98203bb41f7930fc58cbfd8b229
SHA512 87bb8e33318973adf830f71515dd2bfb8a397f9d69c4c24244cb360f083ea799d66ef74c457ef73e00fb47c44eee9d5452e137f59ccc3f1cc245b4a641833185

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\DismCore.dll.mui

MD5 51e9ede9abf1a783c9574aceafc14985
SHA1 808d70a7a298126c395560200c71cd680f19284d
SHA256 811aa655faf79ddc002ffc4bae375c360855d20e550bf6b6efc7841ee02c55a1
SHA512 185e7b1b5a152b611fea1ccd9810a254a99a58be67525dff136f3772db5d2cd465c71c4f0e6e7ab2b61955b62bd0d625d782f5b0b8fa586bab94ba98e057ccf5

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\fr-FR\CompatProvider.dll.mui

MD5 4b121e90a279945157e2201f5a458ec5
SHA1 34616d004f64551647c1ba6706a686dcce5021ae
SHA256 1c85604871565626fef312a193d1f1a441e53edb542c511feec95beaddfa395b
SHA512 cef7a433e1790c2b362a178b8ea8f3714a9b22c797a55c04ec7b43cd4b85f62943cc8f43e9314216ab5a1e763d94e972b557d87867b65ffcb670053cb8d42f55

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\WimProvider.dll.mui

MD5 fe8955f6f53a01f1aed902874a5ea49b
SHA1 f146e3f347809e6d290431ee08886baced0fa945
SHA256 b6523a6315c3644bc1919ebcee86f46735152c114e696ec12d9f0a673894d846
SHA512 f29e4c84b2652058f62b0689d76688efba41a9b5a1de4b79f704f36b3e152fa91fc7ed55f33d7764203b134e0f4099bcb0ac448f7d09024852239f51b737523c

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\UnattendProvider.dll.mui

MD5 b9ff3962b5cf7ea1d8478d70104e2db4
SHA1 0dba0516aafa51b0ed682c34bdf7076b4bbff2f8
SHA256 455e27478923bbd5ffb9939a3ee4613f84d1392019df323ab50fe98815d1c1d4
SHA512 bbaf2048dc82e723ca1a7c7f6d3343ebcbc017ff5d38be3a1937bedb41dbc88bc5c2002b62efa8c633b7322985518cfd937cbc1df2692b5021eaf84eda0744de

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\TransmogProvider.dll.mui

MD5 cb887d7f827051a99a9d3be948c9245e
SHA1 764d0ad4a5b95f7a52e53ce7e34131f9b316f68f
SHA256 ec5493668bd61d216794f3a4431e3486ee1aec527c25a78572e8c33043dc6cac
SHA512 ca0ab4191b6431656af365929b3f921770135aee09846ae6e47d2eb25357aaf979a5770e584af42e9448b38e2df1da7764182659f6d409948a90ae42fa4b2581

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\SmiProvider.dll.mui

MD5 23779e3edfc940ca12a9355c6a60f17b
SHA1 ca2a8e861fca97102e523be939c5ab9fecee3c14
SHA256 c86017da045e1d34a201af195498c36e1ac46a6f971a81309d00211cb335c99f
SHA512 ac0bca5329384ace6370fd96692129ad9ab3868bf08fcf44fe61585a2434622ef22fafc63b1468066a919b07c71fc2d439b585f7c38839bb6f284fca2f84a8db

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\OSProvider.dll.mui

MD5 0b2c75ab61104aaa539a4b71c130749c
SHA1 0741150eed0b1fb86be338f30dab8142df280a61
SHA256 55f00f8eceb0dc2b9bee257bcc9f5b3d616480cf1de1a3817f8ad7a811e3aaf7
SHA512 1659332aba01757243ec47321184b10c5a824accbaed5be50213d095d4a89ba23f374cdb19b0d94a2628fbc066a3a5a223614c1f5adffc8a8b76a3c904687e59

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\IntlProvider.dll.mui

MD5 411ca3cc33840ffa316abed6457ea6ff
SHA1 36eae3de75f73826040e108fb0f9ca17465d4e29
SHA256 c61a2385c4394e003590bdca59179945e41d03323cf63a28e42f7079b5300c39
SHA512 83402869d4f5db5446c6fa45e27c2923b2e033477b44e3431ea55911e3442aed7afe143fc343430072e0904cbd751ba012db7327098c4f7e20693645a2f1d094

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\FolderProvider.dll.mui

MD5 8d19655681ad7451b2ca8ea8457d48ae
SHA1 ae626a1f119d0619160290e5090fe08729ea520e
SHA256 97b9498e4a6dcc46fd7ee8077a143bcad4d7b09c4f4b06252250b143d840ec41
SHA512 c4cd1859f6b161aaec3a92f615185c9a10cc2a9109c0174165cec313ebcce7a4412308f8507f19d5f3cfeff3ca1eb4be584f7c1a8591a8970477bdbae323da3e

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\DmiProvider.dll.mui

MD5 f67ebceeedd15d755d18d8bc4e353105
SHA1 eceebc64f715b01b07fd667117fa0a2aa7f1ffaf
SHA256 760c54d7dfbf9d6a5fdb6b3fd7cc25920c72530c6bb3f58450b8c5d1316d7a0d
SHA512 e7087fc8d264b8c5a19a768352500668c57147ec321138ccc158cea17d743b2a790cd0d9285ba2498811920bf466e145788efa9a965dae911ce88b42c0457d6d

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\DismProv.dll.mui

MD5 48f2230b51fcd8ef48b84f741c3ff83a
SHA1 41b3b22e77a5d7e02a7fa0c08c96b4dd2ebc4b5c
SHA256 ed2835088a831fb4d78b9f2c51e98c65cca3d1986fbc5cfc3844c70075202d6c
SHA512 b687a3c44a7fea03b4feaaae3cdf02d1be4ffaf5156a316be87b1232f9cfc82945a6a890097edef5f1dbc0ee0f89496a5cb0c932a13010e9dd6e00d845fee929

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\DismCore.dll.mui

MD5 8b16cbfc9283bc2b09182066152499b1
SHA1 8257f17c80bc79f01d1e3ff1746ba4f2d2930e6f
SHA256 03c33b7efc53976201dbbea12c6e6c25716389e6324a9f262d8f9b88d18d7c86
SHA512 526a7e1fb988ab843765ca553495ec1f247f60c4f51c4a8e36938301d42e14135a20cfefb6fbd6053746bd2dc4fd721edfae161bfcc66351595ebd82a217ea06

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\CompatProvider.dll.mui

MD5 021296761de2de5e4a76ea769a6c88a3
SHA1 b79f715f9dc8bb505103af564840e571fc1b2d31
SHA256 98f3f2e3888ffef2e3498878e741a42dcf0f088a6a884827f49b1c912f380a8f
SHA512 a9777911311a999459e8a3759292ae090ddd990d5cd7f4b5f3ee9a34de637bd4cf5208cd819f602f3685766e755ec252ca282c48cd7294134cd027211418cb48

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\es-ES\CbsProvider.dll.mui

MD5 8337a42ef698bf2a715da6df3a3c2d8c
SHA1 01e41d1fe69f114eea5f08748b3ea36306a482ba
SHA256 93d462da652edb381eac2b2d8738d00be61fc7ea92110b57ad8a36120f17639e
SHA512 a486343f34465b5752dcd9e1b84d86b5ab1498994ec4f99cd3f2fd98745eecae9efae8058e588214648d1dbe31bdfcfb59bebe9eea52c3a0cb953bc272bcab1e

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\UnattendProvider.dll.mui

MD5 a1f2db6136e0320f376185f31424d275
SHA1 648fa8d29a642bb0d85657ebe6ef6727375b8074
SHA256 bfce60c34bd4080f33b88120af9c13f0834261cb5b5468d4c26d92118f25452a
SHA512 9798446eaaf524b9144523b09d5610bdad5a78a6d78fcec2bdd6cc429b260b6996c054012653986ad6d0e53d281838fa3fecae6bae0d0cc7a9d772101557f26d

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\TransmogProvider.dll.mui

MD5 e612a0d21bedc9ab50f05e986fcadc43
SHA1 1c56d63da02876a97bf1aebf34fc26cf451347a6
SHA256 69799dc07bb60de206ac88eaeb9237fe379a8f050dc2e66b7f4873342bddde43
SHA512 96004d0bc3d5792b7c26920683c692dcc5116399a421e48ada57db85b80b6d2548e7866e0042cb2a52692fcbc9da9246935efaaac1110df0208943ead4ad0dcf

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\MsiProvider.dll.mui

MD5 7a8b4bbbc57ac653fddf78e3c5521fbe
SHA1 e2569d8b2b4c702d6e25b595dfc58cd30c7e1052
SHA256 f4744f0a259c8cba081b6a9664f800d770f1cb003287c3aa8c18f104723ac33f
SHA512 82bd9a0ce35bad80481fdb6f0b0bbf31b56a0690c17ae6881447838c28e4c80dd3c2391ddee488799255c4494a4c4def0a8db714eecbd85e2c741394ba5556d1

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\LogProvider.dll.mui

MD5 cdf3eb13e366b7fd677177099c1002a3
SHA1 5881d7c676fc47600b783065d81564faa3f7dde1
SHA256 111005814102baf8de24c0ed4af509abb3467e9d56234559ae647bb4aeac5de5
SHA512 fa988ade063c19e78392dff2eb2a3136480cc92d8cfa621dc59b6dc2d161479afc3565a5f0a9738b7b7462937347ad6dd06793f3c865ff2eb0af8cc830ff678f

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\IntlProvider.dll.mui

MD5 245c87268fb3c5a1f31c6eb387fcc831
SHA1 e333f20d7249a7ec1246237de2fb13f41319e2f3
SHA256 49ba52fdac892af8e4adb38bb4bb7bf4f0e72f1fdb06b1c0cf19e6333a68b6ac
SHA512 5cad478ad3ee77a1cf461c1c32a567cb2b97ae1cee603dba2ed41b24ee6998eceb5c87cfbd1b0163cfab8a062ac46c4d94b24770fc518c01adf3530379ee22c8

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\FolderProvider.dll.mui

MD5 32edc2798d5cb8c3b7ee54e0101499ae
SHA1 06b151358c58c27db89068639bcb13407e71748e
SHA256 8c004078347482498b3a2521a1e9a2b29dec469b7c228172eb0009d2d18defa5
SHA512 8ba0685a24514630ca833bf3da9bdb66a40cdc72742cb7cba1c0e1745594c683d8b29f97a6ba4adfd8913068768bfd6c1d824b76f7da36b6cc2099720c6a8b77

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\DmiProvider.dll.mui

MD5 aa950da44aa0bdd18fe27a91cff1ba30
SHA1 461b8d3e702de807355f00d9db0188b64de50892
SHA256 e1c201b93b88c319f95ff5ce1abd25c936a7673644c34948f4a67a4fe7854d7c
SHA512 ea1414efb080f2fd74fb2fdbed11528e422b6d0a6fc577376bd5fdd2c4528e2bfccc085db683c84bf3d13edf213df6248a45ef3e9313c148258ed950be61778a

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\DismProv.dll.mui

MD5 4fc088056e162c4c907fb1d861b362cc
SHA1 b1e76fd470e0cdc33ccd9c433417ff8a5a49a625
SHA256 0e1ba2d09772b1c488bc73552d6361dffb42fc5e726ed651bd2f59d631871da8
SHA512 40fa7c4cf3f3b55d8408db03a44b239a52ef160d4cb644ee3f4924fdda0b493ca805eb4b20c58e2a807ff6dbb404a4e501d66eb6b9d88358eb7da2f76da873ac

C:\Users\Admin\AppData\Local\Temp\04D1CA3D-51D4-495B-BE43-CC61CA0F1559\de-DE\DismCore.dll.mui

MD5 7a71a95c54e5b8f888c959798e09d8e3
SHA1 9f2f7a2386624bf29f22c709e17a1aeeee9f1061
SHA256 1d6e9933ce0a7e0c08bf2c9e2e3134a3348f806ddaba9f193d7d473ccd13ec7f
SHA512 9288f6c5f46914d9d94fdc298f2c26ad8b5492fff6a19ed705711ac5ee8ceb7cba75986b04d22b26d279e0bda8a160a0ad6be65f992d0b70bfba536585e492f7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YJCSL7TAHMBV7D1204VJ.temp

MD5 d0e4bdfafdf6766deacea00d4df126c3
SHA1 a8c0728b390851e035f8e4c4365a573351df6c72
SHA256 f44347171e65a14dd694490f7ab3dcdcbb15eb4a3fe3b8686cb3497dac103a5b
SHA512 54022c37e7fbe5ee9ef2001ccd9567506faf7001a2d3bbd1c7bbcf47a94aefde33f6c26f295457f395bcab33029f77aa1f051049ef46005ff2c8327637c804e3

memory/2384-1370-0x0000000000400000-0x0000000000455000-memory.dmp

memory/2596-1372-0x0000000000400000-0x0000000000455000-memory.dmp