Windows Analysis Report
TMX.exe

Overview

General Information

Sample name: TMX.exe
Analysis ID: 1503269
MD5: c3ac80cb293b407a4f4065c9fa978b97
SHA1: 9ebb9bc726023abe689bfdf5d7e7be5193896771
SHA256: a4b87f426a36ea97a0f437eea63774f7949fc1f24d293ab9bd79b77fb8355e5b
Tags: exe
Infos:

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
AI detected suspicious sample
PE file has nameless sections
Queries Google from non browser process on port 80
Query firmware table information (likely to detect VMs)
Tries to evade debugger and weak emulator (self modifying code)
Tries to resolve many domain names, but no domain seems valid
Yara detected QueryWinSAT ClassID
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Creates files inside the system directory
Drops PE files
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • TMX.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\TMX.exe" MD5: C3AC80CB293B407A4F4065C9FA978B97)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.3611897583.0000000001439000.00000040.00000001.01000000.00000003.sdmp | Windows_Trojan_RedLineStealer_a7da40b7 | unknown | unknown | 0xb5fa:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000000.00000002.3611897583.0000000001439000.00000040.00000001.01000000.00000003.sdmp | Windows_Trojan_RedLineStealer_d4b38e13 | unknown | unknown | 0x875d:$a: 5B 5D C2 04 00 8B C2 5F 5E 5B 5D C2 04 00 55 8B EC 57 8B 45 08 0F
00000000.00000003.2007533311.000000000882E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_QueryWinSATClassID | Yara detected QueryWinSAT ClassID | Joe Security |
00000000.00000002.3616445614.0000000003660000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_a7da40b7 | unknown | unknown | 0xb67ee:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000000.00000003.1922586734.0000000008826000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_QueryWinSATClassID | Yara detected QueryWinSAT ClassID | Joe Security |
      No Sigma rule has matched
      Timestamp: 2024-09-03T09:30:54.698994+0200
      SID: 2803274
      Severity: 2
      Source Port: 49739
      Destination Port: 80
      Protocol: TCP
      Classtype: Potentially Bad Traffic

      AV Detection

      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 84.6% probability

      Compliance

      Source: TMX.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: TMX.exe | Static PE information: certificate valid
      Source: TMX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: adwsmigrate.pdbGCTL source: adwsmigrate.dll0.0.dr
      Source: Binary string: SetupError.pdb source: setuperror.exe.0.dr
      Source: Binary string: adwsmigrate.pdb source: adwsmigrate.dll0.0.dr
      Source: Binary string: spwizeng.pdbGCTL source: spwizeng.dll.0.dr
      Source: Binary string: SetupError.pdbGCTL source: setuperror.exe.0.dr
      Source: Binary string: spwizeng.pdb source: spwizeng.dll.0.dr
      Source: C:\Users\user\Desktop\TMX.exe | Directory queried: number of queries: 1001

      Networking

      Source: C:\Users\user\Desktop\TMX.exe | HTTP traffic: GET / HTTP/1.1 User-Agent: test Host: www.google.com
      Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 172.217.23.100:80
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: test Host: www.google.com
      Source: C:\Users\user\Desktop\TMX.exe | File created: \Device\CdRom0\sources\appraiserdatasha1.cat
      Source: C:\Users\user\Desktop\TMX.exe | File created: \Device\CdRom0\efi\microsoft\boot\winsipolicy.p7b
      Source: C:\Users\user\Desktop\TMX.exe | File created: \Device\CdRom0\sources\db_msftproductionwindowssigningca.cer

      System Summary

      Source: 00000000.00000002.3611897583.0000000001439000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 | Author: unknown
      Source: 00000000.00000002.3611897583.0000000001439000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_d4b38e13 | Author: unknown
      Source: 00000000.00000002.3616445614.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 | Author: unknown
      Source: TMX.exe | Static PE information: section name:
      Source: C:\Users\user\Desktop\TMX.exe | File created: C:\Windows\INF\c_processor.PNF
      Source: C:\Users\user\Desktop\TMX.exe | File created: C:\Windows\INF\c_monitor.PNF
      Source: C:\Users\user\Desktop\TMX.exe | File created: C:\Windows\INF\c_volume.PNF
      Source: C:\Users\user\Desktop\TMX.exe | Process token adjusted: Security
      Source: TMX.exe | Static PE information: Resource name: RT_GROUP_CURSOR type: COM executable for DOS
      Source: netsetupengine.dll.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: mapsmigplugin.dll.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: acres.dll.mui.0.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
      Source: acres.dll.mui.0.dr | Static PE information: Resource name: RT_STRING type: PDP-11 overlaid pure executable not stripped
      Source: acres.dll.mui.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: wdsclient.dll.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: wdsimage.dll.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: wdstptc.dll.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs TMX.exe
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: \OriginalFileName vs TMX.exe
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003766000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCredentialEnrollmentManager.exe.muij% vs TMX.exe
      Source: TMX.exe, 00000000.00000002.3618921590.00000000039C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedllhost.exej% vs TMX.exe
      Source: TMX.exe, 00000000.00000002.3632435424.000000000550E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome.exe< vs TMX.exe
      Source: TMX.exe, 00000000.00000002.3618921590.000000000392D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exe.muij% vs TMX.exe
      Source: TMX.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: 00000000.00000002.3611897583.0000000001439000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
      Source: 00000000.00000002.3611897583.0000000001439000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_d4b38e13 reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = c91f97a7e609d8138f8c5c7dd66cf675b1b3762f26baa5bf983ee212011b99cb, id = d4b38e13-1439-4549-ba90-0b4a8ed57fb3, last_modified = 2022-04-12
      Source: 00000000.00000002.3616445614.0000000003660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
      Source: TMX.exe Static PE information: Section: ZLIB complexity 0.9994050854933175
      Source: TMX.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
      Source: classification engine Classification label: mal42.troj.evad.winEXE@1/908@19/1
      Source: C:\Users\user\Desktop\TMX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\BXSHN514.htm
      Source: C:\Users\user\Desktop\TMX.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{C7BF0490-CBE5-4D24-A39C-62AB53AC34CD}
      Source: C:\Users\user\Desktop\TMX.exe File created: C:\Users\user\AppData\Local\Temp\TMX.madExcept
      Source: C:\Users\user\Desktop\TMX.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\TMX.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
      Source: C:\Users\user\Desktop\TMX.exe File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\TMX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\TMX.exe File read: C:\Users\user\Desktop\TMX.exe
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dbghelp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: version.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wtsapi32.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wsock32.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: mpr.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: oleacc.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: faultrep.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dbgcore.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: winsta.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: slwga.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: netapi32.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: samcli.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wkscli.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: schedcli.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: logoncli.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: powrprof.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: umpdc.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: pdh.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: tbs.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wevtapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: olepro32.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: activeds.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: adsldpc.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dxva2.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dwrite.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: windowscodecs.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wpnapps.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: rmclient.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: xmllite.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: twinapi.appcore.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: usermgrcli.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dataexchange.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: d3d11.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dcomp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dxgi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: napinsp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: pnrpnsp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wshbth.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: nlaapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: winrnr.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: devobj.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: mrmcorer.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: perfos.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: perfdisk.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wmiclnt.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: perfproc.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: msscntrs.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: rasctrs.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: rasman.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: tapiperf.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: usbperf.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: thumbcache.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: mmcshext.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: hhsetup.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dwmapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dlnashext.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wpdshext.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: napinsp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: pnrpnsp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wshbth.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: nlaapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: winrnr.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: napinsp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: pnrpnsp.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wshbth.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: nlaapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: winrnr.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wlanapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wuapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wups.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: taskschd.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: sxs.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wbemcomn.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: amsi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: policymanager.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: msvcp110_win.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dhcpcsvc6.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: dhcpcsvc.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wnaspi32.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: wnaspi32.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: rasapi32.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: rtutils.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: winsatapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: resourcepolicyclient.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: usoapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: cscapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: winmmbase.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: mmdevapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: ksuser.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: avrt.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: audioses.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: msacm32.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: midimap.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: resourcepolicyclient.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: windows.ui.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: windowmanagementapi.dll
      Source: C:\Users\user\Desktop\TMX.exe Section loaded: inputhost.dll
      Source: C:\Users\user\Desktop\TMX.exe Window found: window name: TComboBox
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: TMX.exe Static PE information: certificate valid
      Source: TMX.exe Static file information: File size 4610952 > 1048576
      Source: TMX.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
      Source: Binary string: adwsmigrate.pdbGCTL source: adwsmigrate.dll0.0.dr
      Source: Binary string: SetupError.pdb source: setuperror.exe.0.dr
      Source: Binary string: adwsmigrate.pdb source: adwsmigrate.dll0.0.dr
      Source: Binary string: spwizeng.pdbGCTL source: spwizeng.dll.0.dr
      Source: Binary string: SetupError.pdbGCTL source: setuperror.exe.0.dr
      Source: Binary string: spwizeng.pdb source: spwizeng.dll.0.dr

      Data Obfuscation

      Source: C:\Users\user\Desktop\TMX.exe Unpacked PE file: 0.2.TMX.exe.9f0000.0.unpack Unknown_Section0:R;Unknown_Section1:W;Unknown_Section2:R;Unknown_Section3:W;.rsrc:R;Unknown_Section5:W;Unknown_Section6:EW; vs Unknown_Section0:R;Unknown_Section1:W;Unknown_Section2:R;Unknown_Section3:W;.rsrc:R;Unknown_Section5:W;Unknown_Section6:EW;#QWI:R;
      Source: setup.exe.0.dr Static PE information: 0x8213988A [Sat Feb 26 08:38:34 2039 UTC]
      Source: TMX.exe Static PE information: section name:
      Source: TMX.exe Static PE information: section name:
      Source: TMX.exe Static PE information: section name:
      Source: TMX.exe Static PE information: section name:
      Source: TMX.exe Static PE information: section name:
      Source: TMX.exe Static PE information: section name:
      Source: icfupgd.dll.0.dr Static PE information: section name: .didat
      Source: netsetupengine.dll.0.dr Static PE information: section name: .didat
      Source: wmimigrationplugin.dll.0.dr Static PE information: section name: .didat
      Source: networkbindingenginemigplugin.dll.0.dr Static PE information: section name: .didat
      Source: dafmigplugin.dll.0.dr Static PE information: section name: .didat
      Source: audmigplugin.dll.0.dr Static PE information: section name: .didat
      Source: rasmigplugin.dll.0.dr Static PE information: section name: .didat
      Source: tilestoremigrationplugin.dll.0.dr Static PE information: section name: .didat
      Source: wininetplugin.dll.0.dr Static PE information: section name: .wpp_sf
      Source: clipmigplugin.dll.0.dr Static PE information: section name: .didat
      Source: hwvidmigplugin.dll.0.dr Static PE information: section name: .didat
      Source: vhdprovider.dll.0.dr Static PE information: section name: .didat
      Source: wdsutil.dll.0.dr Static PE information: section name: .didat
      Source: wimprovider.dll.0.dr Static PE information: section name: .didat
      Source: win32ui.dll.0.dr Static PE information: section name: .didat
      Source: winsetup.dll.0.dr Static PE information: section name: .didat
      Source: winsetupboot.sys.0.dr Static PE information: section name: GFIDS
      Source: memtest.exe.0.dr Static PE information: section name: PAGER32C
      Source: wpcmigration.uplevel.dll.0.dr Static PE information: section name: .didat
      Source: apmonportmig.dll.0.dr Static PE information: section name: .didat
      Source: icfupgd.dll0.0.dr Static PE information: section name: .didat
      Source: input.dll.0.dr Static PE information: section name: .didat
      Source: netiomig.dll.0.dr Static PE information: section name: .didat
      Source: shmig.dll.0.dr Static PE information: section name: .didat
      Source: rasmigplugin.dll0.0.dr Static PE information: section name: .didat
      Source: pbkmigr.dll.0.dr Static PE information: section name: .didat
      Source: migisol.dll.0.dr Static PE information: section name: .didat
      Source: TMX.exe Static PE information: section name: entropy: 7.996625635372898
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\imagingprovider.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\winsetup.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-textservicesframework-migration\msctfmig.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\itgtupg.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\appraiser.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\support\logging\sysprepetw.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\dism.exe.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\cmi2migxml.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-iis-rm\iismig.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\uxlibres.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\reportgen.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\arunres.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\rollback.exe
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\support\logging\setupcletw.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\csiagent.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\diager.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\diagnostic.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\rdsupgcheck.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\ntdsupg.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-tapisetup\tapimigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-rasapi-mig\pbkmigr.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\setupcompat.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\support\logging\auditetw.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-terminalservices-licenseserver\tlsrepplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dismcore.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\efi\microsoft\boot\cdboot_noprompt.efi
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\iasmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\autorun.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\pnpibs.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\cmisetup.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-unimodem-config\modemmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\reagent.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\appraiserres.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-iasserver-migplugin\iasmigreader.exe
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-rasserver-migplugin\rasmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\mitigation.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\setupplatform.exe
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-networkloadbalancing-core\nlbmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\wpc\wpcmigration.uplevel.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\spwizres.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\offlineprofileutils.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\setupcore.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-audio-mmecore-other\audmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\dismcore.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\spflvrnt.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dismprov.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\sppmig\sppmig.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\windlp.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\wdsclient.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\nlsbres.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\etwproviders\setupugcetw.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\wdsclientapi.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\wdsimage.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\smiengine.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-sxs\en-gb\sxsmigplugin.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\printing-localprinting-replacement\apmonportmig.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dlmanifests\networking-mpssvc-svc\icfupgd.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\rollback.exe.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-virtualization-vmswitch\vmswitchmigrationplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\diagtrack.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-security-ngc-localaccountmigplugin\ngclocalaccountmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-directoryservices-adam-client\adammigrate.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\vhdprovider.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-tcpip\netiomig.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\migres.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\uxlib.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\support\logging\winsetupetw.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\windowssearchengine\wsearchmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\spwizres.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\setupplatform.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\etwproviders\setupetw.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-appx-deployment-server\appxupgrademigrationplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\boot\en-gb\bootsect.exe.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\msctfmig.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\support\logging\oobeldretw.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\imagingprovider.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\actionqueue.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\adfscomp.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\pnpibs.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\compres.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\aeinv.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-activedirectory-webservices\adwsmigrate.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\setup.exe.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-terminalservices-appserver-licensing\tsmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\en-gb\logprovider.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-dhcpservermigplugin-dl\dhcpsrvmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\efi\microsoft\boot\memtest.efi
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-offlinefiles-core\en-gb\cscmig.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-msmq-messagingcoreservice\mqmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\migtestplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\setupdiag.exe
      Source: C:\Users\user\Desktop\TMX.exe File created: \Device\CdRom0\sources\xp\webservices.dll
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\appcompatservicing.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-winsock-core-infrastructure-upgrade\wsupgrade.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\cmisetup.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\logprovider.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\appraiser.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\acres.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\support\logging\setupugcetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\setupmgr.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\setupcore.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\wpx.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\migstore.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\support\logging\en-gb\actionqueueetw.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-bth-user\bthmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\migcore.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\support\logging\windeployetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-com-dtc-setup-dl\msdtcstp.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dism.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\compatctrl.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\hwvid-migration-2\hwvidmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\spprgrss.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\efi\microsoft\boot\resources\bootres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\uddicomp.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\uxlibres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-activedirectory-webservices-dl\adwsmigrate.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\etwproviders\oobeldretw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\setuperror.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\facilitator.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\imjpmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\winsetup.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-bluetooth-config\bthmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\setuphost.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\etwproviders\windeployetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\arunres.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\wdsupgcompl.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\actionqueue.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\mediasetupuimgr.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-onecore-tiledatarepository\tilestoremigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\mighost.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\setup.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\reservemanager.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\w32uiimg.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\iiscomp.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\migisol.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-mup\mupmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\reagent.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\setupcompat.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\wdsutil.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\etwproviders\actionqueueetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\upgloader.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\setupprep.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-edge-migration-plugin\edgemigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\etwproviders\sysprepetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\boot\resources\bootres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\printing-localprinting-replacement\usbportmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\etwproviders\auditetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\acmigration.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\nlsbres.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-rasserver-migplugin\rasmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\du.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-com-complus-setup\commig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\nxquery.sysJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\sqmapi.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\etwproviders\setupcletw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\etwproviders\en-gb\actionqueueetw.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-textservicesframework-migration\imkrmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\unbcl.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\sdbapiu.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\wdsimage.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-network-setup\netsetupapi.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\boot\bootsect.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\compatresources.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\mxeagent.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\dismprov.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\efi\microsoft\boot\cdboot.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\arunimg.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-appmanagement-migration\appmanmigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\wdsclient.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\win32ui.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\support\logging\actionqueueetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-shmig\shmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-textservicesframework-migration\chxmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\spwizeng.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\folderprovider.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-deviceassociationframeworkmigration\dafmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\compres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\chxmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\networkbridge\bridgemigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-textservicesframework-migration\tabletextservicemig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\migsys.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\input.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\setupprep.exe.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\hwcompat.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\windlp.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\mediasetupuimgr.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\acres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\input.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-offlinefiles-core\cscmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\compatctrl.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dismapi.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\admtv3check.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dismcoreps.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\wimprovider.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-ie-clientnetworkprotocolimplementation-migration\wininetplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\support\logging\cmisetupetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\devinv.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\etwproviders\cmisetupetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\wdscore.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\smiengine.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-mapscontrol-migration\mapsmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\clustercompliance.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-wmi-core\wmimigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\vhdprovider.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\setuperror.exe.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\tabletextservicemig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-com-complus-setup-dl\commig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\dismapi.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\support\logging\setupetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\boot\memtest.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\wdstptc.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\etwproviders\winsetupetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-directoryservices-adam-dl\adammigrate.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\spwizimg.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\imkrmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\bootmgr.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\setupplatform.exe.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-iasserver-migplugin\iasmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\rmsupg.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\w32uires.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\wimprovider.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-pnpmigration\pnpmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\migres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\hypervcomplcheck.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\compatresources.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\upgradeagent.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-network-setup\networkbindingenginemigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\diagtrackrunner.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-terminalservices-licenseserver\tlsmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\vista\webservices.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\updateagent.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-internet-naming-service-runtime\winsplgn.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-rasconnectionmanager\cmmigr.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\gatherosstate.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\dlmanifests\microsoft-windows-networkbridge\bridgemigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\upgloader.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\pnppropmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\appraiserwc.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-shmig\en-gb\shmig.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\wdscsl.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\generaltel.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\w32uires.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\appraiserwc.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\en-gb\folderprovider.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\efi\boot\bootx64.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\winsetupboot.sysJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\wpc\wpcmigration.downlevel.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-network-setup\netsetupengine.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-client-license-platform-service-migration\clipmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-textservicesframework-migration\imjpmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\unattend.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\networking-mpssvc-svc\icfupgd.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-sxs\sxsmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\cryptosetup.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\setup.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\sources\ntfrsupg.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\bootmgr.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\efi\microsoft\boot\cdboot.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\efi\microsoft\boot\cdboot_noprompt.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\efi\microsoft\boot\memtest.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeFile created: \Device\CdRom0\efi\boot\bootx64.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\TMX.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\TMX.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\TMX.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\TMX.exe System information queried: FirmwareTableInformation
      Source: C:\Users\user\Desktop\TMX.exe Special instruction interceptor: First address: 144E996 instructions caused by: Self-modifying code
      Source: C:\Users\user\Desktop\TMX.exe File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\TMX.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
      Source: C:\Users\user\Desktop\TMX.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
      Source: C:\Users\user\Desktop\TMX.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
      Source: C:\Users\user\Desktop\TMX.exe Window / User API: threadDelayed 511
      Source: C:\Users\user\Desktop\TMX.exe Window / User API: threadDelayed 1765
      Source: C:\Users\user\Desktop\TMX.exe Window / User API: threadDelayed 1015
      Source: C:\Users\user\Desktop\TMX.exe Window / User API: threadDelayed 1626
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-rasserver-migplugin\rasmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-iasserver-migplugin\iasmigreader.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\mitigation.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\setupplatform.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\wpc\wpcmigration.uplevel.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-networkloadbalancing-core\nlbmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\spwizres.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\offlineprofileutils.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\setupcore.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-audio-mmecore-other\audmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\dismcore.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\spflvrnt.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dismprov.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\sppmig\sppmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\windlp.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\wdsclient.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\nlsbres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\setupugcetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\wdsclientapi.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\wdsimage.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\smiengine.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-sxs\en-gb\sxsmigplugin.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\printing-localprinting-replacement\apmonportmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\networking-mpssvc-svc\icfupgd.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\rollback.exe.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\diagtrack.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-virtualization-vmswitch\vmswitchmigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-security-ngc-localaccountmigplugin\ngclocalaccountmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-directoryservices-adam-client\adammigrate.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\vhdprovider.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-tcpip\netiomig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\migres.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\uxlib.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\support\logging\winsetupetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\spwizres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\setupplatform.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\setupetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-appx-deployment-server\appxupgrademigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\boot\en-gb\bootsect.exe.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\msctfmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\support\logging\oobeldretw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\imagingprovider.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\actionqueue.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\adfscomp.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\pnpibs.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\aeinv.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\compres.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\setup.exe.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-activedirectory-webservices\adwsmigrate.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-terminalservices-appserver-licensing\tsmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-dhcpservermigplugin-dl\dhcpsrvmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\logprovider.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\efi\microsoft\boot\memtest.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-offlinefiles-core\en-gb\cscmig.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-msmq-messagingcoreservice\mqmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\setupdiag.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\migtestplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\xp\webservices.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\appcompatservicing.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-winsock-core-infrastructure-upgrade\wsupgrade.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\cmisetup.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\logprovider.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\appraiser.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\setupmgr.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\support\logging\setupugcetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\acres.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\setupcore.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\wpx.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\migstore.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\support\logging\en-gb\actionqueueetw.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\migcore.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-bth-user\bthmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\support\logging\windeployetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-com-dtc-setup-dl\msdtcstp.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dism.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\compatctrl.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\spprgrss.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\hwvid-migration-2\hwvidmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\efi\microsoft\boot\resources\bootres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\uddicomp.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\uxlibres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-activedirectory-webservices-dl\adwsmigrate.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\oobeldretw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\setuperror.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\facilitator.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\imjpmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\winsetup.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-bluetooth-config\bthmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\setuphost.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\windeployetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\arunres.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\wdsupgcompl.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\actionqueue.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\mediasetupuimgr.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-onecore-tiledatarepository\tilestoremigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\mighost.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\setup.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\reservemanager.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\w32uiimg.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\iiscomp.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\migisol.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-mup\mupmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\setupcompat.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\reagent.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\wdsutil.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\actionqueueetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\upgloader.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\setupprep.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-edge-migration-plugin\edgemigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\sysprepetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\printing-localprinting-replacement\usbportmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\boot\resources\bootres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\auditetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\acmigration.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\nlsbres.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-rasserver-migplugin\rasmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\du.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-com-complus-setup\commig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\nxquery.sysJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\sqmapi.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\setupcletw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\en-gb\actionqueueetw.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\unbcl.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-textservicesframework-migration\imkrmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\sdbapiu.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\wdsimage.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\boot\bootsect.exeJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\compatresources.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\mxeagent.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\dismprov.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\efi\microsoft\boot\cdboot.efiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\arunimg.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-appmanagement-migration\appmanmigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\wdsclient.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\win32ui.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\support\logging\actionqueueetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-shmig\shmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-textservicesframework-migration\chxmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\folderprovider.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\spwizeng.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-deviceassociationframeworkmigration\dafmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\compres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\chxmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\networkbridge\bridgemigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-textservicesframework-migration\tabletextservicemig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\migsys.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\input.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\hwcompat.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\setupprep.exe.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\windlp.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\mediasetupuimgr.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\acres.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\input.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-offlinefiles-core\cscmig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\compatctrl.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dismapi.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\admtv3check.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dismcoreps.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\wimprovider.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-ie-clientnetworkprotocolimplementation-migration\wininetplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\devinv.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\support\logging\cmisetupetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\cmisetupetw.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\smiengine.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\wdscore.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-mapscontrol-migration\mapsmigplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\clustercompliance.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\vhdprovider.dll.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-wmi-core\wmimigrationplugin.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\en-gb\setuperror.exe.muiJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exeDropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\tabletextservicemig.dllJump to dropped file
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\en-gb\dismapi.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-com-complus-setup-dl\commig.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\support\logging\setupetw.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\boot\memtest.exe
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\wdstptc.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\etwproviders\winsetupetw.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-directoryservices-adam-dl\adammigrate.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\spwizimg.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-textservicesframework-migration-dl\imkrmig.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\bootmgr.efi
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\en-gb\setupplatform.exe.mui
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-iasserver-migplugin\iasmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\rmsupg.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\w32uires.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\en-gb\wimprovider.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-pnpmigration\pnpmig.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\migres.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\hypervcomplcheck.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\en-gb\compatresources.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\upgradeagent.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-network-setup\networkbindingenginemigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\diagtrackrunner.exe
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-terminalservices-licenseserver\tlsmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\vista\webservices.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\updateagent.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-rasconnectionmanager\cmmigr.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-internet-naming-service-runtime\winsplgn.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\gatherosstate.exe
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\dlmanifests\microsoft-windows-networkbridge\bridgemigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\en-gb\upgloader.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\appraiserwc.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\pnppropmig.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-shmig\en-gb\shmig.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\wdscsl.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\generaltel.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\en-gb\w32uires.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\en-gb\appraiserwc.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\en-gb\folderprovider.dll.mui
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\efi\boot\bootx64.efi
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\winsetupboot.sys
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\wpc\wpcmigration.downlevel.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-network-setup\netsetupengine.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-client-license-platform-service-migration\clipmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-textservicesframework-migration\imjpmig.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\unattend.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\networking-mpssvc-svc\icfupgd.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\replacementmanifests\microsoft-windows-sxs\sxsmigplugin.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\cryptosetup.dll
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\setup.exe
      Source: C:\Users\user\Desktop\TMX.exe Dropped PE file which has not been started: \Device\CdRom0\sources\ntfrsupg.dll
      Source: C:\Users\user\Desktop\TMX.exe TID: 7768 Thread sleep time: -51100s >= -30000s
      Source: C:\Users\user\Desktop\TMX.exe TID: 7760 Thread sleep time: -176500s >= -30000s
      Source: C:\Users\user\Desktop\TMX.exe TID: 7764 Thread sleep time: -101500s >= -30000s
      Source: C:\Users\user\Desktop\TMX.exe TID: 7760 Thread sleep time: -162600s >= -30000s
      Source: C:\Users\user\Desktop\TMX.exe File opened: PhysicalDrive0
      Source: C:\Users\user\Desktop\TMX.exe File Volume queried: C:\ FullSizeInformation
      Source: C:\Users\user\Desktop\TMX.exe File Volume queried: \Device\CdRom0\ FullSizeInformation
      Source: C:\Users\user\Desktop\TMX.exe File Volume queried: C:\Program Files (x86) FullSizeInformation
      Source: TMX.exe, 00000000.00000003.1855226365.0000000008835000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnosed\CLMEMh4
      Source: adwsmigrate.dll0.0.dr Binary or memory string: .?AVCRegistryVirtualMachine@ATL@@H
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001B78000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.2610549024.0000000004CDB000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3613256857.0000000001AE8000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3629857792.0000000004CE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003A2A000.00000004.00001000.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3618921590.00000000037FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: )4806=Hyper-V Hypervisor Logical Processor
      Source: TMX.exe, 00000000.00000003.1855188332.0000000001BB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Operational
      Source: TMX.exe, 00000000.00000003.1855102726.000000000884A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-VID-AnalyticLMEMP
      Source: TMX.exe, 00000000.00000003.2610549024.0000000004CDB000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3629857792.0000000004CE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorA
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SecureVirtualMachine
      Source: TMX.exe, 00000000.00000002.3618921590.00000000037FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: &4906=Hyper-V Hypervisor Root PartitionT
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003A2A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: &4906=Hyper-V Hypervisor Root Partition
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001B78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003863000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: .4972=Hyper-V Hypervisor Root Virtual Processort
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001B78000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3629222437.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003A0C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: |Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.s)
      Source: TMX.exe, 00000000.00000003.3240236950.0000000004D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Pr
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001B78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processors
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001B78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition=
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: fkSecureVirtualMachine
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003863000.00000004.00001000.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3618921590.00000000037FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: &3094=Hyper-V Virtual Machine Bus Pipes
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Servicel rX
      Source: TMX.exe, 00000000.00000002.3618921590.00000000037FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 1914=Hyper-V VM Vid Partition\
      Source: TMX.exe, 00000000.00000003.1855226365.0000000008835000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalLMEMh0
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003863000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 4788=Hyper-V HypervisorHH
      Source: TMX.exe, 00000000.00000003.1854956110.0000000008862000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-VID-Analytic
      Source: TMX.exe, 00000000.00000002.3629222437.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Enterprise without Hyper-V Full
      Source: TMX.exe, 00000000.00000003.1855102726.000000000884A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/DiagnosticLMEMX
      Source: TMX.exe, 00000000.00000002.3632435424.000000000547B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 2Microsoft Hyper-V Virtual Machine Bus Child Driverrmat|
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001B57000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: THyper-V Hypervisor Root Virtual Processor7
      Source: TMX.exe, 00000000.00000002.3632435424.000000000547B000.00000004.00001000.00020000.00000000.sdmp
      Binary or memory string: VMware Virtual USB Mouse
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
      Binary or memory string: Standard without Hyper-V Full
      Source: TMX.exe, 00000000.00000002.3632435424.000000000562E000.00000004.00001000.00020000.00000000.sdmp
      Binary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
      Source: TMX.exe, 00000000.00000003.1855188332.0000000001BB7000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Admin
      Source: TMX.exe, 00000000.00000002.3629222437.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: DHyper-V Hypervisor Root Partition
      Source: TMX.exe, 00000000.00000002.3632435424.00000000053EB000.00000004.00001000.00020000.00000000.sdmp
      Binary or memory string: Hyper-V Data Exchange Servicee
      Source: TMX.exe, 00000000.00000003.1864715936.000000000876E000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.1886157496.000000000877B000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driverp
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AD4000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: &Hyper-V Hypervisor
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
      Binary or memory string: stQEMU
      Source: TMX.exe, 00000000.00000003.1855102726.000000000884A000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AdminLMEM`@
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003A0C000.00000004.00001000.00020000.00000000.sdmp
      Binary or memory string: .4972=Hyper-V Hypervisor Root Virtual Processor
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
      Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
      Source: TMX.exe, 00000000.00000002.3629222437.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Hyper-V Virtual Machine Bus Pipeslqt
      Source: TMX.exe, 00000000.00000003.3486346656.0000000004D4C000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtu
      Source: TMX.exe, 00000000.00000003.1854956110.0000000008862000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-VID-Adminp
      Source: adwsmigrate.dll0.0.dr
      Binary or memory string: .?AVCRegistryVirtualMachine@ATL@@
      Source: TMX.exe, 00000000.00000002.3629222437.0000000004CB0000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: DHyper-V Virtual Machine Bus Pipesqn
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003863000.00000004.00001000.00020000.00000000.sdmp
      Binary or memory string: /6468=Hyper-V Dynamic Memory Integration Serviced
      Source: TMX.exe, 00000000.00000003.1855188332.0000000001BB7000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Debug6
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
      Binary or memory string: Standard without Hyper-V Core
      Source: TMX.exe, 00000000.00000003.2610549024.0000000004CDB000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3629857792.0000000004CDE000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Hyper-V Hypervisor Logical Processor
      Source: TMX.exe, 00000000.00000002.3629857792.0000000004D18000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.2895454752.0000000004D18000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3613256857.0000000001B78000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.2723314590.0000000004D18000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.3127321940.0000000004D18000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.2610549024.0000000004D18000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.1923928414.0000000004D18000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Hyper-V Hypervisor
      Source: TMX.exe, 00000000.00000003.1855102726.000000000884A000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AdminLMEMX,
      Source: TMX.exe, 00000000.00000002.3632435424.000000000547B000.00000004.00001000.00020000.00000000.sdmp
      Binary or memory string: Hyper-V Heartbeat Servicee
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
      Binary or memory string: Hyper-V
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AE8000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Hyper-V xknljequttpwldw Bus Pipes
      Source: TMX.exe, 00000000.00000003.1872658361.0000000008859000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: \DosDevices\D:\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
      Binary or memory string: Datacenter without Hyper-V Core
      Source: TMX.exe, 00000000.00000003.2610549024.0000000004CDB000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3629857792.0000000004CE1000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: JHyper-V Hypervisor Logical Processorj
      Source: TMX.exe, 00000000.00000003.1855188332.0000000001BB7000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
      Binary or memory string: QEMUU
      Source: TMX.exe, 00000000.00000003.2297741324.0000000004D31000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003A0C000.00000004.00001000.00020000.00000000.sdmp
      Binary or memory string: /6468=Hyper-V Dynamic Memory Integration Service
      Source: TMX.exe, 00000000.00000003.1863921116.0000000008826000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.1855297137.0000000008830000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.2007533311.0000000008826000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.1864715936.000000000876E000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.1922586734.0000000008826000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.1967410646.0000000008826000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3654782238.0000000008826000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Hyper-V RAW
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp
      Binary or memory string: VMWARE
      Source: TMX.exe, 00000000.00000003.1855102726.000000000884A000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-AnalyticLMEM`(
      Source: TMX.exe, 00000000.00000003.1855188332.0000000001BB7000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/OperationalL
      Source: TMX.exe, 00000000.00000003.1855102726.000000000884A000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/DebugLMEM`8
      Source: TMX.exe, 00000000.00000003.1855226365.0000000008835000.00000004.00000020.00020000.00000000.sdmp
      Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/AnalyticequLMEMh<
      Source: TMX.exe, 00000000.00000002.3627550520.00000000047B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000'
      Source: TMX.exe, 00000000.00000002.3632435424.00000000055A5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DVD NECVMWarVMware SATA CD00
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V xknljequttpwldw Bus
      Source: TMX.exe, 00000000.00000002.3632435424.00000000053AF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 6Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: fsSecureVirtualMachine
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001B78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001B78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processori
      Source: TMX.exe, 00000000.00000003.1855188332.0000000001BB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003766000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmicvss
      Source: TMX.exe, 00000000.00000002.3632435424.0000000005360000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: $Microsoft Hyper-V VHDPMEM BTT Filter
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Datacenter without Hyper-V Full
      Source: TMX.exe, 00000000.00000003.1886157496.0000000008784000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000ee-8c18-806e6f6e6963}
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Microsoft Hyper-V Server
      Source: TMX.exe, 00000000.00000003.1936072536.000000000877B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000ee-8c18-8066
      Source: TMX.exe, 00000000.00000002.3632435424.000000000550E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMW=VMware Inc.,
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processors
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Enterprise without Hyper-V Core
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: stVMWare
      Source: TMX.exe, 00000000.00000003.1855188332.0000000001BB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
      Source: TMX.exe, 00000000.00000002.3618921590.0000000003863000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 1914=Hyper-V VM Vid Partition,
      Source: TMX.exe, 00000000.00000003.1855188332.0000000001BB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-Analytic{
      Source: TMX.exe, 00000000.00000002.3632435424.000000000547B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 3Microsoft-Windows-Hyper-V-Guest-Drivers/Operational.
      Source: TMX.exe, 00000000.00000002.3618921590.00000000037FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 4788=Hyper-V Hypervisor
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001AE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
      Source: TMX.exe, 00000000.00000002.3579848936.0000000000A48000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
      Source: TMX.exe, 00000000.00000003.1855188332.0000000001BB7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-NETVSC/Diagnosticw
      Source: TMX.exe, 00000000.00000003.1855226365.0000000008835000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor-OperationalmanLMEMh$
      Source: TMX.exe, 00000000.00000003.2610549024.0000000004CDB000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000002.3629857792.0000000004CE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisors
      Source: TMX.exe, 00000000.00000003.1855102726.000000000884A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft-Windows-Hyper-V-VID-AdminLMEMH
      Source: TMX.exe, 00000000.00000003.1967215710.0000000008851000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
      Source: C:\Users\user\Desktop\TMX.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\TMX.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\TMX.exeQueries volume information: C:\Users\user\Desktop\TMX.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TMX.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TMX.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\TMX.exe Queries volume information: \Device\CdRom0\ VolumeInformation
      Source: TMX.exe, 00000000.00000002.3613256857.0000000001B57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe
      Source: TMX.exe, 00000000.00000003.2723647797.00000000086D7000.00000004.00000020.00020000.00000000.sdmp, TMX.exe, 00000000.00000003.1967410646.0000000008826000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
      Source: TMX.exe, 00000000.00000003.1967410646.00000000087CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe
      Source: TMX.exe, 00000000.00000002.3632435424.000000000547B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

      Stealing of Sensitive Information

      Source: Yara match File source: 00000000.00000003.2007533311.000000000882E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000003.1922586734.0000000008826000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000003.1967410646.0000000008826000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.3654782238.0000000008826000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000003.1928800347.000000000882D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000003.2039876701.000000000882E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: TMX.exe PID: 7604, type: MEMORYSTR
      Source: C:\Users\user\Desktop\TMX.exe Directory queried: number of queries: 1001

      Remote Access Functionality

      Source: Yara match File source: 00000000.00000003.2007533311.000000000882E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000003.1922586734.0000000008826000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000003.1967410646.0000000008826000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000002.3654782238.0000000008826000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000003.1928800347.000000000882D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: 00000000.00000003.2039876701.000000000882E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: TMX.exe PID: 7604, type: MEMORYSTR

      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Masquerading | OS Credential Dumping | 231 Security Software Discovery | Remote Services | Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
      Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 13 Virtualization/Sandbox Evasion | LSASS Memory | 13 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
      Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 11 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 122 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

      Source | Detection | Scanner | Label | Link
      TMX.exe | 1% | Virustotal | | Browse
      TMX.exe | 0% | ReversingLabs | |
      No Antivirus matches
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.217.23.100 | www.google.com | United States | | 15169 | GOOGLEUS | false
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1503269
Start date and time:2024-09-03 09:29:44 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 8m 57s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of analysed new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:TMX.exe
Detection:MAL
Classification:mal42.troj.evad.winEXE@1/908@19/1
EGA Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 40.68.123.157, 51.124.78.146, 40.126.32.68, 40.126.32.140, 40.126.32.74, 20.190.160.14, 40.126.32.134, 20.190.160.22, 20.190.160.20, 40.126.32.76, 20.242.39.171, 20.3.187.198, 40.127.169.103, 2.16.100.168, 88.221.110.91
• Excluded domains from analysis (whitelisted): settings-prod-weu-1.westeurope.cloudapp.azure.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, 1.2.168.192.in-addr.arpa, settings-win.data.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, atm-settingsfe-prod-geo2.trafficmanager.net, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                          • Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateFile calls found.
                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                          • Report size getting too big, too many NtEnumerateKey calls found.
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryDirectoryFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Skipping hybrid code analysis for target 0 due to data oversize (total size is 5971 MB, which is larger than the maximum total file size of 4000 MB (see MAXSCAEOVERALLMEMDUMPSIZEINMB))
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          Time:03:31:38
                          Type:API Interceptor
                          Description:6048x Sleep call for process: TMX.exe modified
                          No context
                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                          No context
                          No context
                          Match | Associated Sample Name / URL | Detection | Threat Name
                          \Device\CdRom0\bootmgr.efi | 5CG2133F5Y_2024-04-05_12_15_35.569.zip | malicious | Unknown
                          \Device\CdRom0\bootmgr | 5CG2133F5Y_2024-04-05_12_15_35.569.zip | malicious | Unknown
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1318 "Signature", at 0x68 WinDirPath, LanguageID 809, at 0x80 language en-GB
                              Category:dropped
                              Size (bytes):6884
                              Entropy (8bit):3.3520280239601608
                              Encrypted:false
                              SSDEEP:96:262X44AX7cyfWOMeVbT30EMGUbrGTyeglE16O8t746Efv3VfANNWuyfJ:9bfnLbT3/xU2+Xur6WqNWus
                              MD5:77D343425FC0193684A5085B19A597B6
                              SHA1:96218E71424827AEE4425BB75E889833414695D3
                              SHA-256:E932F7D66E9FB3159C4992E67EA1D6A9A82258CF1A917B6BDA0C08447757E2C9
                              SHA-512:B5926BB814CD54DDB7D9C76301AC0F644AE13428F35B732E91A3A72EB0CB11D563B974C973EBB673639F8DB727F696F1FBC6DB3CD6F27C01F8A83C594CC8039C
                              Malicious:false
                              Reputation:low
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0xfa0 "Signature", at 0x68 WinDirPath, LanguageID 809, at 0x80 language en-GB
                              Category:dropped
                              Size (bytes):5356
                              Entropy (8bit):3.04431223312435
                              Encrypted:false
                              SSDEEP:96:3ERG+gmDfWAoeS1HOwthgmyDc8Vze8SWtpJO1:UXDfJozJg7Dc8ReBWlc
                              MD5:470FC8E53675EC437E61CE3B8B90FC52
                              SHA1:63581E4B2037BDEC559B68E329C41A2FB89A4076
                              SHA-256:2DD0ACCCEB361838DC4AD78AB086E6918389E1EAECD1EBAF239B30A509185E66
                              SHA-512:1184026596506FD49F19B1E20D94E8AC0448CC6D78C51EECB7776897BD40DC8C6D476DA2F36B1E747EBACFA06813372B6DAA1E031F35D2067954431DD2140158
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0xd98 "Signature", at 0x68 WinDirPath, LanguageID 809, at 0x80 language en-US
                              Category:dropped
                              Size (bytes):4548
                              Entropy (8bit):2.842802677695323
                              Encrypted:false
                              SSDEEP:48:+jACyGz7ElZd/WyVL5KlMR7+YEEQ3IDbCRbfIKVMRGGLp7tVCCHr6mv7C:YARGzY/Wyv+YKuCNADLpxV3r6mvG
                              MD5:F15286F15CEC2B99FDC7A1C98196DE73
                              SHA1:04F2486B2B2ED7961B0A94CF8033B1D38DE02305
                              SHA-256:872006779466086DF16AD18D9078BE826D8E74205B703C4DC7A8A47523CEF98C
                              SHA-512:EF69955A3D52D03951504416C72E2128D2B51A8B10C70C542F59CF3522EC3536B33060ADC0882755522396BA75BB476424ED7381220B536F00F814199DD8E64F
                              Malicious:false
                              Reputation:low
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Microsoft Windows Autorun file
                              Category:dropped
                              Size (bytes):128
                              Entropy (8bit):4.486290630664857
                              Encrypted:false
                              SSDEEP:3:0vk/X2VL4yVL4sJcRydFVykMGHsWVykMM:96L4GL4DOVAGHhVAM
                              MD5:1EE3BD713BAF8DA75ECD537F7E086EB8
                              SHA1:F8B831B38942FBBA9440B3E5E76E77C8F4C8D8CA
                              SHA-256:3378723CB5910E5F3AFE1EE2200B8F0D08BAB8C5D77F7CE9FCB5725AFF525852
                              SHA-512:6530B1EA9E793A14C4B4122D965F8FFFE983B6B14CA61B7CEAB17CF782DC60ED48AD14AC06F03C9D5E72860BE173919B2B61283464E91DEB3CE0908836FA9CBE
                              Malicious:false
                              Reputation:low
                              Preview:[AutoRun.Amd64]..open=setup.exe..icon=setup.exe,0....[AutoRun]..open=sources\SetupError.exe x64..icon=sources\SetupError.exe,0..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):16384
                              Entropy (8bit):3.0983182388267143
                              Encrypted:false
                              SSDEEP:384:UiM+evQr/FWmjxdpLCuktEFnK83zP4eyZq9HNeUEKPMS6SrLdYKL7CKXFq5ndC:Uer/FWmjxdpLCuktEFnK83zP4eyZq9Hw
                              MD5:2E606663AD052407E303E6B07330C23F
                              SHA1:11813ADA097698CF3DBCA4B2CB71C915A1C86BE5
                              SHA-256:163271449A0E8E108B9E78B04D732191D9BB6D556BF2BC0CE8A4CD56B84FCC3C
                              SHA-512:2A82EE1902C344C67DF6AE5B8352BE0756A1AA9A8ECFF90D6E431407868738FFC0D4C843477E57AF3375FCBCD9EEB3FC3F42774576CCD597F6B0F06AEC7E12A0
                              Malicious:false
                              Reputation:low
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:System Deployment Image, PageAlignment 2, checksum 0x39, type PART (0x7) at 0x2000 3161088 bytes DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", Media descriptor 0xf8, sectors/track 2, heads 16, hidden sectors 2, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 2, sectors 6173, $MFT start cluster 2058, $MFTMirror start cluster 5162, clusters/RecordSegment 2, clusters/index block 8, serial number 050d60a27d60a0dc2; contains bootstrap NTLDR, type WIM at 0x306000
                              Category:dropped
                              Size (bytes):3170304
                              Entropy (8bit):1.5312684875066314
                              Encrypted:false
                              SSDEEP:3072:S/pcj53vs/InbrTIHvPnHmC5irUuMo/+ncoZZihnh:acRn7y/EouH/cpi
                              MD5:22D9945B4AAE36DD59620A918F2E65F4
                              SHA1:BB025CEDCA07887916C4B7E5FA7A641ED3E30C14
                              SHA-256:CD2C00CE027687CE4A8BDC967F26A8AB82F651C9BECD703658BA282EC49702BD
                              SHA-512:DD2D0EA7D5CF98064838CE0B74711F77534E1A2A14C7F74D44ED4B83ACDB6F413D74671D2C6A8574AEE88AFB456B53A6B8452419A3BDDDF2F7E9095C9D1D272E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1024
                              Entropy (8bit):3.0300489670599307
                              Encrypted:false
                              SSDEEP:6:+oNrEVvEKUNJfIU9BDuiXNe408lwxc796B4u4jWWASzmx7aDX8cJO1Dai:LgTUNJBB5qorjWizm44cJsD7
                              MD5:EB145D5F87DDF43C8BD6F27E97DB8BF2
                              SHA1:2021C98F81B177D17543EBD34004891183FA3DD4
                              SHA-256:A7A0EDAF85F70E833FAC02D0A416AE56AE2A3593E787F39C25DBB12830CA737C
                              SHA-512:B85FF5A038173898B7F96890CB3998034BBCC50301CB31DB112EEB04C3A1ED3C6B6D7905E48FC8CFE1FBB058B32E61349653B345BFE25FBFAA2CCFFFFDA031AB
                              Malicious:false
                              Preview:.........0................s.........0........&.~..|.u..........U...It.&.~..t.]...]..O...w.V.O....^.......t.........3.... .&...z.&.G..|.&....&.O....>w..t.....uC....$.u;.>.....V.x..}.^.......>~..u.....,...3.... ..z.&...|.&.G...........t............0..3...3...|........|........>~..t.........~....6|...6z..PS.>w..t..<.t..........[X...Press any key to boot from CD or DVD.........I.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):110392
                              Entropy (8bit):5.417707472930945
                              Encrypted:false
                              SSDEEP:1536:uTB5egI78tKKc7XHui2IH5vgY83J+PWKJ:uVU/7CwiPIZvpagrJ
                              MD5:381ADF2102B335F9C5979C295B5E2684
                              SHA1:64068391B62805BFD31180011A87B2BF7F493E96
                              SHA-256:55A47316AAB6E275758ED63C0238E61EDF4283F4AFE7ADD099B128CE56092A02
                              SHA-512:9A1C09349BA6A0FC4B81C769B89105E1BC738B08E7E070E67F590F4C89EE29C865B09369A8D2ECE4705A0F4DFCFB4AEF7700F8442A363B65E6FE86FE9B6887C5
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):16384
                              Entropy (8bit):3.433910308350334
                              Encrypted:false
                              SSDEEP:192:pou0SUbZZIdZC+V/DXbJwmX3kZFoYADRbpOko4nJ7fGW3dWq:pooUbZZId8U/rVnkZFtsRboE7fGW3dWq
                              MD5:2F1598053756CB491815ED83E11FBC96
                              SHA1:3BE72A4542066D75FD987442F22B5AC0715BD3DB
                              SHA-256:4EBC08B13BC6233C807DC016449E1A6296C30FD78C6459AA19600E5B99C978E1
                              SHA-512:E3B92C03BAC9F2C3A32204411BFF27B4D4C2C2293B384AA6A1ED1FE472CD6AEE5486E378B5A8DE3669B073A27EF96BCDD0677E15990A7D70E434448C9CFC4787
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):4.049931330854999
                              Encrypted:false
                              SSDEEP:48:LW9r0eIvMCkR4EgY7T2RZ6HxVouNjn3pigTBQt:6gFv2X7H2RZUxtNzpvBQt
                              MD5:D4BEFEBF3CEF129AC087422B9E912788
                              SHA1:62313EC73F381C052F2513CA6279CFB5107E98C0
                              SHA-256:F425E135AAC26B55E2BAC655E62E2CE0B16255226C583D9AB43B2E93E8A6D932
                              SHA-512:3814E4682CAD2EF40061D3D5E8142C964CC73A6C6DFC72BA59CBAB0922DD0C7E279703450E3A1F4FCFDE3498565BF6EF28A30E7DE53A0EDA75B3FEA76D03929B
                              Malicious:false
                              Preview:.3....|....R....$.<.t..........^..!.t....|..}...=.......E.....=..u........4....ry....5......=U.uiZ.....F.h..j.h. ...r.`.......... ..ah..j.h. ...s.h..j.h. ...r2....3.h. P.V......1.....V......2.....j......j.......^.....t..............$...3.... .&......&.G.....&.7&..t.&.O........u...3.... .....&......&.G....... .....3........T.. ....................s........|..........t..................CDBOOT: Cannot boot from CD - Code: 3...CDBOOT: Couldn't find BOOTMGR...CDBOOT: Memory overflow error..............3.3.6..&.....t5...!...Q3.....Yth;.s4+.>...t......Q....Y..........A...............&.>...u.........SQ....Y.....[...+.t.J...+...y....Q3.&.O .>...t.&.G..u.*.t....u.....t.Y.l.&.G..t.:.u.Y..U..SVRP.......G...G...G....G....G....F.....F.....F.....F.....F.....>....u..>.. ........................... .....G.....G.....G.....G.....B.......>...u(.... ...........s.j.....b..... ........XZ^[..].U..QSP....................t.......PS.v..6...6........X[Y..].P&.G....&.G....&.G....&.G....X.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \375 2006 Microsoft Corporation. All rights reserved.chs_bootRegularVersion 1.01
                              Category:dropped
                              Size (bytes):3694080
                              Entropy (8bit):6.624448833616754
                              Encrypted:false
                              SSDEEP:49152:JRLb7Lb7Lrrb7brb7Ewmgi4uYCgrGgCYuU1B3zCOGHrSGjwe18wGHLuRapXtb:5z1GHrHwe1auRa1V
                              MD5:CEC569AA88293C3711AB8CE68523227E
                              SHA1:03AD7AADA17A724FA9B7B2926D99026F7B673008
                              SHA-256:13E470AB455716E87E0C7A89A8605A33D8DADC245F445141B3D9869DA87FEB20
                              SHA-512:01C83C69169CCC560154851219891A4EC9E2A877251FF7AC8373D3627C74AE3FDABA0D15894352D3A81E29926BAAE1C084D7E4F8EB5246F97F44BE49AD1B97D9
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.cht_bootRegularVersion 1.01
                              Category:dropped
                              Size (bytes):3876772
                              Entropy (8bit):6.621508159631719
                              Encrypted:false
                              SSDEEP:49152:jvLb7Lb7Lrrb7brb7Ewmgi4uYCgrGgCYu+SV7SkCrWGBydrGOIs5KknYNqW8Lf:88WbGOIghnW8j
                              MD5:409CAA06620BFD1EC6D6B10F0A67E428
                              SHA1:8280FF3C730E3D2F62640A859AC752135E791FBC
                              SHA-256:713EA9CDF88A141B9F5FE983AFE7296FF60749F934663D5A2B62CB49AAF7BE12
                              SHA-512:172EFA15F1B5AEAFA909ACF39111F523379B9666F59005C80FA09CD7163A8A54A0EACEE4CC55C99464C82253DD19E2C7615B6FE86BF0C9B03F34A8FCE1DC21A8
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.jpn_bootRegularVersion 1.01
                              Category:dropped
                              Size (bytes):1984228
                              Entropy (8bit):6.670006435019523
                              Encrypted:false
                              SSDEEP:49152:pPe6imLe3IWYidPwzDXV7wPxHaHNzE/DfD3t8ZHHzOxw3wt:1gaHNzyDfD3t8ZHHzOW3k
                              MD5:27B5282821B61D8C6678FC577E9C1E73
                              SHA1:2AB6B331D79FD3BC9C99B11E8AEDD776A4423EC2
                              SHA-256:F2D36224161E8A1772208473C4310B2897F2B25AF7733174AFADF61773870F95
                              SHA-512:6FFDC5AF67F6092C317740603C5F28C9AFA400B23B66064249692A30D44788AC61C9B3DEED98CE23BF53A6B410D438AA2F16A57D40091EBA2391564CB9E94D51
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.kor_bootRegularVersion 1.01
                              Category:dropped
                              Size (bytes):2371360
                              Entropy (8bit):6.254408952598701
                              Encrypted:false
                              SSDEEP:24576:CpPa2PYJqzMtenwoZ6DcTrk3LM9RlbkwoqR8QKV60MYCByDp7RbIUQ+b:OBrk3LM9Rlbk/fuGb
                              MD5:FE9445AF8AC72E14F172A12EDF525494
                              SHA1:53691A366606E9A95AD06F3AB7459621D9004D3C
                              SHA-256:295A115432230017AC2E7E892DA1594F58FB3AF04B217E4D0AA4ED948AFE9471
                              SHA-512:CD48889F0B7F40536A19C38D8341FE436621CB3D257A511D1D22DD3598905F2EDCE33C20CDFFB6D1D6878CD273D43249B5279EFED5349A7A1C0CE06D70963D4D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Malgun Gothic BootRegularMalgun Gothic Boot
                              Category:dropped
                              Size (bytes):178400
                              Entropy (8bit):6.873543579071386
                              Encrypted:false
                              SSDEEP:3072:ISDTk5OhPZl/tjS2G/dTppFlXKHl+S/fLvVyfBsgemclbP:9hP7JS2MTXOF+x3E
                              MD5:3FF3EC226F656B3D718C4E4FEBBD31A6
                              SHA1:5EAB0B797FDFB21610BCB5AA7B52F27D6B332BE6
                              SHA-256:C21592992C7F374ABC6218206BBDA65AFD98C5FF9322C2296DA24C7CFFD72D9C
                              SHA-512:7C1BE17A59B7EF365AA65F67C3C8F226427364183EB24F3E9B2E89E70E34074F80813B18EFE1CC61F00DB954CBEBB0242E8478E663481BBFF56486C1C305E175
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 9 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All rights reserved.Malgun Gothic ConsoleRegularVersion 1.00Mal
                              Category:dropped
                              Size (bytes):81412
                              Entropy (8bit):6.841696963636173
                              Encrypted:false
                              SSDEEP:1536:hi4wgM7xG6sxdwYokEEIeiEU4wfo+AhPPtfUm7S6LSw3zEB9:Pwt7xGz+QUEUuRUm7S6R3zEj
                              MD5:6AB5EBC02CE731CC6B1938B63693484E
                              SHA1:B4AADE614AD15BD9BD4EEA5A7C996982FA462898
                              SHA-256:C1E77B387320B56B72B32BFB74719C07F28DA2DD8407F45CCCC50C2A26BA9E02
                              SHA-512:CC0E1ED731A22E79AF823FF29E7FFB3142ED475F78645AABB8AE3E27C20EADF87C941A577D37AFD0FF9971420000F2D64092DD768E62720749C64EEF8329BC00
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Malgun Gothic BootRegularMalgun Gothic Boot
                              Category:dropped
                              Size (bytes):175944
                              Entropy (8bit):6.887679604293664
                              Encrypted:false
                              SSDEEP:3072:8LIfTlwGbdvrvnJA+PpDf8+5vzVsG9+5aaRJ7wdnngmR/ME:8oJwAKy8+5voPwxZJ
                              MD5:726B387C66E1FC2EB0B88BDA4C6F4C94
                              SHA1:E86348C969FFB58DB28007C5CE9D223629C74BE2
                              SHA-256:58DD74FB3BA9D0B4E7AE3F5E42289A59F77628BCBE0BF1ED722794A707BA99C5
                              SHA-512:DAFCBF793C50CC4F470F6F7080DAEE845681C95D2F128403B0FF79EF0802EDAE8F306BBDAD8E2B884135D47CEC0F9CCA31103A3E3D3628CA8FF56F8784F6494B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Meiryo BootRegularMeiryo Boot RegularVersio
                              Category:dropped
                              Size (bytes):144736
                              Entropy (8bit):6.93238749054203
                              Encrypted:false
                              SSDEEP:3072:DDTk5OhPZl/tjS2GnQaowGXKE6qyP4Ua6R9C49:FhP7JS2KQaowEZyP4UPLC49
                              MD5:85D0D36B7FA1671ABAB896C68408B429
                              SHA1:3634D9246F2791AF84E90A357E8A7CFF435909D5
                              SHA-256:542E9827666E0FFD0A42B934BDA65025635DFD3E6B689A9F0530679F8DABEED6
                              SHA-512:9B5B8F7E0F09F221C409F85F88A3C59E0999CAD299C4F06E4A5F6D43E4E0E893CBA004D80553146C6FB77FDFD8F121B395E81104FCCDAC2E563499CA9FE5DBEF
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 9 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All rights reserved.Meiryo ConsoleRegularVersion 1.00MeiryoCons
                              Category:dropped
                              Size (bytes):90600
                              Entropy (8bit):7.027463315882515
                              Encrypted:false
                              SSDEEP:1536:dvw0/RAEMUChRQYFMEi3+P//EBTawhzn46GyIXVVNvj/NMEBT:Fw8CheYqEi3+P/DwEye5jKEt
                              MD5:600E450207722049644A03F47941B1AC
                              SHA1:70FB2CE2F14D31F502B6E674458DD9C01F54D202
                              SHA-256:1375B4D85BBCA1B20987004C3B4D6CA159F8008AC049CA6A1D14006D4E89BBF7
                              SHA-512:7FBAFFF2A35BCDDD508AAF3C0A5B8A0D8885083DDCF725A5C9A2A0CBB08ABE4087324AC01D211C2A5EC719AC9A0B4735433524457258132A19FE7842B9D87DB9
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Meiryo BootRegularMeiryo Boot RegularVersio
                              Category:dropped
                              Size (bytes):143072
                              Entropy (8bit):6.9076965895867355
                              Encrypted:false
                              SSDEEP:3072:NLIfz6WubdvrvnJA+PpDf8+54FNl8kk5gqs9TrQEvNmsY8cXIFbgC:NoIKy8+54FNl8Vgn9Trvv0L3IFd
                              MD5:B4568E137C1815C8C2ABD6041460E16F
                              SHA1:2932E854D4D2457AEA375C1A2708F7AB18499569
                              SHA-256:96A248044009C664909EC944BB0D0079A088269394B14A12516D4A648506AAAB
                              SHA-512:E3339CD650B97E7109BE6126E8EA84AA906B0838D61C099D64B7CCA6AE47BB87018AFFECB2B23D633E0681739069A992B8CBBF263DA5E57F535C83E17BAED724
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Microsoft JhengHei BootRegularMicrosoft Jhe
                              Category:dropped
                              Size (bytes):161416
                              Entropy (8bit):6.866658086234466
                              Encrypted:false
                              SSDEEP:3072:lgTk5OhPZl/tjS2GGNjJVPnwd16OcPDyeJ3H0RTIBxk3:MhP7JS2BdJK7ncbvJQTmxk3
                              MD5:26EC06F33F50FEA79C909FDB87C80EAC
                              SHA1:3D9DF5F8410756C2BB1E93E7338D83447460E571
                              SHA-256:761ADE9653C0C814A95893BB00DAA2935AE5ED717B2C798AC9CA5205CEE49332
                              SHA-512:270AAD53F4958574C5D33A6BADE95FBE55B19ED0B3BF1299AF5E66BCDC4176F3635271EB1C760F0F714AECAA9C64A69CAE56AB414A3EF2291180033321520091
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 9 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All rights reserved.Microsoft JhengHei ConsoleRegularVersion 1.
                              Category:dropped
                              Size (bytes):202808
                              Entropy (8bit):6.877586993777387
                              Encrypted:false
                              SSDEEP:6144:WXcf7AzDZGhGPlgsL9Jj7q9nWFhVoOU3FmU9AdZioFx6squ+zPIc0LHgX8PjR7KU:Wc0fYh+lgsL9Jj7q9nWFhVoOU3FmU9Ad
                              MD5:404CCA9EF1A112D1617F6198104C6FB4
                              SHA1:D571527AB44EC39FDA45120CBB9C13F4851AECD5
                              SHA-256:8D753E0B32D05060D5F65BC6DEBE502DE1D658AC7645704061A2D2D5529BA6D4
                              SHA-512:8E553B7C0F940A22468737A730758674857F30A0157DC003C539FC002A8A2FA3BB9CAF16CD36472F0FB11FC523896894F974F5466AC3248209D7BC145D393D28
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Microsoft JhengHei BootRegularMicrosoft Jhe
                              Category:dropped
                              Size (bytes):159388
                              Entropy (8bit):6.861417062904686
                              Encrypted:false
                              SSDEEP:3072:2LIfbEfDbdvrvnJA+PpDf8+5q820RBqTbtJRKr/w3BEAoJ1MBxkZ:2oQVKy8+5q8C/tJRKrIREA7xkZ
                              MD5:D9CCE26C671B31F427909DEB60D275B6
                              SHA1:73EADA64D838AA5F4D40A86F99597E3581EA764E
                              SHA-256:AF3D41967979F7F54C7FCE038E07E830D3673D89BEA4883E02F3254EC7189CCE
                              SHA-512:1434FA53355CF826A731BBB99AFE25292D3CF72915C6047E0967A7F43C350D8DA2CD826D00D1956DEF06602B1C5C9C1CF77EB9BB430560B0A02BBD558C31A43D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Microsoft YaHei BootRegularMicrosoft YaHei
                              Category:dropped
                              Size (bytes):157576
                              Entropy (8bit):6.867304542992183
                              Encrypted:false
                              SSDEEP:3072:BxTk5OhPZl/tjS2GVohZLacGMuheTC4EBoVpe5h:phP7JS25ZLacGMKeJbe3
                              MD5:E7981E4EABF8EECFD2B04CB0E8A2EC66
                              SHA1:2DD97EBF698EE17D920CAD426DBC3E0544036BF7
                              SHA-256:CF0302DDC22FECB5188A21A925E54CEA4AE13F56A280AB6FD782DB9F3682EE67
                              SHA-512:A96935A25F9E83268914A0A701869F713E5342EA144271044FF5526DB762FB87E5355CC432325E8716A2E645A51BF6F2749D195A5E16EF95F0B17FF0BB9E1BE6
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 9 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All rights reserved. Portions \251 2015 Beijing Founder Electro
                              Category:dropped
                              Size (bytes):96504
                              Entropy (8bit):6.905150890688311
                              Encrypted:false
                              SSDEEP:1536:uwgyQxUdVPoiXPUtsLwO7nl5v5jy/CrY/d64x9JEALs24Eiwkixhh65LF1LtC2FY:uwrQxYLwO7DxMCcHHEAw24fTixmD82FY
                              MD5:4D8E8240854B778200380C44DEF4D74D
                              SHA1:9D9D54BA0AB6452EB175ED22497930054970DEAA
                              SHA-256:561007583B37EF03C930D6D38A7D7CF91225FE0F4A9F92DBE4509785B4B378AE
                              SHA-512:08734977D29A5C90E80D48C4D9781CB05D11A8E14E42ABD002B447A3C6AFB50733B5227BE31453FDD5E50AAA54ED00ED2A3D703B9E68ABDF67DD71D846F5F45F
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Microsoft YaHei BootRegularMicrosoft YaHei
                              Category:dropped
                              Size (bytes):155740
                              Entropy (8bit):6.885260309833718
                              Encrypted:false
                              SSDEEP:3072:ALIfwrgbdvrvnJA+PpDf8+52iqYJIrA/j3CuqXZ07F:Ao+SKy8+52fxrA/FY07F
                              MD5:366DE78FA51A6CAAE6F506F11DCE7818
                              SHA1:C72CBD2EF98FAC3F1C2B98C4D997CD3F94DD89B3
                              SHA-256:AD022D7317CF6AC8FC8A9A86F777A62DA396B513AA2577A6233DBC6A66492A59
                              SHA-512:A284E9EEAA29140E2EFC64DF1AF8149F5FDC2DC6AA68DFB9EBEBCA4BAFA62E299843D894289DC55771146776C588F2AD42E9491BB31D96B2D48355D4954FF50F
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All Rights Reserved.Segoe Mono BootRegularVersion 1.36SegoeMono
                              Category:dropped
                              Size (bytes):43836
                              Entropy (8bit):6.743630972093941
                              Encrypted:false
                              SSDEEP:768:yMqc6zKj4VbPfNmZHjHw1/9bnvRzZXEBns:yMqc6zKj4VbPfQy1/RF9EBns
                              MD5:1814642F244BE03E70DD436543BD097B
                              SHA1:52A4123EE7B85739F13D5795A5446A0A3A59A22B
                              SHA-256:6B724E470E125B5C622CD6BA950CAFED16DCD42796930C930320FF3CF807CF4F
                              SHA-512:9390009F552DE97DF8F17CAFF9AFEAE21DB9BC5A7C286E6DCBE7658AF090196D1F41AC3839C24D094D0A46AEF39BBC4999711CEA2308E3B9195AAB45254206AF
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 12 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All Rights Reserved.Segoe Boot SemilightRegularVersion 1.36Sego
                              Category:dropped
                              Size (bytes):85156
                              Entropy (8bit):6.6448134576461335
                              Encrypted:false
                              SSDEEP:768:BepCQplqLXsx4htkOJIF54vILHMlUwZaIRi5Eiboeb6BfSpnAGWJFXEBE:nfrsxWLu54v4HqVZaGDF2ifS2GgEBE
                              MD5:3D8EE538822C7AF6FA9568DA92211E34
                              SHA1:5E217728102C2B704ACCD83DB83C9D87121B7C5A
                              SHA-256:7EFA071273D63913839333050A2B9842E4B4A268B50219F2C2847071EFCDA673
                              SHA-512:3C48CE160F5702B30563614CDC731280AF11EF62D8E526B4AEA44252268472A4931F004547E51FB303E8FEF33291FF6EAFCF216C84FF8C9F81D4FB4495DAEAA4
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 12 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All Rights Reserved.Segoe Boot SemilightRegularVersion 1.36Sego
                              Category:dropped
                              Size (bytes):84840
                              Entropy (8bit):6.596968699365827
                              Encrypted:false
                              SSDEEP:768:0VbS59oFdCP0E5qV8p7NVtsSo4PfrTfdp9rG/0CGoW4vz8OIFCm1DkXEB0N:+b2hP0EhVts4nrTXI/moLp+sEB0N
                              MD5:26940BC68D7CA50C3069F225CBEDE544
                              SHA1:8564878420094B18BF5CE8CFE1870C2530061187
                              SHA-256:B1EE933A85278A7BF0CD5C0FC19DBB145223C8F3A3E8A999DBA7A269F1C246CC
                              SHA-512:A95181462CD1215D6FFD4DF7AE5BF3D91C8CA22AECE4990432E277ED30DDABBB092CAD2E7BBB53ECD8AD0023AB026497372B5E7CC2C348DC4C77AF9DB7D77C4C
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 17 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.wgl4_boot is a trademark of Micro
                              Category:dropped
                              Size (bytes):47452
                              Entropy (8bit):6.653349676863251
                              Encrypted:false
                              SSDEEP:768:/8KlPfaMmkeN4bKJX5zJN+D3eegCLmlor54NBHyh87kUJ3JnP/Ba/32UUU5wD2US:1CiuJXNuofSUBozIvS0YHaeYE
                              MD5:D5CED633BF8446A3315EC58CD60148C1
                              SHA1:8B4BCFC504A763FD47FB85D49BF23C1C68C5BCFC
                              SHA-256:9AB081731E46DB6CF1248669DB7D6B09E9178B61B552A6A2287CA4202C83DA2B
                              SHA-512:6224C2B8E24A3A8C4AD46D9324098C8CC776659F86E1CFA60B15C32199D741D2652489FF2F7AC996B0A899804F4BAF72AFB0B6338F0B15363AD1F8938072EE3A
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):1000760
                              Entropy (8bit):6.6888887558795895
                              Encrypted:false
                              SSDEEP:24576:4LgV83LzXYJLKSMech6ispJzc5YYmsRr6ylMwpbdgaocZT:4LgVLKRWTQ6Zs5DhgPm
                              MD5:A91EDE8485DE4F179527E94E6E6AFC72
                              SHA1:846105578B87EF9A75333A71ACA7A42E7F2E3609
                              SHA-256:BF8A9CC6A9774F7603CDE0C988E8E4AAE34CAC0C23663DFDFBB8DF8D719D41D2
                              SHA-512:3780F36FE14A22B1411588DF87A3BFEAE463606164E6BCAF992ADEEB4D4B29BA2B37EEDFB632795650F27B83DD40F1CBD72EF8399CA0CCDE76095437A285C4D4
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):92472
                              Entropy (8bit):7.906208295556921
                              Encrypted:false
                              SSDEEP:1536:RedILJQtthcQJB/uJ7+0glW7Rl30s6Sc6GvtaDBH1dvNIUo//xFAxkZa+oP7fqDc:RedIkhxGJ56SOtaDBpIwGhG/p
                              MD5:F8E8A4D7CBAF0B763B4E29454127F2A5
                              SHA1:1CB0AE6C8CF065701C45EAE9FB92D29F23CEBCAE
                              SHA-256:65E25EA21A2F873AFFEE8034E2C3381DF48FF4129D447FA288FBD92307647582
                              SHA-512:70B1B76D434135C91F0F382753266C4E2865C615A5E96851567EF7E6ECF8C880543900CE6C7707599FFE136B6B85503CE3CFEB54F4EDAC3FC942CFCEB2241A39
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:DOS executable (COM)
                              Category:dropped
                              Size (bytes):413738
                              Entropy (8bit):7.891572070474753
                              Encrypted:false
                              SSDEEP:12288:7A8U5dyYVCbc/dS+VOxz0R0WtTDGWffPX63Is:c8Xbc/NR0aGgs
                              MD5:25C4C0632E904DD7C943BC3554E8E449
                              SHA1:356C9752CDD51ACFB24881A2E3BDCDE8BD8BCAA1
                              SHA-256:4EEAC11BE050843D0D824850D8646B966CE45F23102FF955DBEF81D52C82D693
                              SHA-512:2DE601313E2A3E72B011FBC63A21694E044D2AC20D959D081E4E20031157BA836BD6F611EAC9FC3728ED56231E0CA94B11645DDEB71D044B58019D3066ECC376
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Joe Sandbox View:
                              • Filename: 5CG2133F5Y_2024-04-05_12_15_35.569.zip, Detection: malicious, Browse
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1541648
                              Entropy (8bit):6.471197612101592
                              Encrypted:false
                              SSDEEP:24576:JoIUrQYOvqgPagJUqBr0ZhSk9WXwVB8tsSxxbviIFbHM:mnaD3oq5X4ijbvPHM
                              MD5:5BD03D407D2D6EF78F360B9008308D6B
                              SHA1:D415EDD11B0BA1E0F6508FFB32C18E01BE2B4D38
                              SHA-256:96B7EE39AC13C0CE9A73F30A6270C526B8C832C1170E5F6774DEECE8AF012684
                              SHA-512:29CE47ABAAB4ABDF04CE8255CD9FD866AA5B9C5ADF4037D671564144A7BACD46260721C893E3E877E289BF068D800C62CE480431C74A0A88EFFFD38D50DBAA30
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Joe Sandbox View:
                              • Filename: 5CG2133F5Y_2024-04-05_12_15_35.569.zip, Detection: malicious, Browse
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (EFI application) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1557304
                              Entropy (8bit):6.462852640174996
                              Encrypted:false
                              SSDEEP:24576:C6JnRhCHzmfD9v0c/Du6/i3PcB+gGZ4YZBJ82t402y8PE9XrO:CGomf1XD34Pwl6J8zyRK
                              MD5:AE8AF199EF80311F9CEE9DE104A15496
                              SHA1:DDCAB237C2019264121D0A057C0851B02BD89D99
                              SHA-256:D99CA68BB147F5F30BFB96D9F16B557622AC5A86C2EFFA2D918BADECAA6F88EF
                              SHA-512:A16E960EBD8F0E76BE7972F2215865AFE3C46D87339359B25D5DEFB01DBF5303C080E61C2634B0A949192EEB1F9DDFB7CB72EE315F95415911C0BE6E0DE70AAC
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):16384
                              Entropy (8bit):3.19959031883874
                              Encrypted:false
                              SSDEEP:192:TLtEOHTQlKWZu4NjBp606loecfx/5HfOLB6wm7QwucNcGVgw:TLtEOHqRVIVpoh5/Ss9Ewv
                              MD5:C40D6D0407A253F0BFEE1BA6CF7381BC
                              SHA1:727F2995FB9740CF57CA51CD1697F819FFDE3CD3
                              SHA-256:BFF472748D463452679B3912C6E3317C23F310FC60D580C988F00237F2AB157F
                              SHA-512:A8AA5DC00ACD306986638A2AB8FA174B1B167C5DF95484A58BF61B36147BE9E4ED2751EEF1D0BE13CF31F77B04BCF5E64E70524889FAAC98901202EA1680B1B9
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (EFI application) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1174024
                              Entropy (8bit):6.504425775553499
                              Encrypted:false
                              SSDEEP:24576:fgzoPj1wQ2q8/VmnDIY4YC+a60ILphwPPmDoI3sE:Hvt8tC0YL3cInw3mETE
                              MD5:1309AF23DB7B4CDD16BB29B41D6975E5
                              SHA1:64AAA42897C2AB02B8B6F650C16E76B05E4D9CE9
                              SHA-256:9D10E66C25A7844E0852995F9018D91DA15B0F567B60DD0D806A50A7E7644D2C
                              SHA-512:C36565325E5F0DE8F70D2A678F9E32BE722BFA4E75CC57BD6E9DD99AF15BBB38FED64B9182ACAFC5FDECDA86BB35ABBB0F995CC8BCB0CC1A84E9AB02F8BBEE46
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (EFI application) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1174024
                              Entropy (8bit):6.504932125187226
                              Encrypted:false
                              SSDEEP:24576:tov4PQ+NpOZXwIbZl3ITj85hbm1g++14/PmVoIWb9:a4ugIlKTAvsgX4nmy39
                              MD5:BA914E4BB811A1B27220F020D2672167
                              SHA1:76331C09BF598A18EE5A86418D3DAB26F28DC25A
                              SHA-256:B95A79DE38A9AE70047ED0B44336B74F42CB63436400CBAA6EAF41AA100F6F12
                              SHA-512:B570A1C3EDA2B5708EFBA83807A34F2E7C361F24F20A101417D74A740C5B0B006CF514F0AAEDA4526677725E1E7E93382144A856E230DFA80547E7772788C8CC
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", root entries 224, sectors 2880 (volumes <=32 MB), sectors/FAT 9, sectors/track 18, serial number 0xa04878, label: "EFISECTOR ", FAT (12 bit), followed by FAT
                              Category:dropped
                              Size (bytes):1474560
                              Entropy (8bit):5.643588463148626
                              Encrypted:false
                              SSDEEP:24576:2gzoPj1wQ2q8/VmnDIY4YC+a60ILphwPPmDoI3s:Evt8tC0YL3cInw3mET
                              MD5:39F53846C64B774F2AA3D769ECCE79BB
                              SHA1:211A37BBB3F89FD085C03366D4C03F19268FA273
                              SHA-256:1525B5ABCCDC2C298693DE4DE64AF208EDB080E3068FCD6533967D2E2CF6CB4E
                              SHA-512:45AB6B00F618D8A2B432B74812A040F6F6C6A6838128401193DE1FBFB801E444C89D8873AEDE6254240F1E7B1C1AE9AE3F084928A4C1AA55EE95EBDFDC7EF70D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", root entries 224, sectors 2880 (volumes <=32 MB), sectors/FAT 9, sectors/track 18, serial number 0xa048f5, label: "EFISECTOR ", FAT (12 bit), followed by FAT
                              Category:dropped
                              Size (bytes):1474560
                              Entropy (8bit):5.6440088850090255
                              Encrypted:false
                              SSDEEP:24576:+ov4PQ+NpOZXwIbZl3ITj85hbm1g++14/PmVoIWb:/4ugIlKTAvsgX4nmy3
                              MD5:FCFEA6EEB6621D715C92C228FCAE72A2
                              SHA1:E128CA8E7E191085D47C372F514BB1D6C118C129
                              SHA-256:D4B0FE8BEB71749901D76327E5246205DC349B360BA7D91E5EF7B6931BB9DFF0
                              SHA-512:491AEA4E634DA5342C006FF0F847B1DC6B8C397B07DC9CA92D2965379026A4FF80A2E616D96ABBC5D3A3EA2A34A9D61C6DF1293CD79C7F6C9BBE31EC80A6E992
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \375 2006 Microsoft Corporation. All rights reserved.chs_bootRegularVersion 1.01
                              Category:dropped
                              Size (bytes):3694080
                              Entropy (8bit):6.624448833616754
                              Encrypted:false
                              SSDEEP:49152:JRLb7Lb7Lrrb7brb7Ewmgi4uYCgrGgCYuU1B3zCOGHrSGjwe18wGHLuRapXtb:5z1GHrHwe1auRa1V
                              MD5:CEC569AA88293C3711AB8CE68523227E
                              SHA1:03AD7AADA17A724FA9B7B2926D99026F7B673008
                              SHA-256:13E470AB455716E87E0C7A89A8605A33D8DADC245F445141B3D9869DA87FEB20
                              SHA-512:01C83C69169CCC560154851219891A4EC9E2A877251FF7AC8373D3627C74AE3FDABA0D15894352D3A81E29926BAAE1C084D7E4F8EB5246F97F44BE49AD1B97D9
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.cht_bootRegularVersion 1.01
                              Category:dropped
                              Size (bytes):3876772
                              Entropy (8bit):6.621508159631719
                              Encrypted:false
                              SSDEEP:49152:jvLb7Lb7Lrrb7brb7Ewmgi4uYCgrGgCYu+SV7SkCrWGBydrGOIs5KknYNqW8Lf:88WbGOIghnW8j
                              MD5:409CAA06620BFD1EC6D6B10F0A67E428
                              SHA1:8280FF3C730E3D2F62640A859AC752135E791FBC
                              SHA-256:713EA9CDF88A141B9F5FE983AFE7296FF60749F934663D5A2B62CB49AAF7BE12
                              SHA-512:172EFA15F1B5AEAFA909ACF39111F523379B9666F59005C80FA09CD7163A8A54A0EACEE4CC55C99464C82253DD19E2C7615B6FE86BF0C9B03F34A8FCE1DC21A8
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.jpn_bootRegularVersion 1.01
                              Category:dropped
                              Size (bytes):1984228
                              Entropy (8bit):6.670006435019523
                              Encrypted:false
                              SSDEEP:49152:pPe6imLe3IWYidPwzDXV7wPxHaHNzE/DfD3t8ZHHzOxw3wt:1gaHNzyDfD3t8ZHHzOW3k
                              MD5:27B5282821B61D8C6678FC577E9C1E73
                              SHA1:2AB6B331D79FD3BC9C99B11E8AEDD776A4423EC2
                              SHA-256:F2D36224161E8A1772208473C4310B2897F2B25AF7733174AFADF61773870F95
                              SHA-512:6FFDC5AF67F6092C317740603C5F28C9AFA400B23B66064249692A30D44788AC61C9B3DEED98CE23BF53A6B410D438AA2F16A57D40091EBA2391564CB9E94D51
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 15 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.kor_bootRegularVersion 1.01
                              Category:dropped
                              Size (bytes):2371360
                              Entropy (8bit):6.254408952598701
                              Encrypted:false
                              SSDEEP:24576:CpPa2PYJqzMtenwoZ6DcTrk3LM9RlbkwoqR8QKV60MYCByDp7RbIUQ+b:OBrk3LM9Rlbk/fuGb
                              MD5:FE9445AF8AC72E14F172A12EDF525494
                              SHA1:53691A366606E9A95AD06F3AB7459621D9004D3C
                              SHA-256:295A115432230017AC2E7E892DA1594F58FB3AF04B217E4D0AA4ED948AFE9471
                              SHA-512:CD48889F0B7F40536A19C38D8341FE436621CB3D257A511D1D22DD3598905F2EDCE33C20CDFFB6D1D6878CD273D43249B5279EFED5349A7A1C0CE06D70963D4D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Malgun Gothic BootRegularMalgun Gothic Boot
                              Category:dropped
                              Size (bytes):178400
                              Entropy (8bit):6.873543579071386
                              Encrypted:false
                              SSDEEP:3072:ISDTk5OhPZl/tjS2G/dTppFlXKHl+S/fLvVyfBsgemclbP:9hP7JS2MTXOF+x3E
                              MD5:3FF3EC226F656B3D718C4E4FEBBD31A6
                              SHA1:5EAB0B797FDFB21610BCB5AA7B52F27D6B332BE6
                              SHA-256:C21592992C7F374ABC6218206BBDA65AFD98C5FF9322C2296DA24C7CFFD72D9C
                              SHA-512:7C1BE17A59B7EF365AA65F67C3C8F226427364183EB24F3E9B2E89E70E34074F80813B18EFE1CC61F00DB954CBEBB0242E8478E663481BBFF56486C1C305E175
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 9 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All rights reserved.Malgun Gothic ConsoleRegularVersion 1.00Mal
                              Category:dropped
                              Size (bytes):81412
                              Entropy (8bit):6.841696963636173
                              Encrypted:false
                              SSDEEP:1536:hi4wgM7xG6sxdwYokEEIeiEU4wfo+AhPPtfUm7S6LSw3zEB9:Pwt7xGz+QUEUuRUm7S6R3zEj
                              MD5:6AB5EBC02CE731CC6B1938B63693484E
                              SHA1:B4AADE614AD15BD9BD4EEA5A7C996982FA462898
                              SHA-256:C1E77B387320B56B72B32BFB74719C07F28DA2DD8407F45CCCC50C2A26BA9E02
                              SHA-512:CC0E1ED731A22E79AF823FF29E7FFB3142ED475F78645AABB8AE3E27C20EADF87C941A577D37AFD0FF9971420000F2D64092DD768E62720749C64EEF8329BC00
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Malgun Gothic BootRegularMalgun Gothic Boot
                              Category:dropped
                              Size (bytes):175944
                              Entropy (8bit):6.887679604293664
                              Encrypted:false
                              SSDEEP:3072:8LIfTlwGbdvrvnJA+PpDf8+5vzVsG9+5aaRJ7wdnngmR/ME:8oJwAKy8+5voPwxZJ
                              MD5:726B387C66E1FC2EB0B88BDA4C6F4C94
                              SHA1:E86348C969FFB58DB28007C5CE9D223629C74BE2
                              SHA-256:58DD74FB3BA9D0B4E7AE3F5E42289A59F77628BCBE0BF1ED722794A707BA99C5
                              SHA-512:DAFCBF793C50CC4F470F6F7080DAEE845681C95D2F128403B0FF79EF0802EDAE8F306BBDAD8E2B884135D47CEC0F9CCA31103A3E3D3628CA8FF56F8784F6494B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Meiryo BootRegularMeiryo Boot RegularVersio
                              Category:dropped
                              Size (bytes):144736
                              Entropy (8bit):6.93238749054203
                              Encrypted:false
                              SSDEEP:3072:DDTk5OhPZl/tjS2GnQaowGXKE6qyP4Ua6R9C49:FhP7JS2KQaowEZyP4UPLC49
                              MD5:85D0D36B7FA1671ABAB896C68408B429
                              SHA1:3634D9246F2791AF84E90A357E8A7CFF435909D5
                              SHA-256:542E9827666E0FFD0A42B934BDA65025635DFD3E6B689A9F0530679F8DABEED6
                              SHA-512:9B5B8F7E0F09F221C409F85F88A3C59E0999CAD299C4F06E4A5F6D43E4E0E893CBA004D80553146C6FB77FDFD8F121B395E81104FCCDAC2E563499CA9FE5DBEF
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 9 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All rights reserved.Meiryo ConsoleRegularVersion 1.00MeiryoCons
                              Category:dropped
                              Size (bytes):90600
                              Entropy (8bit):7.027463315882515
                              Encrypted:false
                              SSDEEP:1536:dvw0/RAEMUChRQYFMEi3+P//EBTawhzn46GyIXVVNvj/NMEBT:Fw8CheYqEi3+P/DwEye5jKEt
                              MD5:600E450207722049644A03F47941B1AC
                              SHA1:70FB2CE2F14D31F502B6E674458DD9C01F54D202
                              SHA-256:1375B4D85BBCA1B20987004C3B4D6CA159F8008AC049CA6A1D14006D4E89BBF7
                              SHA-512:7FBAFFF2A35BCDDD508AAF3C0A5B8A0D8885083DDCF725A5C9A2A0CBB08ABE4087324AC01D211C2A5EC719AC9A0B4735433524457258132A19FE7842B9D87DB9
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Meiryo BootRegularMeiryo Boot RegularVersio
                              Category:dropped
                              Size (bytes):143072
                              Entropy (8bit):6.9076965895867355
                              Encrypted:false
                              SSDEEP:3072:NLIfz6WubdvrvnJA+PpDf8+54FNl8kk5gqs9TrQEvNmsY8cXIFbgC:NoIKy8+54FNl8Vgn9Trvv0L3IFd
                              MD5:B4568E137C1815C8C2ABD6041460E16F
                              SHA1:2932E854D4D2457AEA375C1A2708F7AB18499569
                              SHA-256:96A248044009C664909EC944BB0D0079A088269394B14A12516D4A648506AAAB
                              SHA-512:E3339CD650B97E7109BE6126E8EA84AA906B0838D61C099D64B7CCA6AE47BB87018AFFECB2B23D633E0681739069A992B8CBBF263DA5E57F535C83E17BAED724
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Microsoft JhengHei BootRegularMicrosoft Jhe
                              Category:dropped
                              Size (bytes):161416
                              Entropy (8bit):6.866658086234466
                              Encrypted:false
                              SSDEEP:3072:lgTk5OhPZl/tjS2GGNjJVPnwd16OcPDyeJ3H0RTIBxk3:MhP7JS2BdJK7ncbvJQTmxk3
                              MD5:26EC06F33F50FEA79C909FDB87C80EAC
                              SHA1:3D9DF5F8410756C2BB1E93E7338D83447460E571
                              SHA-256:761ADE9653C0C814A95893BB00DAA2935AE5ED717B2C798AC9CA5205CEE49332
                              SHA-512:270AAD53F4958574C5D33A6BADE95FBE55B19ED0B3BF1299AF5E66BCDC4176F3635271EB1C760F0F714AECAA9C64A69CAE56AB414A3EF2291180033321520091
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 9 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All rights reserved.Microsoft JhengHei ConsoleRegularVersion 1.
                              Category:dropped
                              Size (bytes):202808
                              Entropy (8bit):6.877586993777387
                              Encrypted:false
                              SSDEEP:6144:WXcf7AzDZGhGPlgsL9Jj7q9nWFhVoOU3FmU9AdZioFx6squ+zPIc0LHgX8PjR7KU:Wc0fYh+lgsL9Jj7q9nWFhVoOU3FmU9Ad
                              MD5:404CCA9EF1A112D1617F6198104C6FB4
                              SHA1:D571527AB44EC39FDA45120CBB9C13F4851AECD5
                              SHA-256:8D753E0B32D05060D5F65BC6DEBE502DE1D658AC7645704061A2D2D5529BA6D4
                              SHA-512:8E553B7C0F940A22468737A730758674857F30A0157DC003C539FC002A8A2FA3BB9CAF16CD36472F0FB11FC523896894F974F5466AC3248209D7BC145D393D28
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Microsoft JhengHei BootRegularMicrosoft Jhe
                              Category:dropped
                              Size (bytes):159388
                              Entropy (8bit):6.861417062904686
                              Encrypted:false
                              SSDEEP:3072:2LIfbEfDbdvrvnJA+PpDf8+5q820RBqTbtJRKr/w3BEAoJ1MBxkZ:2oQVKy8+5q8C/tJRKrIREA7xkZ
                              MD5:D9CCE26C671B31F427909DEB60D275B6
                              SHA1:73EADA64D838AA5F4D40A86F99597E3581EA764E
                              SHA-256:AF3D41967979F7F54C7FCE038E07E830D3673D89BEA4883E02F3254EC7189CCE
                              SHA-512:1434FA53355CF826A731BBB99AFE25292D3CF72915C6047E0967A7F43C350D8DA2CD826D00D1956DEF06602B1C5C9C1CF77EB9BB430560B0A02BBD558C31A43D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Microsoft YaHei BootRegularMicrosoft YaHei
                              Category:dropped
                              Size (bytes):157576
                              Entropy (8bit):6.867304542992183
                              Encrypted:false
                              SSDEEP:3072:BxTk5OhPZl/tjS2GVohZLacGMuheTC4EBoVpe5h:phP7JS25ZLacGMKeJbe3
                              MD5:E7981E4EABF8EECFD2B04CB0E8A2EC66
                              SHA1:2DD97EBF698EE17D920CAD426DBC3E0544036BF7
                              SHA-256:CF0302DDC22FECB5188A21A925E54CEA4AE13F56A280AB6FD782DB9F3682EE67
                              SHA-512:A96935A25F9E83268914A0A701869F713E5342EA144271044FF5526DB762FB87E5355CC432325E8716A2E645A51BF6F2749D195A5E16EF95F0B17FF0BB9E1BE6
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 15 tables, 1st "DSIG", 9 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All rights reserved. Portions \251 2015 Beijing Founder Electro
                              Category:dropped
                              Size (bytes):96504
                              Entropy (8bit):6.905150890688311
                              Encrypted:false
                              SSDEEP:1536:uwgyQxUdVPoiXPUtsLwO7nl5v5jy/CrY/d64x9JEALs24Eiwkixhh65LF1LtC2FY:uwrQxYLwO7DxMCcHHEAw24fTixmD82FY
                              MD5:4D8E8240854B778200380C44DEF4D74D
                              SHA1:9D9D54BA0AB6452EB175ED22497930054970DEAA
                              SHA-256:561007583B37EF03C930D6D38A7D7CF91225FE0F4A9F92DBE4509785B4B378AE
                              SHA-512:08734977D29A5C90E80D48C4D9781CB05D11A8E14E42ABD002B447A3C6AFB50733B5227BE31453FDD5E50AAA54ED00ED2A3D703B9E68ABDF67DD71D846F5F45F
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.Microsoft YaHei BootRegularMicrosoft YaHei
                              Category:dropped
                              Size (bytes):155740
                              Entropy (8bit):6.885260309833718
                              Encrypted:false
                              SSDEEP:3072:ALIfwrgbdvrvnJA+PpDf8+52iqYJIrA/j3CuqXZ07F:Ao+SKy8+52fxrA/FY07F
                              MD5:366DE78FA51A6CAAE6F506F11DCE7818
                              SHA1:C72CBD2EF98FAC3F1C2B98C4D997CD3F94DD89B3
                              SHA-256:AD022D7317CF6AC8FC8A9A86F777A62DA396B513AA2577A6233DBC6A66492A59
                              SHA-512:A284E9EEAA29140E2EFC64DF1AF8149F5FDC2DC6AA68DFB9EBEBCA4BAFA62E299843D894289DC55771146776C588F2AD42E9491BB31D96B2D48355D4954FF50F
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 11 tables, 1st "DSIG", 10 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All Rights Reserved.Segoe Mono BootRegularVersion 1.36SegoeMono
                              Category:dropped
                              Size (bytes):43836
                              Entropy (8bit):6.743630972093941
                              Encrypted:false
                              SSDEEP:768:yMqc6zKj4VbPfNmZHjHw1/9bnvRzZXEBns:yMqc6zKj4VbPfQy1/RF9EBns
                              MD5:1814642F244BE03E70DD436543BD097B
                              SHA1:52A4123EE7B85739F13D5795A5446A0A3A59A22B
                              SHA-256:6B724E470E125B5C622CD6BA950CAFED16DCD42796930C930320FF3CF807CF4F
                              SHA-512:9390009F552DE97DF8F17CAFF9AFEAE21DB9BC5A7C286E6DCBE7658AF090196D1F41AC3839C24D094D0A46AEF39BBC4999711CEA2308E3B9195AAB45254206AF
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 12 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All Rights Reserved.Segoe Boot SemilightRegularVersion 1.36Sego
                              Category:dropped
                              Size (bytes):85156
                              Entropy (8bit):6.6448134576461335
                              Encrypted:false
                              SSDEEP:768:BepCQplqLXsx4htkOJIF54vILHMlUwZaIRi5Eiboeb6BfSpnAGWJFXEBE:nfrsxWLu54v4HqVZaGDF2ifS2GgEBE
                              MD5:3D8EE538822C7AF6FA9568DA92211E34
                              SHA1:5E217728102C2B704ACCD83DB83C9D87121B7C5A
                              SHA-256:7EFA071273D63913839333050A2B9842E4B4A268B50219F2C2847071EFCDA673
                              SHA-512:3C48CE160F5702B30563614CDC731280AF11EF62D8E526B4AEA44252268472A4931F004547E51FB303E8FEF33291FF6EAFCF216C84FF8C9F81D4FB4495DAEAA4
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 12 names, Microsoft, language 0x409, \251 2016 Microsoft Corporation. All Rights Reserved.Segoe Boot SemilightRegularVersion 1.36Sego
                              Category:dropped
                              Size (bytes):84840
                              Entropy (8bit):6.596968699365827
                              Encrypted:false
                              SSDEEP:768:0VbS59oFdCP0E5qV8p7NVtsSo4PfrTfdp9rG/0CGoW4vz8OIFCm1DkXEB0N:+b2hP0EhVts4nrTXI/moLp+sEB0N
                              MD5:26940BC68D7CA50C3069F225CBEDE544
                              SHA1:8564878420094B18BF5CE8CFE1870C2530061187
                              SHA-256:B1EE933A85278A7BF0CD5C0FC19DBB145223C8F3A3E8A999DBA7A269F1C246CC
                              SHA-512:A95181462CD1215D6FFD4DF7AE5BF3D91C8CA22AECE4990432E277ED30DDABBB092CAD2E7BBB53ECD8AD0023AB026497372B5E7CC2C348DC4C77AF9DB7D77C4C
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 13 tables, 1st "DSIG", 17 names, Macintosh, Copyright \251 2006 Microsoft Corporation. All rights reserved.wgl4_boot is a trademark of Micro
                              Category:dropped
                              Size (bytes):47452
                              Entropy (8bit):6.653349676863251
                              Encrypted:false
                              SSDEEP:768:/8KlPfaMmkeN4bKJX5zJN+D3eegCLmlor54NBHyh87kUJ3JnP/Ba/32UUU5wD2US:1CiuJXNuofSUBozIvS0YHaeYE
                              MD5:D5CED633BF8446A3315EC58CD60148C1
                              SHA1:8B4BCFC504A763FD47FB85D49BF23C1C68C5BCFC
                              SHA-256:9AB081731E46DB6CF1248669DB7D6B09E9178B61B552A6A2287CA4202C83DA2B
                              SHA-512:6224C2B8E24A3A8C4AD46D9324098C8CC776659F86E1CFA60B15C32199D741D2652489FF2F7AC996B0A899804F4BAF72AFB0B6338F0B15363AD1F8938072EE3A
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1348920
                              Entropy (8bit):6.474608166241942
                              Encrypted:false
                              SSDEEP:24576:VGyIKFKdblSk5H9bsO3lK5+hWBWr+2TdNHgnPmMoILc:V4XnH9IiKpWRdWPmVic
                              MD5:D64BFE061C91DA0D075AB82EA2FCE80F
                              SHA1:DF762E5980404D8BFC78A8820C9A782EB00EAC33
                              SHA-256:C82C03D1AC791411B7010DB2FC9776F2011420E531B8444A3C96CCE6F854EBAD
                              SHA-512:8921D0BE996ECACF1726393665D777E3D415A13433CF7D6248020B34BA1CF24789369F46EEB1EC9C511EDF7B4BB7641A8C2B2FC1E969EC42F7FE6578ADB624E4
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):92472
                              Entropy (8bit):7.906101345653441
                              Encrypted:false
                              SSDEEP:1536:UedILJQtthcQJB/uJ7+0glW7Rl30s6Sc6GvtaDBH1dvNIUo//xFAxkZa+oP7fqDY:UedIkhxGJ56SOtaDBpIwGhGbJ
                              MD5:28B26CB6B5E9057AB355788EDC72BF21
                              SHA1:F079448DCDC7086A0A47C28463889B15DD98A038
                              SHA-256:6F50669F0D41AC5C7190884ABB382F08BF433323EA31B24BB1C29EE66B669BCB
                              SHA-512:2E39628B1E705139AC6393A19CB907BD901F896F77E73FA3520C0DB0DC0B9C3F833DAAF9C303EAEDFA4774359BE59BCDE43BD3A8223A59BE805369256AC4F1AF
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9796
                              Entropy (8bit):4.455337419548135
                              Encrypted:false
                              SSDEEP:96:+RMUFiTSLlqsR2nUcHDXfDbzk3b1chwpVS+hwDD0pBDXiebs/Am2grWXGuyDXBV5:+BWUc8LZS+hDBQABJSrn
                              MD5:DDF47D8277CC898F8FEBDB9D174B522F
                              SHA1:41BE1F759A40E394570211A23ACFDABEDB5AF2D3
                              SHA-256:5A64E02186231B2BAB79940DFFDDFD7A34EBF83C8939C60464512932147D9111
                              SHA-512:DBBCEA7673B79F72BF5EB7D312921C7A376AE0580757A8B73E4F5A5D9CD38B1A1575307B732738453371DFAB4FCDE27CFFBB8D5D88F14AFFC018AA0B685DE83B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):74184
                              Entropy (8bit):5.949710451370151
                              Encrypted:false
                              SSDEEP:768:e0MY51JNdyjTm2fW3nrY8gV/SzpzlV3Cm0i5q1O+DGpNADd5D3Uf3Lp:HT5OjFfW3nrY8gIVphD0i5UOigf1
                              MD5:F79384EA10CB3239563D3CFEA5560210
                              SHA1:34ECB5B3409B2A2936984CD0C6371A6497CF4392
                              SHA-256:30043368051CCAAD512558F0C08A3F3DA57F15967F38A76208F64EFF06EE8043
                              SHA-512:513D097B9EDCD665DD38911A2C495DF517FD0AD3116A1D3666284148CB4058002673C270B5997625054E25282D9EA2CA81CFAE2ADEDD441FC734994EC629BC2E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:JSON data
                              Category:dropped
                              Size (bytes):42555
                              Entropy (8bit):5.509497337550702
                              Encrypted:false
                              SSDEEP:384:E4knqbe2IJXuYJKgXZsWTPbDPpdBUUHD+YL4NHGfIRhPN/OPHOLoB8s4xG:Oqbe22Zs8xdB1ANHvhPzcqw
                              MD5:671D45E023BB27ED2F36720E3C9701BE
                              SHA1:F0589100C7E10AF3BBBA5A4479B2E674E9A163F4
                              SHA-256:5D85B33E59627975EED94B71A46C8938727731335CF28251CB2D923C26E97179
                              SHA-512:1A8FD832D7E29A99D1205672DFFA738B58C5A41189CB470AF1B0B3F7DC2B9EE4A603066051E439D18BC45B606227E4D767B3FEDCEA0B10183E66C07A68D53F2E
                              Malicious:false
                              Preview:{"files":[{"fileName":".windlp.dll","SPDXID":"SPDXRef-File-windlp.dll-67460BE88AA3FBD087189A05E6CF65F754CECD44","checksums":[{"algorithm":"SHA1","checksumValue":"67460be88aa3fbd087189a05e6cf65f754cecd44"},{"algorithm":"SHA256","checksumValue":"ad94d1016f095026f64bbf1b2bc80d7c67643918dd92ef583bd0d875e8c116c2"}],"licenseConcluded":"NOASSERTION","licenseInfoInFiles":["NOASSERTION"],"copyrightText":"NOASSERTION"},{"fileName":".mediasetupuimgr.dll","SPDXID":"SPDXRef-File-mediasetupuimgr.dll-2AE850FACF1FE2EBBCDED4FF51C62BABB15473C6","checksums":[{"algorithm":"SHA1","checksumValue":"2ae850facf1fe2ebbcded4ff51c62babb15473c6"},{"algorithm":"SHA256","checksumValue":"0fdab9d4a6e10c99d352cf60b72a314d48d9be15afcb849717a8163302787bb4"}],"licenseConcluded":"NOASSERTION","licenseInfoInFiles":["NOASSERTION"],"copyrightText":"NOASSERTION"},{"fileName":".setupprep.exe","SPDXID":"SPDXRef-File-setupprep.exe-5DAFC3040DE95C773A1C2771896EA1E7E180E19A","checksums":[{"algorithm":"SHA1","checksumValue":"5dafc304
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):128
                              Entropy (8bit):2.853680540046664
                              Encrypted:false
                              SSDEEP:3:0ldlyXloYUSl1abyDoKQSldybXlSYV1lzlJHlXAlFXlQlXliGjl5lll:cnClNLl1aKo2l2Sm1lzlElXQl1lZ5/l
                              MD5:F9FBD2DB488F0E28844FDE705DD9D2FF
                              SHA1:58C2ABBEBD89260F5EE609CEED106F1E3AB14EED
                              SHA-256:041242DF12F3F46E369913BE47727A1D0D70AEC51313EA840602B09E52D7A3D6
                              SHA-512:267BA7D366E5E4B5253378786571C25E753F7FBE999C22B4F645771AFE5401860B7B9E2E8B119D40A3F5426170CC3657A1B672779DE45469BA6FBC284C1B76A8
                              Malicious:false
                              Preview:5.d.8.5.b.3.3.e.5.9.6.2.7.9.7.5.e.e.d.9.4.b.7.1.a.4.6.c.8.9.3.8.7.2.7.7.3.1.3.3.5.c.f.2.8.2.5.1.c.b.2.d.9.2.3.c.2.6.e.9.7.1.7.9.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):370008
                              Entropy (8bit):6.218700988367457
                              Encrypted:false
                              SSDEEP:6144:UsT2dMd6UJLZWySKF7bsSfjiR3H7c1e7cbFUb:UhqkyFdwSfjsIQ
                              MD5:B5C4220FEEF7B0165F6EDD5A5D8A7E2D
                              SHA1:3A4B1094FC0558D4F04128A42AEFC8228B3E6BF7
                              SHA-256:A539BE4E927C5B92686226937BE3C4CF5C2CC6799E84D8960D05F271E3E13E13
                              SHA-512:5CD576C3E023F3880B55F4CED0E6E23E042BAC3CA5403D375F69E54DF8739E74A3E5C7BBEE3355AE19A8C0B543E110CEA39ACFBC1EC393092ED593392D2AEA4E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):333672
                              Entropy (8bit):3.690295661687951
                              Encrypted:false
                              SSDEEP:3072:pmB/mc1wub7Yx7WcMvZlW6SHGePnpTNyj9eM1dMxOrUiiyAZ5T:G1T73jGCAeg
                              MD5:33A0EDA33B09E1CF4349BF3BB3D425ED
                              SHA1:80A8981B70AE78A89770696F04F4C19DA2CB2889
                              SHA-256:1705972A2F54011531825D7929DD9E7817658619AF179FB3BAB70B2C69ECD727
                              SHA-512:C45DDB303471FFA3AC723925B9F2DCD831BED1DC89CB001E96D71E91B7D8D7D6E7F0F7F7E7FC9168812FB05FEA0CF1D6D9DCAFE1EA14DA8A2271F8EF74A439EC
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):188728
                              Entropy (8bit):6.402810124756463
                              Encrypted:false
                              SSDEEP:3072:TXBbIscg1BSL2Rp2axYUVjONjuiHIQu8rKcfAUKXrbE7UvPr4m:Txs/gPSL2+aHsjuPQu8Wcg47UvPZ
                              MD5:5A1F9AF1DB5BFB2BE101F39ADDADA67F
                              SHA1:F9A1D7BF1402C49C1E83E4948A9C4EEA4337FB0E
                              SHA-256:3F7AD230F5E0C5B9292CA4871FFB1F9E8AA539CC448058479D4B1143DAF49A0C
                              SHA-512:0339839873AC17289D83BCB33786D276ECE26B6F9B08EB55023BD404ECB691973FF25C53F44A0AF2CE8366AB4B3363E51BE4F961E57A6DD67B1A85A41681080B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):50704
                              Entropy (8bit):6.076823748119587
                              Encrypted:false
                              SSDEEP:768:REsSPQnWSRVSW2wMeA1zo18kSU7QQV1pQOlNWzJbEKaRk2I1PBFaR:REuRsW2iAFoVSU7QQLqOniJbEDk/PW
                              MD5:E7756F4FA73DA1BD5B4A0F1B7EC1B0E3
                              SHA1:6A30D8D165F96C41094BA9550E99464777078344
                              SHA-256:FE98292A803AF83E3227D17E9A23C7BF7CBCF32320ABFC217BDD769BC86279BD
                              SHA-512:3EC083B82EB3E3A3CB9DD083638B27FBCE59300D829E630AD419A43DD538CD25D9103AC4092323CB831E5CDB13993AFFA683619B8599A9389C538869C1BC7AC6
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):73368
                              Entropy (8bit):6.224231941991184
                              Encrypted:false
                              SSDEEP:768:A4/1oaO3E/Ppw1dwpFbocVGDd/AYSx7+EBq4QLu9hv86YARPwWW7la2Kn9QAKn:p1o0Rwfwv0lSx7+ElnhE6YARYh7nk9o
                              MD5:0C4391652946673BF6208173824AA939
                              SHA1:66437E1454D7D21A934D7C1BF895D2C22FA363E3
                              SHA-256:F23DD5FDEEEA2D5D9CE9CABC89D4921321DF050B4E8C4FBD280A4C4084DC6989
                              SHA-512:0B3061E7761C00E3472DB51E037018446F4B6DBF40BB21AFF8702D679AE8E0A02E4FDD14D670613EB493E75FE8AADCF1BD6655DD464F83BEAFBC9C29D4C972DA
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):773432
                              Entropy (8bit):6.217217916422799
                              Encrypted:false
                              SSDEEP:12288:i8K4CA4yukAe2u1PAlj4OLVIlMFcyBv/0xbQBYsNCxbzD3Ojm9gWl:i8ZClCjAcuv/JBYsUx/D3Ojm9F
                              MD5:AEB5BB00D0B0C031A04BF115504FDAC3
                              SHA1:498583E5F7C7B9D157B52E8557FB85052784B38E
                              SHA-256:AE74EC8D4C8F523CD129B5856B7152A99C88A1CCC1629A392A07DF6126C991EC
                              SHA-512:29294F603DD19BB831E8C27E6534E027366B3F2A5E9184CB726A99513AAF327C4AE6E0E5276BECA80EE4739E6451F4E5BE6B01D73080C7350BE590C26E69535D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:GIF image data, version 89a, 16 x 16
                              Category:dropped
                              Size (bytes):1046
                              Entropy (8bit):5.5930700860728635
                              Encrypted:false
                              SSDEEP:12:IhkR1ILMhowZgGBsNnYd/WsQfVXDS2K4o75/iRVSP+xgaB382TmqdGdSsdEGR:jRBh3g56Q39mn7UpmCskBsdf
                              MD5:185469541D3911CC6FB5DF2A75EBA7AA
                              SHA1:0D0961F6F7ABC819EE06232416346E629F65F01B
                              SHA-256:99C16416A622DAF460B3D15AB332450446EF9A1B86D85D4EDD4B62C770C42CFD
                              SHA-512:049FB488A3A8576812D5AC7CD67A1073274D6CC6D01D769FC002DEABA48CCBFBA59CFBBDE082CFB0B02D2C7A944640B5B13C0F9C5B2E2ABF2A92A49EE2BAA6C5
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document text (XSL stylesheet), ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):11673
                              Entropy (8bit):4.02804793116199
                              Encrypted:false
                              SSDEEP:48:wiZrldNQ5dNQiF8qz8SQ81HQAebE5l3fdNQG4xdNQWLU:wErLufui+qgSRWAvNuGkuWI
                              MD5:16B8DBACCAF28B902E611C9CD6511902
                              SHA1:E6D7E78C6BB0DC35BFAFDD4A64FC2BFFD73E1430
                              SHA-256:D2F700DAE3319DD01E71EFCBD03A11105351B3DB0D17F5EA49B80F7DA2229716
                              SHA-512:03A9404A87FEB2355DFF01058E20DB6717A123A52649D1822AE6A793AEA1ABCFF0676C61335D1A92A0839A403DF388F82E48AA3907198E065EC45C90B506443F
                              Malicious:false
                              Preview:<?xml version="1.0"?>....<xsl:stylesheet.. xmlns:xsl="http://www.w3.org/1999/XSL/Transform".. xmlns="http://www.w3.org/TR/REC-html40".. version="1.0">.. <xsl:output method="html"/>.... <xsl:template match="/">.. <html>.. <head>.. <title></title>.. </head>.. <body>.... <b>.. <xsl:for-each select="CompatReport">.. <font size = "2" face="Segoe UI" color="black">.. <xsl:copy-of select="Help"/>.. </font>.. </xsl:for-each>.. </b>.... .. <br></br>...... <xsl:for-each select="CompatReport/WarnAllApps">.. <table>.. <tr>.. <td style="width: 20px" valign="top">.. <xsl:element name="img">.. <xsl:attribute name="src">.. <xsl:value-of select="AppHead" />.. </xsl:attribute>.. <xsl:attribute name="align">.. <xsl:copy-of select="'center'" />..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document text (XSL stylesheet), ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):12498
                              Entropy (8bit):4.025879708102855
                              Encrypted:false
                              SSDEEP:48:wi1ZrwdNQsdNQmdNQiF8qz8SQ81HQAebE5l3fdNQG4xdNQWLU:wIrmuiusui+qgSRWAvNuGkuWI
                              MD5:256FAD0333C99D8A773CF072B204B9E9
                              SHA1:A8CCAF63469100FCAE9B9CC31499B579E48110D0
                              SHA-256:DC2BFD0C1AE68DB38D4F42B37A18DDB0915C525764ECDF55973E59430B2CD912
                              SHA-512:D01B5DAF7375B026258BD49B1F6BFDD5B7778744EDF90B7DFB92C1AC5D1C1D8332034D9990107AF7B3A555878DCE7A8DC6575ED83085D33E5438F1EF6D1D04F4
                              Malicious:false
                              Preview:<?xml version="1.0"?>....<xsl:stylesheet.. xmlns:xsl="http://www.w3.org/1999/XSL/Transform".. xmlns="http://www.w3.org/TR/REC-html40".. version="1.0">.. <xsl:output method="html"/>.... <xsl:template match="/">.. <html>.. <head>.. <title></title>.. </head>.. <body STYLE="direction: rtl;unicode-bidi: normal;">.... <b>.. <xsl:for-each select="CompatReport">.. <font size = "2" face="Segoe UI" color="black">.. <xsl:copy-of select="Help"/>.. </font>.. </xsl:for-each>.. </b>.... <br></br>...... <xsl:for-each select="CompatReport/WarnAllApps">.. <table>.. <tr>.. <td style="width: 20px" valign="top">.. <xsl:element name="img">.. <xsl:attribute name="src">.. <xsl:value-of select="AppHead" />.. </xsl:attribute>.. <xsl:attribute name="align">.. <xs
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document text (XSL stylesheet), ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):13608
                              Entropy (8bit):4.018504824073635
                              Encrypted:false
                              SSDEEP:48:wipdNQGdNQadNQvB8qz8SQ8Br/euEyiYfdNQro5g4xdNQTS1v:wauMuAuvSqgSR9Y4urlkuTk
                              MD5:12E6FA3AAE0F54E7D59460CF8715386C
                              SHA1:C7579C81A90C54378FE519ADC007AFDF546AE7B6
                              SHA-256:1894F3EC6804562A0C26802AD95FF7E77E4F1130683243DED38E8AB94CCDA780
                              SHA-512:A93EEA88A2069B7D69B8F75BE8E12ABC8B8F1F67C7886D7D70E5E87C43277AF9CC29ABC35E0021AC5953B94120059248F01D33F02144C3C2C8833DAE8B8ECC56
                              Malicious:false
                              Preview:<?xml version="1.0"?>....<xsl:stylesheet.. xmlns:xsl="http://www.w3.org/1999/XSL/Transform".. xmlns="http://www.w3.org/TR/REC-html40".. version="1.0">.. <xsl:output method="html"/>.... <xsl:template match="/">.. <html>.. <head>.. <title></title>.. </head>.. <body>.... <xsl:for-each select="CompatReport/WarnAllApps">.. <table>.. <tr>.. <td style="width: 20px" valign="top">.. <xsl:element name="img">.. <xsl:attribute name="src">.. <xsl:value-of select="AppHead" />.. </xsl:attribute>.. <xsl:attribute name="align">.. <xsl:copy-of select="'center'" />.. </xsl:attribute>.. </xsl:element>.. </td>.. <td>.. <font size = "2" face="Segoe UI" color="#1370AB">.. <xsl:copy-of select="Message"/>.. </font>.. </td>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document text (XSL stylesheet), ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):13732
                              Entropy (8bit):4.020339342776614
                              Encrypted:false
                              SSDEEP:48:wi1pdNQGdNQadNQvB8qz8SQ8BRoeuEyiYfdNQro5o4xdNQTS1v:wOuMuAuvSqgSRwY4urpkuTk
                              MD5:AA3384EEC54F1A6D34CA27505DFB5CCF
                              SHA1:32B7A57947166CFE33F418FC7E79BAAC7FEDFF7F
                              SHA-256:9D41DB8D6904676D443F8032F018AAFC71610D8A3F5EF9464565CD834419CFCB
                              SHA-512:8A12AAC3E47B825962E6B9A3310112FE2054450953C235F402EA68B1EF75C794C11076CFB75540D6951B9B0CEF0B94A56A81B66E2B9D437D5AFF2FF37D3AAE10
                              Malicious:false
                              Preview:<?xml version="1.0"?>....<xsl:stylesheet.. xmlns:xsl="http://www.w3.org/1999/XSL/Transform".. xmlns="http://www.w3.org/TR/REC-html40".. version="1.0">.. <xsl:output method="html"/>.... <xsl:template match="/">.. <html>.. <head>.. <title></title>.. </head>.. <body STYLE="direction: rtl;unicode-bidi: normal;">.... <xsl:for-each select="CompatReport/WarnAllApps">.. <table>.. <tr>.. <td style="width: 20px" valign="top">.. <xsl:element name="img">.. <xsl:attribute name="src">.. <xsl:value-of select="AppHead" />.. </xsl:attribute>.. <xsl:attribute name="align">.. <xsl:copy-of select="'center'" />.. </xsl:attribute>.. </xsl:element>.. </td>.. <td>.. <font size = "2" face="Segoe UI" color="#1370AB">.. <xsl:copy-of select="Message"/>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document text (XSL stylesheet), ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):13371
                              Entropy (8bit):4.029534886728297
                              Encrypted:false
                              SSDEEP:48:L1pdNQgdNQedNQiF8qz8SQ8BRUeuEyiYfdNQpo5d4xdNQTSkQxv:BuWuUui+qgSRMY4upSkuTql
                              MD5:AFDC1E45FE7C879C7E555395C91F1797
                              SHA1:015D601F42192C3AF975D5AD69B4D12ED95B289C
                              SHA-256:7B65FE5F76D14FAD190C2443CD880F3A842D966FA8267960A68EB82CE2EAAF9D
                              SHA-512:2E3A8C9954B4E79DE58502ADF004EC5E617B19167A1D9AD2FE52572FFC90814ABDBDBB6D31ED3B90621201EBD2B29DA67EF416B51F434D8264A68281695EE488
                              Malicious:false
                              Preview:<?xml version="1.0"?>....<xsl:stylesheet.. xmlns:xsl="http://www.w3.org/1999/XSL/Transform".. xmlns="http://www.w3.org/TR/REC-html40".. version="1.0">.. <xsl:output method="text"/>.... <xsl:template match="/">.. <html>.. <head>.. <title></title>.. </head>.. <body STYLE="direction: rtl;unicode-bidi: normal;">.... <xsl:for-each select="CompatReport/WarnAllApps">.. <table>.. <tr>.. <td style="width: 20px" valign="top">.. <xsl:element name="img">.. <xsl:attribute name="src">.. <xsl:value-of select="AppHead" />.. </xsl:attribute>.. <xsl:attribute name="align">.. <xsl:copy-of select="'center'" />.. </xsl:attribute>.. </xsl:element>.. </td>.. <td>.. <font size = "2" face="Segoe UI" color="#1370AB">.. <xsl:copy-of select="Message"/>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document text (XSL stylesheet), ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):13326
                              Entropy (8bit):4.02059129239241
                              Encrypted:false
                              SSDEEP:48:LpdNQgdNQedNQiF8qz8SQ8BRUeuEyiYfdNQpo5d4xdNQTSkQxv:DuWuUui+qgSRMY4upSkuTql
                              MD5:3D4221103C6D88D0C0BA5E4F196143FE
                              SHA1:61CE1E92C257F1D0E45B1D9D027305ACB5167D29
                              SHA-256:764383A436E019DBA82FCA07C55B17CFF4BFB48D2736084B1C7705C757F019A2
                              SHA-512:A626DBEC019A9743DAB3D068ECB57DC4BCDE30E6987EC000F27A4A362A225420D7C90C561825D2A7F66C816E8D0DF3B06205CB6D5814F15B200C4C15673F8D33
                              Malicious:false
                              Preview:<?xml version="1.0"?>....<xsl:stylesheet.. xmlns:xsl="http://www.w3.org/1999/XSL/Transform".. xmlns="http://www.w3.org/TR/REC-html40".. version="1.0">.. <xsl:output method="text"/>.... <xsl:template match="/">.. <html>.. <head>.. <title></title>.. </head>.. <body>.... <xsl:for-each select="CompatReport/WarnAllApps">.. <table>.. <tr>.. <td style="width: 20px" valign="top">.. <xsl:element name="img">.. <xsl:attribute name="src">.. <xsl:value-of select="AppHead" />.. </xsl:attribute>.. <xsl:attribute name="align">.. <xsl:copy-of select="'center'" />.. </xsl:attribute>.. </xsl:element>.. </td>.. <td>.. <font size = "2" face="Segoe UI" color="#1370AB">.. <xsl:copy-of select="Message"/>.. </font>.. </td>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):59408
                              Entropy (8bit):6.192697414053413
                              Encrypted:false
                              SSDEEP:1536:/WZQZTlEASrCJRxGFVO82Xs2BzPVmbP4:+ZQZTlEASrCJuF6/BrVmb
                              MD5:4D491B641514254D78AD45BB889D31FB
                              SHA1:54AF636C6DE1E617805C0CFF7054EF30D9100829
                              SHA-256:E746D6351A29D747C48A0751BE4F1C7874FA989F24EBB9E80F28A1DBDE090535
                              SHA-512:046334AF381D38B9D3B2D30E6AA5DCF83BBCBC471430827856F1251911A6C0586E0278DBE3E8AF330ACD7FE679DE8F6F67EEE84546A1D72F26FA277119227D1E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1885008
                              Entropy (8bit):6.398506680965399
                              Encrypted:false
                              SSDEEP:49152:Eybq8/KxoIpdqT6mJOM+d/FBaxaKSZX/DOdX:4oTAsxMZQX
                              MD5:BC2803914E335F5D238596BBE76248AB
                              SHA1:D6B2153DF3848BAA7A72309E032513AC9F0BB173
                              SHA-256:23E8F827941934B40FA0F137FF8C5EC19CB1DEC50F0C948271CCFF8E13017B0D
                              SHA-512:C9528BF9E18B174192AC3E8DD54698E0252008F6A8DB6749349E3C3D8555C953BC646C32BDBE6E2BEF304C6E8361AD94C0E0013BDFD8BC373C25C9F358E9F244
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Matlab v4 mat-file (little endian) x\332<\235\177\274U\331\370\307\267\214\244n\347\236{\356\221\221\344\316H3R\3279\347\376\350\226\244\265\327\332\277\316\335\373\354\335\336\373\374\270W:I\232\221$M\223\364\035\031I\337$\031#I\222$\031#I\222$I\2324I\222$I\222\221$\031#\351\233\214\357\347Yk\037\376\360z\317j\235\265\237\365\254g=\353Y?\357\0135\365\277\207f\315\234=`\361\315/\274X{\341b\321, rows 0, columns 1717724282, imaginary
                              Category:dropped
                              Size (bytes):2608429
                              Entropy (8bit):7.989073372204483
                              Encrypted:false
                              SSDEEP:49152:guMq7lb+Tw/TkGZaLb0OMrDg0WVx1ki8Re0H4L37dUaRAR+8k8Jd216GkbAw:bMq7lb+O5kzMA0yxzPlTGkF6Gg
                              MD5:37288288B7637707C101C5B1DEFBF8F0
                              SHA1:176702A43D6A8FDA22D65178A6C44C1AA6D0DE9C
                              SHA-256:F6AFF541CFCA97BA95C3D01A26993C955EE7EC7D1A8AC7A7D4F9971A4B5F0BD1
                              SHA-512:1E103A205670DBC676D0B4E4FC8845FE0CB3B33129C2F152C1B4DDF83C4EA29BD0782D1AB2F75365EB8518622EEC330B716BB17BA0907D0E763059D9811401B2
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9493
                              Entropy (8bit):7.194323422013436
                              Encrypted:false
                              SSDEEP:192:b3V/D1S8f4DBQABJWEFQRW52fqnaj7zdhTaez:5/D1IDBRJRFifl/zdhtz
                              MD5:5C0241251758706E2230DAED5FEDDD23
                              SHA1:1204E41AF9C4DB0F237FA6DC4BCE67BAAB5D8829
                              SHA-256:17C223F13398CED60DF18733C4EED52BEDABB9CB42DF4C1F8372C9FF97E0BEDE
                              SHA-512:D933EB8752C353A8830747451693BDE1A014149919473724A251B652C819E350E7BAEBB10291B0112450A16C7075EA36E8F338994E6CDA92644F8E9404DA0DA1
                              Malicious:false
                              Preview:0.%...*.H........%.0.$....1.0...`.H.e......0.....+.....7.....r0..n0...+.....7..... ...F.......C..191207003620Z0...+.....7.....0...0....R7.8.1.6.7.1.E.2.C.E.9.7.9.A.E.1.F.9.6.8.1.B.6.E.7.6.5.5.A.F.7.1.2.F.C.D.3.F.4.7...1...0E..+.....7...17050...+.....7.......0!0...+........x.q.....h.nvU.q/.?G0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....+.....7...1..0.....F.i.l.e........d.:.\.o.s.\.o.b.j.\.a.m.d.6.4.f.r.e.\.o.n.e.c.o.r.e.\.b.a.s.e.\.a.p.p.c.o.m.p.a.t.\.a.p.p.r.a.i.s.e.r.\.d.a.t.a.\.r.e.d.u.c.e.\.o.b.j.f.r.e.\.a.m.d.6.4.\.A.p.p.r.a.i.s.e.r._.T.e.l.e.m.e.t.r.y.R.u.n.L.i.s.t...x.m.l...0....R8.7.C.5.A.A.C.E.4.C.3.B.5.D.5.E.7.E.F.0.8.6.3.A.2.B.3.0.F.E.9.3.C.F.7.9.2.0.A.2...1...0E..+.....7...17050...+.....7.......0!0...+...........L;]^~..:+0...y .0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....+.....7...1..0.....F.i.l.e........d.:.\.o.s.\.o.b.j.\.a.m.d.6.4.f.r.e.\.o.n.e.c.o
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):145760
                              Entropy (8bit):5.870388346783931
                              Encrypted:false
                              SSDEEP:1536:sAdDTBMTAFYHGVrye/e7TGaiAS7kwzqFEfGRALia1RWhA6z0lnIJRKDE14+Pyd82:sA0EFLyVUWhA6z0lnIJRKDE1pqara
                              MD5:C39990FDAC9F09F75069B145950FB353
                              SHA1:BD983E23464D50119C39C0B0D297BADE3B5829EE
                              SHA-256:610B9F2CCA783571D0035A99B5255A6149E78E1CE6FDECF51797FDD700D02EC6
                              SHA-512:91CB795DB1590B9BE3F8B9DC48FAD36D6423604F71145EC489EA61809C1BFF2DFB9A9F1A39ABD9DA749795F9C2340E140582BC460329157A9E883EF035A44C0A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1841192
                              Entropy (8bit):6.398675335834524
                              Encrypted:false
                              SSDEEP:24576:NS8R1Z0BLmkLNONF/hPybW2HdL270Mom7U6hOTzIV3caWqUEK:NSWHYLbNyxhPOLjvUhOPS3caWqU
                              MD5:AD56654490C1C5DB170D50BFA787C064
                              SHA1:A936E4ED218B1D84345D68981E26B96F9AC02C07
                              SHA-256:017443A1711B7E83E225FC7A83BD17F02D06DD2DF5CC3F92CAA50BEE7EB5A60A
                              SHA-512:9C87601B8C9A4173660D11776F55CD83D1CB497C4447F55DA888A550E09B79C8D68393C0CA8F99C9C90996828B9F0663E648F279C646197BA1C0ED79CE1DF806
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):825144
                              Entropy (8bit):6.21516819097286
                              Encrypted:false
                              SSDEEP:6144:LoooooooooutHyd0UgPzhQXJgFzhQXJglg:LoooooooooutHyd0Ug1agvaglg
                              MD5:396BE18E0125D3E47EA106EE966A0A88
                              SHA1:DF1A078874EE04F4252204474D83EF73B47CD27C
                              SHA-256:0091A29B7A6DC98269282AD8E113F79C243DEB31D380082EB27ACDF7FFDDF685
                              SHA-512:5F06C5BF09DE796397997DBC04950AF53D227DAC03CAF4F1CBCEC13286B388E6A42CEAAC108C363FCCD401D57E01CDB490E1CB7FDE535CDF5A3EF6324107DE3D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14136
                              Entropy (8bit):6.2041297567663705
                              Encrypted:false
                              SSDEEP:192:FrWM9WRaiEhDxoD1S8f4DBQABJRtkwqnaj0ZK:FrWM9WRkhDxoD1IDBRJR5lIZK
                              MD5:F65713E3CCA884F4D8E7E7AED93819DB
                              SHA1:832DDEF19D29A8FBF419C7D6521310E6A5FF555B
                              SHA-256:F5505DFC452BE160DF1F7E9868E56866AFF42376E9E2266D0D8ED167DC7BD98F
                              SHA-512:FDDF8EFC4FAA0DE8B7AC851D955D7508DEAA97E73B577DB1CFAFD4B86185C1E42A4F9C1BC44C5D6DBD8E2188F9C44DA1CD4DBBD27AF12A7BCECCA49F7DB10C96
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):167736
                              Entropy (8bit):6.0416082093731
                              Encrypted:false
                              SSDEEP:3072:hbmf9qx7yTMgZn3JrSbizooAuLtJRnc3ws4MWF:0fEcn3JZzooAu576ws4D
                              MD5:E80A75BD94DBAB6AD8EF67EA57E7CEEB
                              SHA1:01F3B7A91604262BFE5295AF470BA8A9E8A0F8CC
                              SHA-256:4858B218B8730AC2F3457362ABF8EE249180DCCFBE845348F774F0172D67B735
                              SHA-512:8FA6D1090F7E7FFDA1C5E8D2434C528DFC221CA830520720307DAD37D0B89E61FF7C59C491E5CE6EEDCCACE5C3D8819DDE7B134B8C1B3D0563E88E1DC1DAF0DE
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PC bitmap, Windows 3.x format, 1024 x 768 x 24, image size 2359296, resolution 40306 x 40306 px/m, cbSize 2359350, bits offset 54
                              Category:dropped
                              Size (bytes):2359350
                              Entropy (8bit):1.5850838844501984
                              Encrypted:false
                              SSDEEP:3:6Bhlull8lfXNVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVlVn:7lSff
                              MD5:204BFC9B84E5A4405D00FD1B48E4C8D4
                              SHA1:407AC4978CC8ABD2D00047B8E8E5143BEDBE9D23
                              SHA-256:BAC5792B0A92C84A07AF53231D19090C827B63A0A5050FE5AC300A13E76D5EF8
                              SHA-512:E9D500471BEF6F3E486D9C1DF67005328A0FA2C1F3CFCFA69BB2C83AD489DF21F183AC3CA8435591551B513BFF6096356FAB98650147BA976D55243A4EC380C1
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Windows imaging (WIM) image v1.13, 2 images, bootable no. 2, LZX compressed, reparse point fixup
                              Category:dropped
                              Size (bytes):682983055
                              Entropy (8bit):7.998733849944084
                              Encrypted:true
                              SSDEEP:
                              MD5:4866992F84EB813DDB5C8F64FC7C209F
                              SHA1:AF81987A396D6D8F2E3BA2891054BDD7811D66F6
                              SHA-256:A4C7364C823422DD1D7F0457915DF36FBCF1A0AB8426B35DEA1310EA15869B17
                              SHA-512:9340A5E20F8F2FA86F0BE82D862618C20A4A4FCF76CB68F0AC8E591242426F4FAF6E3C38403EF3BD4B63CF0B3C1AFD91F0C30D56269A86C6553B756C926A8EA7
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:C source, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1976
                              Entropy (8bit):5.177570756254742
                              Encrypted:false
                              SSDEEP:48:GKXdkHtNKBe2W8KtYSmdnV0/wbJyKU7OzC7D3K/Laq:GK+r8e23rSmr0I07OzQ3KDJ
                              MD5:8A4A7D39CF9C46C18AAF59D0223A8BAF
                              SHA1:330B5CB59651ACCCDC1A780E4F1E1630AF4CB859
                              SHA-256:CC5C41D02F5D05324FD67D5321FAD6FE5C21E87F53DAAD632537B6EE58205DDD
                              SHA-512:120A1DDD4499965E8F13EA7ADAB93C0F263FEE89454B5E6C165169A8ED7987FB16D94813FC460693C6F0C50E19A9FDA8774DDE81CBD019F1CDD28F99B6D8CDD8
                              Malicious:false
                              Preview:#pragma namespace("\\\\.\\root\\wmi")....// {09D2CF12-29BB-4fb2-B35B-AD99C670CE9A}..// static const GUID cdp_EventTraceProvider_GUID =..// { 0x9d2cf12, 0x29bb, 0x4fb2, { 0xb3, 0x5b, 0xad, 0x99, 0xc6, 0x70, 0xce, 0x9a } };....[.. dynamic: ToInstance,.. Description( "CDP trace event provider." ),.. Guid( "{09D2CF12-29BB-4fb2-B35B-AD99C670CE9A}" )..]..class cdp_EventTraceProvider : EventTrace..{..};....// {47E915BD-50E0-4dd9-ABDE-E6F98E9F015A}..// static const GUID cdp_EventClass_GUID =..// { 0x47e915bd, 0x50e0, 0x4dd9, { 0xab, 0xde, 0xe6, 0xf9, 0x8e, 0x9f, 0x1, 0x5a } };..[.. dynamic: ToInstance,.. Description( "CDP trace event class." ): Amended,.. Guid("{47E915BD-50E0-4dd9-ABDE-E6F98E9F015A}")..]..class cdp_EventClass : cdp_EventTraceProvider..{..};....[.. dynamic: ToInstance,.. Description("CDP library trace event type class."): Amended,.. EventType( 1 )..]..class cdp_LibraryEventTypeClass : cdp_EventClass..{.. [.. WmiDataId( 1 ),.. Descript
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:C source, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):571
                              Entropy (8bit):5.447799495751583
                              Encrypted:false
                              SSDEEP:12:31K2bW5OkCtIQkBdee13/obbW2OkYNKzBeeZNMEg0LIbbW2ZvJkn:3BLntIQ2zo/oJKXmEg0k//vS
                              MD5:70C6EB523CC2EEFD5045B82110DAB0A7
                              SHA1:3FB40DCF9E82B124812385A762E2781288E69D68
                              SHA-256:DD28F26F097D4881AFD1E6995882650F5812FF227DC2F8B3A837CF5F942CB400
                              SHA-512:C095BCE36CD1416CC1183EC8BB1E4C7DB7211E17670ECFF19585A3B6E47F63E8F8D1D2C52F8316CE826D0ECB30102A03EBB9E939A3D6E64DBF0E4DB855B6A3B5
                              Malicious:false
                              Preview:#pragma namespace("\\\\.\\root\\wmi")....#pragma deleteclass( "cdp_LibraryEventTypeClass", NOFAIL )....// {47E915BD-50E0-4dd9-ABDE-E6F98E9F015A}..// static const GUID cdp_EventClass_GUID =..// { 0x47e915bd, 0x50e0, 0x4dd9, { 0xab, 0xde, 0xe6, 0xf9, 0x8e, 0x9f, 0x1, 0x5a } };..#pragma deleteclass( "cdp_EventClass", NOFAIL )....// {09D2CF12-29BB-4fb2-B35B-AD99C670CE9A}..// static const GUID cdp_EventTraceProvider_GUID =..// { 0x9d2cf12, 0x29bb, 0x4fb2, { 0xb3, 0x5b, 0xad, 0x99, 0xc6, 0x70, 0xce, 0x9a } };..#pragma deleteclass( "cdp_EventTraceProvider", NOFAIL )......
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):21144
                              Entropy (8bit):6.09945937942224
                              Encrypted:false
                              SSDEEP:384:96Do8oQC6gASIzJAtO+nFOpWBa9uWswGypKlNqb0K:rASIzJAtO+29cJK
                              MD5:06D0BF2231B410052F5DFD25472C38F9
                              SHA1:A1F16F04401E2F9ACED9519E3D713E134EE45605
                              SHA-256:B0E856D9E2AD145B2A47C8884A7A3CAC53410F540B73777F4B26495E715209CC
                              SHA-512:7A4600B0A44DB3B76C5BC94124C53C198B9D2CB09C9272E54CD20E70BA813FD7D82E74FED85C4BCB66446A3F6CC555C0958B50D5FEDAE3720958E0C7EF8AEBC9
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):191288
                              Entropy (8bit):5.862130263443536
                              Encrypted:false
                              SSDEEP:1536:joClBkiGieMqbCUCIc1FGVtjZn2rdJDx4Z8VJ1namCVdZq9UsFV/isM1sediFj6+:joMBki3jgfjjZp1YkEnWcAPUsRM
                              MD5:C3F8B0D8B5E1710C6653D1721A1E5C9E
                              SHA1:A9C467249E0EEA2B6655F47BF73ED1C31BB165E2
                              SHA-256:2D95BCA83E99CC3E755C310311EEEC24392E9AFEE1D3FD67C15EA358D897C7FB
                              SHA-512:CBA5A3F4BBE921A40305D5B2A6CCEC52B74AAC0A3DAA8526DD101AC22A62B95B41D32D041C346055A17B76786798AA86B4219452DB4C9BE9C6A7A3CD3EA6AA5F
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):665400
                              Entropy (8bit):6.496024453732728
                              Encrypted:false
                              SSDEEP:12288:P0ljB6ZK1sndrQ1cDfbjUNF96pifZa4WIYMflClgj1Xz9:PywZK1V1qfUWv4WINuIp
                              MD5:58EA2A2CED080AE5BE64A19F3E35A6E5
                              SHA1:6CFF440D0F6E4687120D769E8950FD490AAB9999
                              SHA-256:6113EE7A236054282CF36DD42C23357C2067110DA6B85F00EE72AFB40FCFC570
                              SHA-512:E910BDF5F17A0891F53024F5569796D6A3FEC41DD166E9933AE61CF0CF81741E9E4F46035A4619908FA270C1BC1EE5CAC0C5CB3392242295C615EF98E666CD3F
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):155960
                              Entropy (8bit):6.113370159294023
                              Encrypted:false
                              SSDEEP:3072:JUC0lpRHhb7vbruA/fPfz3/3vrhEbebqd8kAIJlxfVuXaQkK1:JUjpRBbDbruA/fPfzvfN9Wd8kG
                              MD5:F7194DBC9E487A57430A1B12D602279A
                              SHA1:AFEB328E21C38902F446DEE5DEAD9DBF2563B86D
                              SHA-256:2DE241717BBABBD1F170BD8AA8A62EC1F732A3232D17E21D02908DB21106A395
                              SHA-512:34DF0EA85FF87C8C5FD340B4EBEF81745E392FAD62FB6EE717EF651B233BDD5F1CD36072C11F2F2E164F78930E0C8DF6EBBD7C73F0F39B1513EE184634678814
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):3810832
                              Entropy (8bit):6.116141478708139
                              Encrypted:false
                              SSDEEP:49152:QkP8vw5h00/GaiTrvoBdd0RzMKkm0ZhWVzO/z6t7DkkQUp8:
                              MD5:1A896EDEF639C6D819022F9A224BFE85
                              SHA1:1FBA655CE9485957FB3AC7427BA8256B08187256
                              SHA-256:FFF91E1AA4E80B5D288E49CCA60AEDFB50525A882FBE5358693CFDA0D1037161
                              SHA-512:7AF3CFD064E252EF1B9415D58E9DD7B8E98B191B0849F90E86997C8BFB078513D3F3F3E284AC7EE8FDA32C06DC286D5984A6747F24986BA706A9753FC7B2C5ED
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):39576
                              Entropy (8bit):4.632641648073281
                              Encrypted:false
                              SSDEEP:384:PWxMWlkCUk9HHYtJxEm0WR1WPftYDyD+DyDuCoDyDdCSHbuBxrk54NjX8IwGyRvB:mHTuXrkWjsIMvfe5gt3
                              MD5:915F915495D5E5FCB76945E74785D7C1
                              SHA1:CF25180FF263438B9310F0A53F00E697D4983760
                              SHA-256:14F5F1B1E4B00BDE6B4408E636B10BE655558B457B1D5327E51D31071F77C9EC
                              SHA-512:89FEB51592F2C60CAF10B46BC195E435377092D94F6EE45A5F0AB826C9EB78A753466D512D629DE97833AE43E53B6502CC0C3B0D76374E0F2812711BF1822D84
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):24008
                              Entropy (8bit):6.062446965815151
                              Encrypted:false
                              SSDEEP:192:GKODczWz9IdqYbN9h+rKipXKuS28xb3HWJvah46Flkzl2W4FWEWSawTyihVWQ4e1:6DiWzGG+mKlxb32JyczEW4FWdwGyUlI
                              MD5:6AEAEBF650EFC93CD3B6670A05724FE8
                              SHA1:A4FE07E6C678AC8D4DC095997DB5043668D103B4
                              SHA-256:C86891B9DF9FEEA2E98F50C9950CB446DB97A513AF0C23810F7CA818A6187329
                              SHA-512:5C7E8C7DBAEB22956C774199BAD83312987240D574160B846349C0E237445407FF1CAACD2984BFAD0BBBE6011CC8918AF60A0EBBE82A8561CAFA4DF825ADD183
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):685368
                              Entropy (8bit):6.027130505678364
                              Encrypted:false
                              SSDEEP:12288:Qajjw8vgN+JwmiF1LWcsA6ZE/yxX77UvPM:Qgjw+iF1LWcsNZEM7UvPM
                              MD5:52A757D055B348644057E61B072FCB21
                              SHA1:4CF6F6DA57E08D4EFC9C12A3AE614F016CD6354B
                              SHA-256:55F2B435F1EDE0CE99FBAF9D85FAA86E8E5DE3C0BEF1DE5A92A9270EEB97FAA8
                              SHA-512:B2704C9CD122A7B84AA54E697D6436DA63161E20CC630013FA84A7A8178B453A1C13A8B04BB0317C8877B4BEB08AA158EB11889CB619DBF462B3531BD4D3A0BC
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):49
                              Entropy (8bit):4.614310864346761
                              Encrypted:false
                              SSDEEP:3:ImMP4ovRL+MACcRIh7yXTyYc6LVy:I7Pl586yEgs
                              MD5:602E7555A1DF6E6849AFFC45AA3766F3
                              SHA1:9A236FF4197576031D1AA7CEE5421FB36961CAFE
                              SHA-256:EB7C36A97F38186A9F687F08344FE9B8D030979DD98D01F6289A55CAA1A00918
                              SHA-512:3E2996ED1033E1B43BD75F1ED55769B249300E966C3AD1C284924FCDDFCDD6B385E8C0B4CCDEFB4A0E99E12F79285EF1BCD5074A58CDE0F02CDBF76B4A716E96
                              Malicious:false
                              Preview:[HostBuild]..MinClient=9458.0..MinServer=9458.0..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Certificate, Version=3
                              Category:dropped
                              Size (bytes):1499
                              Entropy (8bit):7.442262217977073
                              Encrypted:false
                              SSDEEP:24:5dDuDD09SkeDuDqgx07eA6nTHFOKEOzWgIoocWdAliuJKAbuWjt10u60PyxH8vF9:5dDuDD09DeDuDXieAUO5/otmAVgA6W5F
                              MD5:AF749A216C00C7D25C249FCA0D7FD471
                              SHA1:580A6F4CC4E4B669B9EBDC1B2B3E087B80D0678D
                              SHA-256:E8E95F0733A55E8BAD7BE0A1413EE23C51FCEA64B3C8FA6A786935FDDCC71961
                              SHA-512:A30B1E92B99B839D0076808E38F1C65FB42B1A9608778A0596F5350B3EF80DD15F2E226E1624298FF44135E736717D27642225ADFE8A9D10E24B5FA22D912C18
                              Malicious:false
                              Preview:0...0..........a.vV......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1200..U...)Microsoft Root Certificate Authority 20100...111019184142Z..261019185142Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0,..U...%Microsoft Windows Production PCA 20110.."0...*.H.............0....................i..!.i33...T...... .....8....-|by...J?.5 p...k...6u.1.p..7.tF.([.`#,..G.g.Q'.r.....;S5|...'......#.o.F..n.<A..?].jM.i.%(\6..C............['.'x0.[*.k".S`.,.h.S..I.a..h.sD]}.T+.y...5]l.+\..#.on.&.6..O.'..2;A.,...w.TN.\...e.C....m.w.Z$.H.........C0..?0...+.....7.......0...U.......).9...x...O..|U.S0...+.....7.......S.u.b.C.A0...U........0...U.......0....0...U.#..0.....V..\bh.=..[....0V..U...O0M0K.I.G.Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z..+........N0L0J..+.....0..>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0...*.H...............|qQ.y.n..9>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):732472
                              Entropy (8bit):6.307566976923437
                              Encrypted:false
                              SSDEEP:12288:1c48cK8ts8q1j0E7sv8NxGwgd6herRrmBYkcMgwcs48EdoPQm23ATs4qI/w:jkyej0Lv6gddRmJp4Hd2br44z/w
                              MD5:65E122C22C2AC10C200A32F038182822
                              SHA1:9DD31043224784C229B7310567135FBC5DA5294E
                              SHA-256:169B2D5A8F6749C2C5AA0611CB33E51E27F02CAB3F95DBF80CFD053B48C0EED1
                              SHA-512:D8E8F36C114FDF995E411974327F8E0A6A514975D14A8500AFE7789AC460AD21BF1DA2E9D1973891BB189A6C174E3C37998795AD3A5F14D5BBC99F33888F63C8
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):54072
                              Entropy (8bit):5.995205373940198
                              Encrypted:false
                              SSDEEP:768:uBqkR284bz5Su33E3nbox26S8tAnGg4rYuVvXot7upZUQpI1P0bFr:1z5Su33E3nbh6ynG5EuVvXot7a+P4
                              MD5:9394F7959E77D16DD7DD0F7E77E90C74
                              SHA1:6C73D317A14EEC6F619898F93F0CD8AE5139B451
                              SHA-256:1434242F49F7E570A8BAAD61CC2939B6A054936CD71C861A4327DF014562786F
                              SHA-512:272E80F1862F61B5BEB09D2E7D436A7B6245F1F17EC6B8A7D6B8FE166FB0D18DAF89EBA866F9CDD17B6995BC80D0C44B8C9DC4F0349E5AFAD7ADEE965733A6EA
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):177976
                              Entropy (8bit):6.076771088162926
                              Encrypted:false
                              SSDEEP:3072:Fx02msdR22C2Avx2KU/Qhe12OvuGiHtz1KAsn6/ZnlBRxtoi:Fx0Psd0lpkK0Qhe12WuG+nlBT
                              MD5:BE01A9041BDEB09E316A09BCC3FD84AC
                              SHA1:7836E65C1FB0EC51B911579185955E4293EA3A91
                              SHA-256:BFC83E5AD0045E8E6BE816DA308A31097D41865953CC2063CBE575A90A84637C
                              SHA-512:4728F8F14F6FABD515B34EB9214120BDCB6A6B3A91DC1AB457F3F9FA463066DA2BFFE50C88BE6C23A481F41AA1E588D1316CDD4DD47208F21BEA835D943ABC94
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1362104
                              Entropy (8bit):6.167419829576066
                              Encrypted:false
                              SSDEEP:24576:B190ETfdgx6IaLO9sqCVxItDWs+yW0p3WY/AQeeBzvyYOXPzcX2xyAT7nq:B16ETFBIT9sqC++P0pPAQ9zPOXLcX2xE
                              MD5:4E9EF68D05038ED69CEDAF123E945C32
                              SHA1:A7EE8F89B7EA5F6A5791BE42F1AC2C4F8737A45D
                              SHA-256:7AEA82C8C38A88E7C66CCAE246367C261A6C230B5CE4540C7970C8EB1D8DC6CA
                              SHA-512:5D45C05D79CFF81BB8A8069F68AB3CE88F48D03A964B8C3D24F27CE758973D44884F8248FA3AF89373C047DF5FE26995C34EDD0210C67E5C9E15A5515D4650CB
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):88256
                              Entropy (8bit):5.52638304010264
                              Encrypted:false
                              SSDEEP:1536:3LrfIoQDQxgs0Y5efYVOD8KxLQgSSQlLO3Wn:3Q2xgs35efEOD8KxLQgSdJO3Wn
                              MD5:86C095AF49B6EB83523F819ACA414823
                              SHA1:D51BED201518F2329E60E211F86AF2FA053D58A0
                              SHA-256:3087D18262FC4D8F7655389DC10E36D65D7ACD5FACEAC52114BDFFCB160CCC62
                              SHA-512:0DD3B0B5CC5257D9386404447A581A547576182F725D06A37F7F8A8CA0CCF0C8E9DCBDA13B371A9695880CB64DD437AF866385DDADA3396AB58446FFDDC001B6
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):289112
                              Entropy (8bit):5.727215330923414
                              Encrypted:false
                              SSDEEP:3072:Y5VvsVPUSHmEk6vQWW8mw7T33RtvgdURr7RW1i9MthEej1D8TboZwC2iM5tEz0Vy:U0VPUgjnRtnNlW4RWD8TbVC25rsH
                              MD5:A91179EE0264BB735D2ECE7168F534DB
                              SHA1:4FF3D729E9F17963A42076436D1F4BB03D52246E
                              SHA-256:76ECCFD0B05A981A2D251AB4ECBF4C2AE2215CB632988656F75978171D87C734
                              SHA-512:C32992FC3C1C1C29B0C084C6909DEA5B912593A9BAAE8B0EF80DA7046A74E0EE542F836559AF260293F14251FFE1238174862D85F455AAC7B1218078AC25543E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1065272
                              Entropy (8bit):5.9362427354409215
                              Encrypted:false
                              SSDEEP:12288:OWoHuuwbYID+DYJA6QT2I/DrwsXeT9iUdzCSJ1BhW1qe0gw3xfuGNpUpC4:OWoHkbx+DYJA6QTd7rYiKCSK1qoWSC4
                              MD5:715F9A824FEA51984878D5E5AE318918
                              SHA1:1EE8A295F5A67E9585E16451A4518D8C62F48086
                              SHA-256:010AAB43238EDABD7457B30E7BF3221049F40E080DDEE4B8053F53B7431DD9EA
                              SHA-512:6BD7BD4B481870E41791D7C7174DAD532259ACFD83CC18644CAC32EC653398B900F50913D82CC333E4A8BA55663B93D09C9A1691BF966E2CFEB82CF7CB67947A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):405304
                              Entropy (8bit):5.723373137736148
                              Encrypted:false
                              SSDEEP:6144:2jR9+636STkVp89eRmuI73RCIxio+bPnRKQoUh:2jyBgkVpZROpj4kwh
                              MD5:59E5598FF8E695BE316BB738896D52C1
                              SHA1:3E8E113A324FF3E4F5145ABEB2F184937A7B5730
                              SHA-256:0CD4F9FC244734016843940368C5D1037829B3EB08B0DB01E8DF73C88AD84109
                              SHA-512:6BFFB76FCC5AB280B8FAD3CC6A9EEFAE7B87C50A15E3B9985E9A30801537B19702082794A46598A79C9DFF23254FEAC9AE3F06AD4E79CEF82CF943F28F13218A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):187920
                              Entropy (8bit):4.480961451090999
                              Encrypted:false
                              SSDEEP:1536:wA5jxij1/4CL6FFJbK1hipbLEXt0GAwlP:wA5jAj1QCL6FFJ+1hipPEXtpXl
                              MD5:CA5E394358DFAE3AEB9C6DC0FAF75B99
                              SHA1:45FC73737DD8FC325D7A9065A9659F0707017E69
                              SHA-256:ECF5239FCB763D5CBB4E312927FFB4C83EA9110DD72E5ADE02AFED5BD2B4150A
                              SHA-512:2DB4F9DA1850CBAD1580D54C0582F632D9098C44A16284A4EDB1A8A2BD7C4AF9062FE44830C26BDC43F2C9391B0EBDB088A7608EFB464967CF67ED973C6D72BE
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):259600
                              Entropy (8bit):5.757526364719958
                              Encrypted:false
                              SSDEEP:3072:5HXTCH+HosHw8NH49z7uHnEzt/8Yt++cNNn5EVY1M1pUQuMwWl:52e5w2oiHnEJ/8wB2ypUQ
                              MD5:EAD5D3D400A569CB4F29478EE59F8A48
                              SHA1:21063A66AC2AB4B3F8EB733B9863C800FFB13220
                              SHA-256:7B1802D2F1BC7D9ECEB97FB22A2FA8D596A886DB6FC5D2E2E4F058C7BF343400
                              SHA-512:04ED63F454DAA8F32807AD24ADA6FDD8A71594D408D581F18CDDC6427825A6D128B205248862AAC1B9D8A92D0956A8D8D181526FE681C72CB21BBB4FDAED34D3
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4717
                              Entropy (8bit):4.952796906381435
                              Encrypted:false
                              SSDEEP:96:22M8Pv8CXGPvJGV0MaPNc5cycTcecIc4cgczcpcNJS2XFiFREluBu:VjODMbkIN
                              MD5:E1F487CC7BE305ED14526AA1AD64018A
                              SHA1:229A0F9004AF165ED2225E418298CCB17BB8787D
                              SHA-256:9669F6DF24CD0DCE23A418332EC0317CC6DCCC83FFE83222D485D0590199FDC2
                              SHA-512:C51CFA106EDC6DE5C2F89966042400198079C6686A2CE926D1118EB1E13F4BB077E03E0020BF5856F74F97EF81CAD8F9DDA0F0A0709E13525F0E74B9AFEA6A61
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="preid".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2003-11-11T22:56:35.2127782-08:00".. description="Accessibility Downlevel manifest".. displayName="AccessibilityCpl".. lastUpdateTimeStamp="2005-07-15T20:27:45.1603430-07:00".. manifestVersion="1.0".. owners="preid".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="".. language="neutral".. name="Microsoft-Windows-accessibilitycpl-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <migXm
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):667
                              Entropy (8bit):5.156967991505571
                              Encrypted:false
                              SSDEEP:12:TM3ii1o2Mf8ior5cF+S6TjVgV65wSclDl1mSYDS6rsNZyuhURpG:q/o2e8Zg+SIjVg05wjmSgSRFhUK
                              MD5:B3AFF6666D3E01C7C062D1448BA29833
                              SHA1:096D122C766B0815D1DE09EE7A68530CB698F1B0
                              SHA-256:AEADDDEBF88EDF5C5E46B65BDEBB3B6B81972CD15F4EFB5FAA22CB0E8360F5AA
                              SHA-512:D5BD5CBD83EC9B0EA80481251F4A4BE6555951ECE520D455E25255067231F1089F1D98D0B3B6606AD0E269309D821004FA5919618EB9337CDF77E74E4B24DE1A
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-ActiveDirectory-WebServices-DL".. version="0.0.0.0".. processorArchitecture="*".. language="*".. />.. <migration>.. <migXml xmlns="">.. <plugin.. classId="{06996584-9164-4CD2-BD44-3DEC24314516}".. file="Microsoft-ActiveDirectory-WebServices-DL\adwsmigrate.dll".. />.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1164
                              Entropy (8bit):5.057099126813335
                              Encrypted:false
                              SSDEEP:24:p/o2e8Zd8+n2Eg0cjaENgwuzg2USwuzg2UFiMgJXn8cmFhUK:22e88+2EgfaIgPUSPUBgJMcQX
                              MD5:D1DF95D9120F8FAC345776CBB9296092
                              SHA1:C3B097D8CB8620911AEEF5113C345380CD522110
                              SHA-256:8D48D1584B8293FCA6A136122C71121F9462D893DB87F8CB688DDDA56DF43D67
                              SHA-512:2CA30A4DA31EEFBB0E5D901EABF04FEF8793778F96607E21717FDE47C8010D71AB7FBD64CA64064DA2B0007AB91D542D07ED95EE5D434CD5F370EDB6E7C273CA
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-ActiveDirectory-WMIReplicationProvider-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DSReplicationProvider [TypesSupported]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\DSReplicationProvider [EventMessageFile]</pattern>.. </objectSet>.. </include>.. <detects>.. Detect supported platform: Win2k3 -->.. <detect>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3725
                              Entropy (8bit):5.378092061130192
                              Encrypted:false
                              SSDEEP:96:22O8PvMuDqOEO9m+OUPvJ2bxo8jo3ovoRo2oooGx1oG2coFoGlo/oZjrojotoT:zUgEO9m+veOj4guXNGxKGeaG6wZAMyT
                              MD5:ED93D4D6F1588AB4986A505BED2EE82D
                              SHA1:60785DEC2ACB0B8A171BE022EE01F71AB359F6BE
                              SHA-256:92945AB8C08AE0A560E4DC4EEB7E183D45092CEBC00C9F28969A1108A7CBD3B2
                              SHA-512:28AC7AB87F3F5D3A4596AEEDB7AF04439485744CEA04CB5D2846424C74E6ADC0297094F83B1BAEE8648FD29FB16F7D4803E5882F207D8298AF598CDC903E2195
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="richak".. buildFilter="".. company="Microsoft Corporation".. copyright="".. creationTimeStamp="2003-07-22T17:28:24.7884597-07:00".. description="Down-level manifest for ADSI LDAP Extensions".. displayName="Down-level ADSI LDAP Extensions".. lastUpdateTimeStamp="2005-03-23T19:16:55.6144014Z".. manifestVersion="1.0".. owners="richak".. supportInformation="".. testers="smithav".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="*".. name="Microsoft-Windows-Active-Directory-Services-Interface-LDAP-Extensions-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xmlns="">..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1676
                              Entropy (8bit):5.106259269963326
                              Encrypted:false
                              SSDEEP:48:22e8S8PvMuDqOEub4fmeb4lIUPvJv+wgEgSXMKIgx/o/4Jmg/ocJiX:22O8PvMuDqOEub4fmeb4iUPvJ2BEfoMG
                              MD5:92B0C1007D41A02C886FCFA2E99DA948
                              SHA1:B33AD4881D16466DF2818272BC2EF31CAF71BECD
                              SHA-256:5CF92E49ECFA194EF2E2A16ABAD024287BDB1D45AF4F92F4B4BC8A52F3457FC4
                              SHA-512:C1C6684373E68AD7225510B0CAD125E451029BDBB1A2BDE95F58EFE0E26F56D1B4EFEFE40B12C08DA264AF62474DEF4324963321D3E4B175ED94A4A7D2F94A5F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="richak".. buildFilter="".. company="Microsoft Corporation".. copyright="".. creationTimeStamp="2003-07-22T17:28:24.7884597-07:00".. description="Down-level manifest for ADSI Ldap Provider".. displayName="Down-level ADSI Ldap Provider".. lastUpdateTimeStamp="2005-03-23T19:16:19.5050264Z".. manifestVersion="1.0".. owners="richak".. supportInformation="".. testers="smithav".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="*".. name="Microsoft-Windows-Active-Directory-Services-Interface-LDAP-Provider-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xmlns="">.. <dete
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1962
                              Entropy (8bit):5.112446077379604
                              Encrypted:false
                              SSDEEP:48:22e8S8PvMuDqUEmWDtUPvJv+wBgSXMKIg/olJmg/oK/o/I/o3/onS/o4iX:22O8PvMuDqUEmStUPvJ2uxo3joYoWoPm
                              MD5:44D3195DE1D7D0C3975E3B25A4E66EE8
                              SHA1:866F3468711A5CAF30FB2E791217AEBF630A3177
                              SHA-256:3A6D1F6FA7C2C78B778C1BCEA78CD059523BE0A7B500157FD03E552EB79B56D8
                              SHA-512:C36C78DFB1104C5E35DAA5FE2D4EDB0210388CE713A5D0823D47BD090C6993DD6A0E78E76C6738072ECA51172C09D41B4940EEF46DFE3FDC0425A966226F50A5
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="richak".. buildFilter="".. company="Microsoft Corporation".. copyright="".. creationTimeStamp="2003-07-22T10:09:25.0355227-07:00".. description="Down-level manifest for ADSI Router".. displayName="Down-level ADSI Router".. lastUpdateTimeStamp="2005-05-13T17:37:12.8296096Z".. manifestVersion="1.0".. owners="richak".. supportInformation="".. testers="smithav".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="*".. name="Microsoft-Windows-Active-Directory-Services-Interface-Router-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1655
                              Entropy (8bit):5.184674193205256
                              Encrypted:false
                              SSDEEP:48:22e8S8PvMuDqOE14fml4ldUPvJv+whEgSXMKIg/oxJmg/oJiX:22O8PvMuDqOE14fml4fUPvJ2aExorjoy
                              MD5:79B21C987EDB8BF4448FFA41756D8537
                              SHA1:B4076192B736C090B2D393621146655A7A0A99CA
                              SHA-256:753AF0583E047ADA8B8914E243C1C3F02A10D3A3B0BA542EDCC1CBAB5BEB84CF
                              SHA-512:4F9C7B5A94B108B5CA02D45FAD359893B06629C95FBC6E17B6ED5DE878FAC74886B98EBB32205E80F67EC2C7A2ADC18AC49FEA82C2C2AC8BFF7CE4DDC8EEC774
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="richak".. buildFilter="".. company="Microsoft Corporation".. copyright="".. creationTimeStamp="2003-07-22T17:28:24.7884597-07:00".. description="Down-level manifest for ADSI WinNT Provider".. displayName="Down-level ADSI WinNT Provider".. lastUpdateTimeStamp="2005-03-23T19:17:15.4581514Z".. manifestVersion="1.0".. owners="richak".. supportInformation="".. testers="smithav".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="*".. name="Microsoft-Windows-Active-Directory-Services-Interface-WinNT-Provider-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xmlns="">.. <d
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1424
                              Entropy (8bit):5.087449124636623
                              Encrypted:false
                              SSDEEP:24:p/o2e8G58PvS2co3v96PJcld8+8g0cjmpCdbc7VNHUFCUK:22e8K8PvSA3va1+8gfmodbc7VNHmA
                              MD5:E3E3267A46C79E6BF0D56AC985294959
                              SHA1:3C5ACA11525B06F4700D343315A0E28E2A7B2FB2
                              SHA-256:8AA3C09667C38DA92A6ECE95ABEDDF28175B979CF62FDAC590F8B0DA951CDFA3
                              SHA-512:E7BBAE33D381193B946FBAB3A47A833D3782AE5F6A6508D22ABA780439FA9BE5F3E74EB1C581E5F0A706247A0CE1102D84F464AFE2115F9E64B383A90C0F1A70
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="sandysp".. buildFilter="".. company="Msft".. copyright="".. creationTimeStamp="2003-07-16T15:33:19.8561193-07:00".. description="Bluetooth Config downlevel manifest".. displayName="Bluetooth Config downlevel manifest".. estimatedSize="".. lastUpdateTimeStamp="2003-07-16T15:33:19.8561193-07:00".. manifestVersion="1.0".. owners="sandysp".. supportInformation="".. testers="toddsc".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Bluetooth-Config-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration xmlns="">.. <machineSpecific>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "11.0.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3193
                              Entropy (8bit):4.916337227233485
                              Encrypted:false
                              SSDEEP:48:22e8z2j+YgLBqg5SKMWcCY4c8IZAii6VnrzJ0NPApzz9B2A:22X2qXZ2+8lddb
                              MD5:7AA2ACBC6738A9B6C75E0E0793BE8CDF
                              SHA1:C6DC1C05B7C09A84858E00A9F4B91617CD00889C
                              SHA-256:0A03C9AA088787E6339F4D435141199774673C8ECC34991FD48302C5E0B76C20
                              SHA-512:926ABDCEEAC75F8A8BAB7FCD636B5E4B9C0E6A9C91119944F577FA29767EBFF928F25CE8EE620506B0CA62A54DBA402C526670CBED97E37EE9316504D9E503DE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-BrowserService-DL".. processorArchitecture="$(build.processorArchitecture)".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\Browser\Parameters [IsDomainMaster]</patter
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):7079
                              Entropy (8bit):5.411732558973942
                              Encrypted:false
                              SSDEEP:96:22b8PvMu0hPvJPFU0AlVOChRp7RRmOtD5vgQVbWBIhdtYAChvF/wWjA52tfPhhiC:IUNfroV9hQk6Dl
                              MD5:0E791618D2CD597232E39511B24FFC7B
                              SHA1:B5BDA037ED3ED389679FA8A87EB710EEB65151EB
                              SHA-256:7E9718BD585C13038E468C7D1BC4EABFB4629D0502E336C8E4BE8FA37FED348D
                              SHA-512:EFA9D78FE2BD1DCCF591015B4FF6F417D5F4288320648A5A4786C09D47C8BAF1177290507897C9B9897920740772CFDF136B0B25D52B28084CBC879E65BCFDCC
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="philh".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-18T13:04:43.4054402-07:00".. lastUpdateTimeStamp="2005-02-02T01:39:02.9208750-08:00".. manifestVersion="1.0".. owners="philh".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-CAPI2-certs-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <migXml>.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2879
                              Entropy (8bit):5.137667090306924
                              Encrypted:false
                              SSDEEP:48:22e8f8PvMu017rq+FGDgft0Igr0htfhtr0hSfhSr0hLfhLr0hyLfhyLr0h9fhLJQ:22T8PvMu01tFGa0d0Tf0uU0950mc0DXQ
                              MD5:672D9E929894034E9F43FEC5B2856E16
                              SHA1:123D421C1CC2F8285FE062C10105F1006A233778
                              SHA-256:AC5FF75F434F643B0D30DE227B4D8281790B23074EC5162F0784CD33759728A7
                              SHA-512:43E6D4F3BAAE7FF283D850A7264D575E75DB718ACA3E1505A3885143D49497732DF8FB00831B9B988B9DB16D83EACB2F40642C5509813538C1679BF6DCD407F6
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="orenw".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-06-26T10:41:58.4194794-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-06-01T18:30:21.8534700-07:00".. manifestVersion="1.0".. owners="markz".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-CommandPrompt-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,USMT">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKU\.DEFAULT\Software\Microsoft\Command Process
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1655
                              Entropy (8bit):4.838075000445489
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+FUg0Lmj39wKstEF4wwV2gXRwwV2gXu6BX0FCUwhi5Ip:22e8z2j+FUgUKtLstY4fpRfpfB26i58
                              MD5:300A64249579AAE21E6A552D42192AC6
                              SHA1:736F35A9FE35A56563CC030243DB0ABC82B155FF
                              SHA-256:678EB7E085D106824917F7DB0FF888CBCC7007815F9AB5D3257C3F20EDA2BB72
                              SHA-512:306D06B055CA5D838B5748D097EE6AC17426D6F5E241591C709954C2E34AA57C38C9A1031E4973A3BB77BBAF08DB34C577EA93FD2D9ED619D09BB92E45917D99
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-CoreOS-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT","6.0.0.0")</condition>.. </detect>.. </detects>.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion [RegisteredOrganization]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2224
                              Entropy (8bit):5.136880831258619
                              Encrypted:false
                              SSDEEP:48:22e8s8PvMu0Vnui+FOgftoecVIgPduTludJeecVIg2/oLi8HJuvA/:2248PvMu0WFzoROYPeRFLvp/
                              MD5:4642ACDF557D7BB0D9F86CD5507F515B
                              SHA1:FF90EE06DA9426CAB95468DFF887C6484144EB95
                              SHA-256:B626F189488EDCCBE1482BC11906D8E651684CE947203149828B50BE291B01EB
                              SHA-512:291F9EAD1B35F883FEF1DC0DF106F2AA64DBC4E475384B0E41E9982F8986D110EDFD7B141A7C96500792060245C95E505770FA090DF656177CBF3596C1942765
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="noskov".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:05:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:41:02.9208750-08:00".. manifestVersion="1.0".. owners="noskov".. supportInformation="".. testers="andyliu".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Credential-Manager-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <rules context="User">.. Only call on 2K, XP .. not pre RTM LH -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT","6.0.0.0")</condition>.. </detect>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2947
                              Entropy (8bit):5.120077314818075
                              Encrypted:false
                              SSDEEP:48:22e8T8PvMu0846PYPvJ8+F9gUUL0VlxfMUIgPdunPduZJ0gPdunPduZQ/+lx3cCQ:22X8PvMu0LtPvJPF+0VlVO0z60w+lfah
                              MD5:C7E301D9DD77A21C1CDBD73A63AF205C
                              SHA1:715D25AA0C06B2AD162F52A8DE06FB5040C389B1
                              SHA-256:239C9A49ACDA9FC9845B87819A33D07F359803153FEFFE4D2212989F82DE71E1
                              SHA-512:B0E6FFB10EF5EB9EB433A23803591C84F603779306E78B1648374218A50D2F77E8EE7215615E9D1BE033A96B735321FCA9D5F7B0CB65661674346FC1546E43FE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jeffspel".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:04:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:39:02.9208750-08:00".. manifestVersion="1.0".. owners="jeffspel".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Crypto-keys-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <migXml xmlns="">.. Check as this is only valid for down-level OS < t
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1468
                              Entropy (8bit):5.0065780470180306
                              Encrypted:false
                              SSDEEP:24:p/o2e8GFp8PvMu0Vnu7vFPvJ8+FXg0Mej39ImlQu/kKcCEF4wflBX0FCUK:22e8+8PvMu0VnuRPvJ8+FXgMtImlx3cd
                              MD5:E68A33BDAF7AEBE6D5BBBCEFDED6AC5C
                              SHA1:A1120341BB4452FCA47EB5EA8FA62A08BFC48073
                              SHA-256:A5DC5B9F31D69E6F65F405EF4E187BAB262746AAAC08E95C195AA77A0B310DE1
                              SHA-512:69E1A60C0FFE8AA19B55FABE47801EEEA7CF4C84E426318D8B7BFFAF09A14FC5F569573BE30753D354B604911A616C231F485B08C3778E0A214F7E3DC9C21D2C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="artbaker".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:05:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:41:02.9208750-08:00".. manifestVersion="1.0".. owners="artbaker".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Cryptography-CryptoConfig-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <machineSpecific>.. <migXml>.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1685
                              Entropy (8bit):5.032496350379527
                              Encrypted:false
                              SSDEEP:48:22e8e8PvMuDkDL7e6+Tgff0mUcR0owVfgAZXA:22y8PvMuDkDLa9qD0vw
                              MD5:F848094787A842BBDE1DE06919C13570
                              SHA1:07085C28F9480969E17982DF9863BCC82FCCD978
                              SHA-256:78B98A06143E3B5E840966489EA58C006541CB57CEC126BF0F33C2902828F460
                              SHA-512:DBB0CDC4FA9961FE9B7360EDE728A4537764F763BC107916BA0A030DCF0AE2C75CC03C7EDA897AAA25F5C64E0CD923E5434287B1357390828F07E5FB70982473
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="dfsdev".. buildFilter="".. company="Microsoft Corp".. copyright="Microsoft".. creationTimeStamp="2003-07-25T13:52:42.1200687-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-12-14T00:18:39.1687500-08:00".. manifestVersion="1.0".. owners="dfsdev".. supportInformation="dfsdev".. testers="dfsntest".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DFSClient-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration xmlns="">.. Begin migration to Vista from non-Vista Client OS, including XP and Win2K3 -->.. <machineSpecific>.. <migXml xmlns="">.. <detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2062
                              Entropy (8bit):5.144230239550166
                              Encrypted:false
                              SSDEEP:48:TRJfKu2e8U8PvMuDgD9QNOPWPvJ2RgUUTISeD4QWcIJQJaM0Ig6KpJJeT:NJff2w8PvMuDgD94OOPvJ2k3eDKcj8In
                              MD5:C1C44F65296A4193D0E05356DAC4D6D5
                              SHA1:7181CE3F6F5AEE7674C79AC5DF023F5F37F58BCB
                              SHA-256:D076FDC6D7B9204DAF689DB84E922CCDB817B988375B0E4FD5DDCD6F6C455ED3
                              SHA-512:F1048830FF8118804D17FD3E7A11C18BE4032A38E322E7FDCCCFE034F15EA433C5131D56844330A7430555623566D908322983B0E108D14F40CFA73747F2121B
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... *************** Down Level Manifest For Upgrade from R2 to LH ********************** --><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="arunl".. buildFilter="".. company="Microsoft Corporation".. copyright="Microsoft Corporation".. creationTimeStamp="2006-02-15T20:46:17.0709288Z".. description="$(resourceString.description1)".. displayName="$(resourceString.displayName1)".. lastUpdateTimeStamp="2006-02-15T19:13:31.5450725Z".. manifestVersion="1.0".. owners="bofdev".. supportInformation="bofdev".. testers="botest".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="DfsMgmt-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. v
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1514
                              Entropy (8bit):5.1074886329517755
                              Encrypted:false
                              SSDEEP:24:p/o2e8G68PvMu021yU7Wup/FPvJ8+yg0Ldej3MBMb6MKENgwuhJXMFhUK:22e878PvMu0pU7WKdPvJ8+ygUUETMKIf
                              MD5:A60B3F820EDA9ADDF54D2DCE737AF8A7
                              SHA1:10C9FA291A602085020493113B6FE88100D32625
                              SHA-256:C41411312A127BF8456635A03FD19BD3582FD081362BBF96A4185736559F9CDA
                              SHA-512:E8062DFEBD8D53100BD478EFDCDD89A4B2EA94ABB3992CF6D100A37700F51AA7A5B8810C139444D1C7C25F1510F46443D667B5447AC0D9E8F0FA2BFEB821B3A2
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="asetia".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-06-11T06:10:20.2812500+05:30".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2005-03-24T11:48:32.2583542+05:30".. manifestVersion="1.0".. owners="dhcpidev".. supportInformation="".. testers="vamshika".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-DHCP-Client-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns:auto-ns1="urn:schemas-microsoft-co
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2199
                              Entropy (8bit):4.84018517853191
                              Encrypted:false
                              SSDEEP:48:22e88+utgfLuvMN/c3c7Y5u8/60Pv0Pv0u1PvXPvH8:22zug7o5uF0Pv0Pvz1PvXPvH8
                              MD5:F0196971DFA756693EBB652D0FE1D218
                              SHA1:2A13E805057111BD8B56B3CA68011C71D3BAA4DA
                              SHA-256:C7FDE91350B3CF61A15571A6BBB933190436A096A3BC33042F88E05F13D008F7
                              SHA-512:022B42FCB82F90B5D0F6BCD0AB47BB6DBFBC1B5A16569372D1A403EA2219C3376D7F5E8D3F49F2A1B5E03A3C33876C7EB9D1E1E4EC70D5694346109AF0EED8E5
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-DirectoryServices-ADAM-DL".. processorArchitecture="*".. version="0.0.0.1".. />.. <migration>.. <registerSDF name="DirectoryServices-ADAM"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.*.*")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SYSTEM\CurrentControlSet\Services\ADAM")</condition>.. </detect>.. </detects>.. </migXml>.. <machineSpecific>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.*.*")</co
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2030
                              Entropy (8bit):4.826213675870639
                              Encrypted:false
                              SSDEEP:48:22e8zPvJG+dgfxl4ti42MuwnuV0PvOPvl1PvXPvH8:22XPvJZ8Oi/Uq0PvOPvl1PvXPvH8
                              MD5:CD3F6C0D2D5F7B0A5527B6B4C33D9BB9
                              SHA1:CD0D0860001D2E38E0EE86715CC8024E1CE7C200
                              SHA-256:05C5ADD228089ACFBE4994CBD8B27A2C73ED62D56ED8FCB266E3503C96EF5CFB
                              SHA-512:BFB0BA918D12A4D026ED41625340E3305D675716561E17AE8851CEE8BA5CB66ED678D7C6DF57BF8D4CD74392D4CCA17B94319FF4A4727275FA9BEF3BA25CE5AE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildFilter="".. buildType="*".. language="*".. name="Microsoft-Windows-DirectoryServices-Domain-DL".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <registerSDF name="DirectoryServices-DomainController"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.*.*")</condition>.. </detect>.. <detect context="System">.. <condition>MigXmlHelper.DoesStringContentEqual("Registry", "HKLM\SYSTEM\CurrentControlSet\control\ProductOptions [ProductType]", "LanManNT")</condition>.. </detect>.. </detects>.. <rules context="System"
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1837
                              Entropy (8bit):4.807622073533838
                              Encrypted:false
                              SSDEEP:48:22e8zPvJG+zgfxP4ti42MNV0PvvPvE1PvXPvH8:22XPvJZOUiM0PvvPvE1PvXPvH8
                              MD5:6DB1B0309447284F0B808C2807CC20F3
                              SHA1:7B6CC6F44EE83150E461161B95735D2F604EB1B1
                              SHA-256:756703FE895AF83D8211F19FBA7887A5401706BD4F73CEE6A4A687DC281C7CAA
                              SHA-512:5068C96DC23EF30DBAF047BAE6637A5FD3FC81AD6DD0C81FA94B196F426A28716C42FCCFBA6F3E6988DF95652FE6C44D4920C5EF2DE01DD836027828E8AD742A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildFilter="".. buildType="*".. language="*".. name="Microsoft-Windows-DirectoryServices-ISM-Smtp-DL".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <registerSDF name="DirectoryServices-ISM-Smtp"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.*.*")</condition>.. </detect>.. <detect context="System">.. <condition>MigXmlHelper.DoesStringContentEqual("Registry", "HKLM\SYSTEM\CurrentControlSet\control\ProductOptions [ProductType]", "LanManNT")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>.. <l
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3754
                              Entropy (8bit):5.057797049480245
                              Encrypted:false
                              SSDEEP:48:22e8c8Pv8tOPBPvJ2I+igUKMIcCY4vDvuUUE9daTpyu3zpspycAyIgBu4vuWyA:22g8Pv8tOpPvJ2rqQsu2sn
                              MD5:8F1A813A4EDB4E8A9A19C8E98A6CA00B
                              SHA1:0CA39D381237A663679E80716E32BE5C82924B2A
                              SHA-256:6CFF1BAB441B05F0EFBC08668A8BB3F4E1EEF967AAB5D32950D94690CFF8A255
                              SHA-512:A0957A407ECD5D345C4B768B6D495CF1AA90F53E69D45D7FE0581255A18A34EE5BB94840D4E44E6CF6E9881978CEF770C7D5332301D7ED0AC59CCEC9EA51B7C2
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="yizhao".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2003-07-20T21:58:19.3497755-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName1)".. lastUpdateTimeStamp="2004-10-25T23:37:54.0182701-07:00".. manifestVersion="1.0".. owners="moonma;jamesg".. supportInformation="".. testers="rasundar".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-DNS-Client-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2305
                              Entropy (8bit):5.092037446296555
                              Encrypted:false
                              SSDEEP:48:22e8pF8PvMuDgD9RJpe+Ugfjz8/o9MN/IPI1cCY4fwBYB2A:22z8PvMuDgD9RRraRBvb
                              MD5:256181677E4DABD8F6B0111F1269FA0B
                              SHA1:1793C5C740AB5C3779A6D442ED7BB47B6A804932
                              SHA-256:8A7FC4C6D785C52156D6CF5CEBC9E0BF8CEF169E6A901BB655A26EB422EA59AF
                              SHA-512:E8B0CD48D4920072505E81145C4204DCCBA3A2BFF285BF2E0ABE524CB3468FB7B85CDD2CEC2F8076BF80E3776FAEE522C13F0A4C28FCA9C9B7F173D7A7848BC9
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jwesth".. buildFilter="".. company="Microsoft Corporation".. copyright="Microsoft Corporation".. creationTimeStamp="2004-10-21T22:15:26.4141421-07:00".. description="$(resourceString.description1)".. displayName="$(resourceString.displayName0)".. lastUpdateTimeStamp="2005-03-31T02:22:45.6392567Z".. manifestVersion="1.0".. owners="jwesth".. supportInformation="".. testers="rasundar".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-DNS-Server-Service-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration xmlns="">.. <registerSDF name="DNS-Server-Full-Role"/>.. <migXml>.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4533
                              Entropy (8bit):5.1021772201912805
                              Encrypted:false
                              SSDEEP:96:22X8PvMu0jPvJPM0UJl1/Qi9XexcElVOaBIpgmQlwYBwkbsgobVu:MUnZUb1xXMV37BhgVu
                              MD5:477F010FDB6BD5E5E57D6DEC5449F2FB
                              SHA1:73F9C03AF35B29EC2404BB70FEDC8C9ADADE74F6
                              SHA-256:2DBEDD5D4D6645E9ED45563FDB1DC42387EF24C9CF5D6A08EC3BE448073C4696
                              SHA-512:3C630BE96FC7FCD0036D254BA4D197AB31F37F6DAC411F8C78E624B0501D0205AF36CD5A29EC98D96D5D8D88EF2DBB2DF3A62C6F658A93302ECA500B8EC74F2F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jeffspel".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-13T14:05:43.4054402-07:00".. lastUpdateTimeStamp="2005-09-13T15:41:02.9208750-08:00".. manifestVersion="1.0".. owners="jeffspel".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-dpapi-keys-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <machineSpecific>.. <migXml>.. Check as this is only valid for down-level OS < than Windows V
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1459
                              Entropy (8bit):5.0681317500333405
                              Encrypted:false
                              SSDEEP:24:p/o2e8Ga8PvMu06oKH5TwWkd8+5jg0cjllrG8cCEF4wWYBX0FCUK:22e8z8PvMu0G0o+dgfl9cCY4NYB2A
                              MD5:F345A58227574BD34BB1D7BECCEC4A7D
                              SHA1:C27E7C7EB375F0736BEF8B40D8F08C31C8EF8E05
                              SHA-256:EFD9CD84DB0869F8009991CA32AE6EF33AEB9A60BF23F70432F0F7562BD501EE
                              SHA-512:20249FC2EA7102F2F27F6BCB4D449B7788718607EA3DA7FF444B637D873F6CEA94708B72BD1877FD8A596BDE533B07B21CDA9DEF67180D6794F0CD37EFA2BA5F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="sabama".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-12-12T10:49:44.7745989-08:00".. description="ETW migration from downlevel OS".. displayName="Core ETW settings".. lastUpdateTimeStamp="2005-09-07T02:04:58.0140097-07:00".. manifestVersion="1.0".. owners="sabama".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-ETW-core-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT","5.0.*")</condition>.. <condition>MigXmlHelper.DoesOSMatch("NT",
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):15130
                              Entropy (8bit):2.923581769489548
                              Encrypted:false
                              SSDEEP:96:3Zdu1MTYwrxRy5QxDRPbW3rB4wUHNxUZ3E/4bh6v3gfgagIiW6fbgC:+WTjIrB4wUHaPh6vwonIirjgC
                              MD5:3562F40A0EAABAEA150EF3A4AF54679C
                              SHA1:7D17242AEB90C818254F268D4AC1D805158EC425
                              SHA-256:0410C30538D32BFB47F8C56FA0D5000883B939BA106B73AC788BF289ECBE9C78
                              SHA-512:77D1A84BAA386523AFEF706D4D04C89AEB28F7F893A872B6C08A023187A6C97A985EA6A0CDA6679AFFBEAB157AC12FC0E02AACCC8AB593CC7D3E9701410100CA
                              Malicious:false
                              Preview:..<?xml version="1.0" encoding="UTF-16"?>..<instrumentationManifest..    xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events/eventman.xsd"..    xmlns="http://schemas.microsoft.com/win/2004/08/events"..    xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"..    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"..    xmlns:xs="http://www.w3.org/2001/XMLSchema"..    xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace">..    <instrumentation>..    
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1759
                              Entropy (8bit):5.073629101116812
                              Encrypted:false
                              SSDEEP:48:22W8PvMu0jPWPvJ2j+BgUU+9YcVIgaLJmgQ9giX:22W8PvMu0jOPvJ2qZtq0
                              MD5:F531DD0495A6BC691B3BF642F46B5652
                              SHA1:908597F558DC63AE830F2A0080923AF79A04526F
                              SHA-256:221DFAEA127C7272EB84FC4D10B679BC9CD524DEE01C291ADF45B39B15CF0D2E
                              SHA-512:A7DDB15F1DDC2BC11DE92F18EDBC72C6990C63955E5A84AF73AF95495EAE185FD37694963959B70201F429E13D2B8B1A5C7E2EAAB36F9E45A9507ED968D0553E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. authors="zzuo".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-08-04T13:57:43.5495832-07:00".. description="$(resourceString.EventLog.description)".. displayName="$(resourceString.EventLog.displayName)".. lastUpdateTimeStamp="2003-08-04T13:57:43.5495832-07:00".. manifestVersion="1.0".. owners="zzuo".. supportInformation="".. testers="jayantb".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-EventLog-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xmlns="">.. <rules context="System">.. <detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2571
                              Entropy (8bit):5.164518089307863
                              Encrypted:false
                              SSDEEP:48:22e8NECS7bH+4gftHMUIg60666R6B6Rlv6jape606GJmg6RlaivhR/:226CSGJzI/xwAR4uj/qWRt
                              MD5:87354E386F0C6B4D1FD4D9301A468C76
                              SHA1:5DB934E5D59A9AB14E7FDF794639865A1F8C4857
                              SHA-256:FD9CCCD527E3E342340C0B5BB92446EB90A5FC0984B1C20C8A4615A0EDC0CE9F
                              SHA-512:D3AFEBFEFE0AF4BE1F64499BF10A535E1B30D39819E68CB56D5D8E4CDE6E7C4493431172C2E06EA11EA431FA62C04A4C9EE4A6267E0BB42AF4BB129EB63D23AC
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="ericflo".. company="MS".. copyright="".. creationTimeStamp="2003-11-11T22:56:35.2127782-08:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-06-22T20:56:25.0993422-07:00".. manifestVersion="1.0".. owners="ericflo".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-explorer-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT","6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="User">
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1613
                              Entropy (8bit):5.142043752091904
                              Encrypted:false
                              SSDEEP:48:22e8j8PvMuD2lO70TR+ZgftRMUIg6cJ7IgfcJuv2b/:2238PvMuDqOITIctIA7RAP
                              MD5:D2D8AA7F6E439B9C1B745306827C6577
                              SHA1:4888D90472360820A77F97CF97722904673F05BE
                              SHA-256:5F4E3C66BC08898DC960F494868133E7870B1D458D822B015803CFF406E2C3FB
                              SHA-512:24EF5F73BB075339F67CD912CCC3A4E9745A6925D51846D5DD3B3E062A129AC1BFB7B03435A38547D4F06A9E881F8987561D4F22FD8B205244D009DD95BEF1F9
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="duncanb".. buildFilter="".. company="Microsoft Corp.".. copyright="".. creationTimeStamp="2003-07-16T23:57:37.3369251-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2005-02-09T23:52:06.1446342-08:00".. manifestVersion="1.0".. owners="duncanb".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-feclient-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "5.*.*")</condition>.. </detect>.. </detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):788
                              Entropy (8bit):4.861772372580544
                              Encrypted:false
                              SSDEEP:24:2dtOiI2c+hMjVgJ5YMKENgwwV2iuLCJXMFhU6:cEj+hkVgJGMKIgfbuLCJu3
                              MD5:067D7C8756E0E6FC4564B151B428A5EF
                              SHA1:C4BD29E9B323930E5632355E3C381435106D051B
                              SHA-256:559C3BEAAA6DF22DFB972130B6CD9806824CEC7E2FCDD4E7707B63C7712697C6
                              SHA-512:0CB04F4C67772D278F3DAE68B66D5AF0DB3518C3E62AEC9FE94C4E6BCE8192D1CA17B4BCCDEF4A3CA7C6B46DD2D9BB60276137E1228E6AE192563A1A664E476D
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. Downlevel, migration gathering only manifest for pre Vista Type 1 Fonts -->..<assembly>.. <assemblyIdentity .. name="Microsoft-Windows-Type1-Fonts-DL".. language="neutral".. version="0.0.0.0".. processorArchitecture="*"/>.. <migration>.. <migXml>.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly> ..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4453
                              Entropy (8bit):4.935376432614549
                              Encrypted:false
                              SSDEEP:48:22e828PvMuDkDL7APvJ2I+ggUUBecKz4mstY41s6Zje0wBPpn4ts/i/mFstY41sk:22C8PvMuDkDLkPvJ2rHKzKyPpZcyPp1S
                              MD5:59A6DDDD8886EE44802284205193A8E4
                              SHA1:03755313220B78AA44D41C7C607861F7E3578EFD
                              SHA-256:838C62CE083395219A5DF722BB7B222E673DD3753E51C733BABDE4795A618F4A
                              SHA-512:4AEA3CB461200E6205C4F64D4F92AAB55E0AB51BAA9BB7B235CDA0230629664A9BD507D88A3853899DB39471242519AD736DF7666B5025E0076124B1616A0338
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="dfsrdev".. buildFilter="".. company="Microsoft Corp".. copyright="Microsoft".. creationTimeStamp="2004-05-24T17:39:48.5440428-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2005-05-10T17:21:13.088724Z".. manifestVersion="1.0".. owners="dfsrdev".. supportInformation="dfsrdev".. testers="dfsrtst".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-FRS-Core-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. Begin migrati
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):7121
                              Entropy (8bit):5.035856406265263
                              Encrypted:false
                              SSDEEP:96:22q8PvMu0W0zRlBOZtOGZ7aXJiNIjcT3Dx/9aqG6ZNt7I5FGZIEmEKSWcWR:HU6ABOZ9J9zN0
                              MD5:C73FACB9A1F1709A518D9418AB4EBF02
                              SHA1:AFC48CA8872A076CD37C47FDC359A09DB0CB02D4
                              SHA-256:39D706D3E66E712266F6B6F97E4B7138A37812CF362EFDA44C9E8CDF61900407
                              SHA-512:95564469E66EB1F585EE4A705339A7205F51AE8E0C4CE4E9C40470F298F3DF4CB651B2E7E7B221DC97DA3DE6926A5B2C652B5ED195450D90AC7F5FD4BEC10D20
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="gpdev".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-10T16:57:29.7034046-07:00".. description="Downlevel manifest to upgrade Group Policy Engine settings".. displayName="Downlevel manifest to upgrade Group Policy Engine settings".. lastUpdateTimeStamp="2005-05-04T04:33:18.0345801Z".. manifestVersion="1.0".. owners="gpdev".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-GroupPolicy-Base-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz">.. <migrationDisplayID>Performance_and_Maintenance\System_Settings</migrationDisplayID>.. <migXml xmlns="">..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1383
                              Entropy (8bit):5.100745392673965
                              Encrypted:false
                              SSDEEP:24:p/o2e8G7yA8PvMuDqSKdIqPGsL89yYd8+cDg0cj4lQu/0KMUENgw5pdJXMFhUK:22e8hA8PvMuDqSaIqushf+ogf4lx9MUD
                              MD5:BA7AC943B390CD19C83FE97FA6C6A036
                              SHA1:0B75CBDB79AD33882E6EC69D5E8ACFC76381FC73
                              SHA-256:5739AACDEF6832EC2464BECA8E983A1EE82B0059BDEBC5CB2DBB6EA52322BDF1
                              SHA-512:8A06BC2C0C82278F63A373B2040E14E90DDD3F797344BF6E2E5A57105EA8456B1170E17FD471318517C8114B47C0F271067060BBC5945CD93FF00D89B8EED61F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="gpdev".. buildFilter="".. company="Microsoft Corporation".. copyright="".. creationTimeStamp="2005-07-01T21:42:41.1667237Z".. description="Downlevel manifest to migrate GPMC UI settings".. displayName="Downlevel manifest to migrate GPMC UI settings".. lastUpdateTimeStamp="2005-07-06T21:51:03.5983541Z".. manifestVersion="1.0".. owners="gpdev".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-GroupPolicy-GPMC-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1509
                              Entropy (8bit):5.134219269732836
                              Encrypted:false
                              SSDEEP:24:p/o2e8G7yA8PvMuDqHuqPrsgyYd8+9g0cj4lQu/0KMKENgwQV2OwQV2hJXMFhUK:22e8hA8PvMuDq/Ydf+9gf4lx9MKIg/j9
                              MD5:B2B074FF954EB41E93FF53F8F3852EAD
                              SHA1:5B369CCE9C0BCC0E237AC56CC58F3CC6EA0506B1
                              SHA-256:4D4BB032F32115BB2FE85211F643DF9FBE8954905E46B65CB83482980F923D46
                              SHA-512:52D19ECF377DDB12911C2AB5B3738CCA6ED6AD34BF025AAF81A63222117188EA8C0EFFE6A0A671A9C922E4863DFF8D203033DA65BD86AB83FF47DFF74BC53E0E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="gpdev".. buildFilter="".. company="Microsoft Corporation".. copyright="".. creationTimeStamp="2005-06-30T02:52:56.0682307Z".. description="Downlevel Manifest for GPMC APIs".. displayName="Downlevel Manifest for GPMC APIs".. lastUpdateTimeStamp="2005-07-06T18:55:27.0085532Z".. manifestVersion="1.0".. owners="gpdev".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-GroupPolicy-GPMC-Api-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlie
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1444
                              Entropy (8bit):5.110590315700379
                              Encrypted:false
                              SSDEEP:24:p/o2e8G7yA8PvMu02HHpP1/JDVyYd8+SDg0cj4lQu/0KMKENgwQV2MZKWJXMFhUK:22e8hA8PvMu0QJN/Nsf+2gf4lx9MKIgg
                              MD5:4C1989692F01B80E3D8835B9576AB8D7
                              SHA1:EEFB8DD282A6E896E42179EEFF7C926844505DFA
                              SHA-256:B2DCA71D12D3D3AC941D53B379EDABB222426A96C87128FB28592A3FB7134713
                              SHA-512:71777C94DCB8B712B13D963AC2FADC2C19164866D2071A7C3F384A86A18F539B9AB2E6AB98C4736D3C0F25A4CC7FD17616A0D61BA5AAE739C56B8B148ACBBB73
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="gpdev".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-16T13:40:23.7027464-07:00".. description="Downlevel manifest to upgrade Group Policy Administrative tools settings".. displayName="Downlevel manifest to upgrade Group Policy Editor API settings".. lastUpdateTimeStamp="2005-05-04T04:25:50.5317161Z".. manifestVersion="1.0".. owners="gpdev".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-GroupPolicy-Admin-Gpedit-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detec
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1454
                              Entropy (8bit):5.097552841749035
                              Encrypted:false
                              SSDEEP:24:p/o2e8G7yA8PvMu02HHpPt/JDVyYd8+SUqg0cj4lQu/0KMUENgw5VoJXMFhUK:22e8hA8PvMu0QJ9Nsf+Rqgf4lx9MUIgw
                              MD5:BC18582D8C7CCB4D60E1FFF11ED880C1
                              SHA1:D4AC5546CEFCA761677F795C49F6FDD3178E402A
                              SHA-256:BE7C0DAA7881FD574DF580E5A0D5172092C40B959C04DBE3706BBC2DFA6E67AC
                              SHA-512:62A8D64F55E38964DD9A92298DFBAD3C0125FEBA8EEE1622D05376DE4478BAA9095EF74CA42BDE1CD260CCEAF11EDB15BAFD069CF058B0E1224905BAF9857C15
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="gpdev".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-16T13:40:23.7027464-07:00".. description="Downlevel manifest to upgrade Group Policy Administrative tools settings".. displayName="Downlevel manifest to upgrade Group Policy Administrative tools settings".. lastUpdateTimeStamp="2005-05-04T04:25:50.5317161Z".. manifestVersion="1.0".. owners="gpdev".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-GroupPolicy-Admin-Gpedit-Snapin-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ?
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1923
                              Entropy (8bit):5.088770742725198
                              Encrypted:false
                              SSDEEP:48:22e8hA8PvMu0xLthAf+2SOgf4lx9MKIgT/T//J5Ig6dJuX:22q8PvMu0BT+lBJrB5IPQ
                              MD5:12E02F00D7A917554F5BBAB7BF495848
                              SHA1:922C7B5479A466AA18DB851269C7333759809CBD
                              SHA-256:FB23B8890A40EF5AD0EA622F6C20FD29698BEE15A4A077E056C26367F8854C64
                              SHA-512:9D37B541A3FEC9190949732E3E201A06CC453239099ABDB38875B3CE34199601C71D1EF0CBE17337ECD24A7F46E0333E5A5E9B7D7C60F7CDEED20FE21868BB2D
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="gpdev".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-10T16:57:29.7034046-07:00".. description="Downlevel manifest to upgrade Group Policy Software Installation settings".. displayName="Downlevel manifest to upgrade Group Policy Software Installation settings".. lastUpdateTimeStamp="2005-05-04T04:33:18.0345801Z".. manifestVersion="1.0".. owners="gpdev".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-GroupPolicy-CSE-SoftwareInstallation-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows V
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:exported SGML document, ASCII text, with very long lines (620), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1591
                              Entropy (8bit):5.191687891083589
                              Encrypted:false
                              SSDEEP:48:VMe6teGTBujuDpfa/Z81/+xsgtgkGTGS2NGTU9+d73y0tp+MVX:V6gGTsjuDFVmUkGT9gGTU0d73btpR
                              MD5:599FE9BB462C01004FF9955671AB54BE
                              SHA1:825D7F46E3257E12BF6D4C55C99DA110D5A825C3
                              SHA-256:E84174A2D08FECEBB20CB43E4E2EAF01B1418ADD3D99F5F0A4CF6FC14BEB62C6
                              SHA-512:E813E657E9B4E3310F57ABB1E5F26322C77E8928615F75C13F26F667F4A7665BE7E339E26306248C5C9B5D50F0F5E92C790D4C03204748AE7F89FD117C7E1BCE
                              Malicious:false
                              Preview:<assembly manifestVersion="1.0" description="Downlevel manifest to check if Out-of-band GPMC is installed in XP or Server 2003 and install GPMC (an optional component in Server 2008) on upgrade" displayName="Downlevel manifest to migrate Out-of-band GPMC" company="Microsoft Corporation" copyright="" supportInformation="" creationTimeStamp="2005-07-01T21:42:41.1667237Z" lastUpdateTimeStamp="2005-07-06T21:51:03.5983541Z" authors="gpdev" owners="gpdev" testers="" buildFilter="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:schemas-microsoft-com:asm.v3">.. <assemblyIdentity name="Microsoft-Windows-GroupPolicy-ServerAdminTools-GPMC-DL" version="0.0.0.0" processorArchitecture="*" language="*"/>.... <migration>.... Refers to the name of optional component that this manifest corresponds to -->.. Install the optional component if the conditions specified below are satisfied -->.. <registerSDF name="Microsoft-Wi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1085
                              Entropy (8bit):5.08928213291473
                              Encrypted:false
                              SSDEEP:24:p/o2e8Zd8+Ojg0cj36D2K8RIK7lcE0y0oweyxXSkKUK:22e88+OjgfK78RIKZchy0oSxCko
                              MD5:8699D4E688A2A5D4B2288503178E4CE9
                              SHA1:6BA2BF33226D422ACCD87438C83F872558F01DC8
                              SHA-256:E6EB3C633255C676D65D6C0EAB39C514C2D7D58EB2E6AE3841BCBCFF410E2AE8
                              SHA-512:1782E8F2E8386C302EF3D96190B6F0D944C5109F0B9C8AA8CAA38BA62B5E377AC04536DBA943FEC08B71E3D9A8EDA7B7297C7FA37A2A5D288909B3C148FEF329
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-IEFrame-DL".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <migrationDisplayID>IEFrame_migration_plugin</migrationDisplayID>.. <rules context="System">.. <include>.. migrate something simple so plugin is assured to run -->.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Classes\HTTP\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. No plugin here since w
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1534
                              Entropy (8bit):5.109574969789153
                              Encrypted:false
                              SSDEEP:24:p/o2e8G+l8PvHAMKJ3IQj7d8+yKg0cj4lQu/RKM33pQiENgw58+w53GJXMFhUK:22e85l8PvH0JY0G+yKgf4lx0M33/Ig6C
                              MD5:E6595DE51831018A40DF08CBAC1D40A7
                              SHA1:4C6D9FC7ED1F39D7D7136228C707DE92C45F7A1E
                              SHA-256:5A69C26D3911570E63E5A0B17F72746815F964C75188555C1D09480530B6CB1A
                              SHA-512:F9EB9682D2D311CCDE13B1CBE2D3BA3A977A427FC7FEF6BDCF75D66857EB9A2B4253910A94723EE7605CE8AD09DC102CB91E6FA2517260658FBB6C8EAF917436
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="masarun".. buildFilter="".. company="MPD".. copyright="".. creationTimeStamp="2005-08-05T09:11:13.9731782Z".. description="$(resourceString.description1)".. displayName="$(resourceString.displayName0)".. lastUpdateTimeStamp="2005-08-05T09:13:55.3804612Z".. manifestVersion="1.0".. owners="masarun".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-IME-Traditional-Chinese-Migration-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:exported SGML document, ASCII text, with very long lines (371), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1745
                              Entropy (8bit):5.08539567840419
                              Encrypted:false
                              SSDEEP:48:VMy0c++uDYm81/+xsglmwZjzMNYPcY4M/8QH/KB2f:Vhu+uDYpmLmwZx0c8QfGY
                              MD5:9D298A38FDDAC0F4A9C6C4DC7F170745
                              SHA1:251A32C5AC5F332A8CAFD6D240DEB63813291D20
                              SHA-256:4A145F6AD90B6EE7C9F02B0309966717DE6796F67AEC94A8C71788C05EED597A
                              SHA-512:D4079D5C3B3BC845D109D10578FCDC44437F0185FE56C14FEF29E2F02A511B6016B8E4B2D52DF79918BE65492F10BCB0D90A0D024C72A01CEE017C0CE5E67FFF
                              Malicious:false
                              Preview:<assembly manifestVersion="1.0" description="iSNS Downlevel OOB Migration" displayName="Microsoft-Windows-iSNS_Service" company="Microsoft Corp." copyright="" supportInformation="" authors="KeithFr" owners="KeithFr" buildFilter="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:schemas-microsoft-com:asm.v3">.. <assemblyIdentity name="Microsoft-Windows-iSNS_Service-DL" version="0.0.0.0" processorArchitecture="*" language="*"/>.... <migration>.. Declare that this OOB (if found) is tied to the iSNS_Service Optional Component (OC) -->.. <registerSDF name="iSNS_Service"></registerSDF>.... <migXml xmlns="">.. Detect if the iSNS OOB is installed -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT" , "6.0.0.0")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SYSTEM\CurrentControlSet\Services\MSiSN
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2062
                              Entropy (8bit):4.925445222257812
                              Encrypted:false
                              SSDEEP:48:227+9gUKl+lxFcCY4/YBu4yTy3opyLyXyoyOyzylpjyA:22Sw+lxaWm3uCL9Gv
                              MD5:60145F68B1CF9440FA663820AE11CE4B
                              SHA1:10195A2926015E3024D769673E004AA60DFEC0A3
                              SHA-256:4805E01EB0C9B3DFEB6B754D4148588E2FB798734D9EDE20E53EB8E75158B64F
                              SHA-512:55D088040D25D4CBFF5A4210A85107666E628C67CA3134B0C836E135DBFE82AA4FA70185993E99D951307F7D159C1428B390727DA17EFEC5AA4BE9D799B96895
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Kerberos-Key-Distribution-Center-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\kdc\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Reg
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1390
                              Entropy (8bit):5.094446467191311
                              Encrypted:false
                              SSDEEP:24:p/o2e8Go8PvMuDq29VEPOIJZFPvJO8+cg0vj3oYMKENgwuGJJXMFhUK:22e8X8PvMuDqSVEmIZPvJv+cgSXMKIgf
                              MD5:50E4232AE1D4800E1949125D7F87B024
                              SHA1:4FD0914797FF244800A8CBDBBEBE7BCF7AAEBF0D
                              SHA-256:8B455A31A4A6A61000DAB3D5C31B4CA952727B684D5BC9DAF350F576D079FAD2
                              SHA-512:C9CEA3F118C7C46FCF93C3851316A6E1828C4625AA62AFE166BEBF5786638991CA8F8FD3EC69E694D0166FA1646610C6D6E62EFC66201E7A1255FED70C4DDBDF
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="cmaca".. buildFilter="".. company="Microsoft Corporation".. copyright="".. creationTimeStamp="2003-07-20T21:54:22.7548148-07:00".. description="Down-level manifest for LDAP client".. displayName="Down-level LDAP Client".. lastUpdateTimeStamp="2003-07-20T21:54:22.7548148-07:00".. manifestVersion="1.0".. owners="asafk;andrewst".. supportInformation="".. testers="michra".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="*".. name="Microsoft-Windows-LDAP-Client-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condit
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):103224
                              Entropy (8bit):5.82518278024743
                              Encrypted:false
                              SSDEEP:3072:lS9dIE7UHAsdW4tsSFFJ1uL/jpIILB7dOa:lSIE7UHAsdWBuFJ1u5h75
                              MD5:2BD3BD3F7243DC7159377B249281B8F0
                              SHA1:4BD757743E1902F6EAD1159AAF6FF429797AB5A8
                              SHA-256:5DCDF536BAFB6DD3EB1D1DF282519198636B4035CD1310829BA3EC2BF5E278AD
                              SHA-512:2FC6E2CCDA4ACE8EC0F5345C3D8286890D5597C3C2A049770E52BB31967CFDB56639B6E492F9BBC75B8029998FA3D4007F89D6C09BC7B1B1F2CFE7708E4E588F
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1614
                              Entropy (8bit):5.194660343937567
                              Encrypted:false
                              SSDEEP:48:22e8z8PvMuDF9GiL+LfgflxstY42ucG2ucN/nVBB2A:22n8PvMuDF9GLkwh7KnFb
                              MD5:B8CD2E3380A57A1A261BACFA488FFF4C
                              SHA1:925BB8994E333C9B2EF3B82725E8B54B0D9D1FF6
                              SHA-256:B88B6CFC7CCCAA40E3F43B04DF20CBA99908B95B780F79EA23B739E2B5E24522
                              SHA-512:DA77E395AE7085FB419EEB7D8EE5F24804FBD4F066F0606AAF0BF6974416A89868ADEA2B2AE15D5C974C196853576752592C7481BFF9DA219473729AB560EF07
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jroberts".. buildFilter="".. company="Microsoft Corporation".. copyright="2005".. creationTimeStamp="2003-07-17T17:35:42.9174496-07:00".. description="Background Intelligent Transfer Service (BITS) core components".. displayName="BITS Client Core".. lastUpdateTimeStamp="2005-05-04T22:19:20.6095083-07:00".. manifestVersion="1.0".. owners="jroberts".. supportInformation="".. testers="narayanm; frankcao".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Bits-Client-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <detects>.. <detect>.. <cond
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):105984
                              Entropy (8bit):5.688659352207382
                              Encrypted:false
                              SSDEEP:1536:x8UfjCAYEtoCdzLrx1gk/kOq0c9L+86+8iaA5cIzdn+Gzzn8kfSC:WUf+9qZ1pg+gLa6F+Qzn8u
                              MD5:9614694FF263B23FC7085D4A0A5F2888
                              SHA1:217100B7605DB2BB1CD5473157F5D7C980962C80
                              SHA-256:73F2FCBA664B1B7E0287257A590EFC99885DB650FEFC4D78761841A57552F0B2
                              SHA-512:1C407B1BFA6DDA29486B317B1CE3F3FB370620BE81F938AC22E71D847C00E4EA621FDB698AA4747A3C2CA2A545CE312DA6BD4040A79F6656A35CF81BEB676F84
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1865
                              Entropy (8bit):5.096486064338565
                              Encrypted:false
                              SSDEEP:48:22e8a8Pv8MjF5lFPvPvJv+F1lgMY92cMKIgqw0UiJuX:22u8Pv8M55fnPvJ2FAHQUuQ
                              MD5:04DF7A15A7FC1C5D777C2B5E724E1DD8
                              SHA1:36E69692DA3A0759DEA66CF81B9085EE6EC06B16
                              SHA-256:BCB014D7F483389021D7D9E9B75A9D32DEAD45AFE729CD73BBD6E5D08E338B47
                              SHA-512:2137532A46BDC51D02744E792B9BDF950990E1B4E4DCD9755308423E9455D38D3EF35B9489FBFF09AFDA9D142657C9E4A38123125662ED2EEE3CE6BEC986832A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="vishala".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2004-10-15T21:30:37.0535545-07:00".. description="Downlevel manifest for Certificate Services".. displayName="Downlevel manifest for Certificate Services".. lastUpdateTimeStamp="2005-02-16T22:40:06.8387341-08:00".. manifestVersion="1.0".. owners="vishala".. supportInformation="".. testers="shawncor".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="*".. name="Microsoft-Windows-CertificateServices-CA-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <registerSDF name="Certificat
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1439
                              Entropy (8bit):5.0920759681984595
                              Encrypted:false
                              SSDEEP:24:p/o2e8GgI8PvGFM9xPD3njhFPvJO8+F1Wg0Mej3o9+ExwZKMPFhUK:22e8a8Pv8MLLvPvJv+F1WgMY9+3cMNX
                              MD5:AE8B30E04A3785D32C06BEA3CC4BD120
                              SHA1:30FCB7CB91BBB051A2BAC57A25C731E981FED5B4
                              SHA-256:F3330F3D6CBD9F60B6B1B4BEB33C783429C292500E549FEDD0232CE431070A61
                              SHA-512:6001D9EB9DF5AEDC065437727F76C0845D6EF24B4E652C684ACF442A449D345564E8AB45B4369D63D617CCB7CC0209FED2DEEFF0B7242F456D3616EA6B58DB56
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="vishala".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2004-10-15T21:30:37.0535545-07:00".. description="Downlevel manifest for Certificate Services Management Tools".. displayName="Downlevel manifest for Certificate Services Management Tools".. lastUpdateTimeStamp="2005-02-16T22:40:06.8387341-08:00".. manifestVersion="1.0".. owners="vishala".. supportInformation="".. testers="shawncor".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="*".. name="Microsoft-Windows-CertificateServices-CAManagement-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1721
                              Entropy (8bit):5.145103622619316
                              Encrypted:false
                              SSDEEP:48:22e8R8PvMu0JJHPvJv+F1dgMYltcMKIg/0foYJuX:22F8PvMu0JNPvJ2FglaxqRQ
                              MD5:CA8A8B54C1720BC9023AF3A3CF0FC3A7
                              SHA1:1B1052FD76C120233D4A87E5AF4BFFF7A001DEF1
                              SHA-256:A4435386678CA713AF41F60EF4E4CE5F8CE45115DB5391697261732F24382B7A
                              SHA-512:5930DB44BA8DA98CEDC697B8402D5619D3072C1A3BFBCCD3C8E585348DC32879AF7ADE4E3C2F926C4B58C26CF8B7CCE94C2A3BB243246ECFCAB4043424D20714
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="charfa".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-01-01T00:35:52.6386021-08:00".. description="$(resourceString.description1)".. displayName="$(resourceString.displayName0)".. lastUpdateTimeStamp="2005-03-01T23:47:26.4788237-08:00".. manifestVersion="1.0".. owners="charfa".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="*".. name="Microsoft-Windows-CertificateServices-MSCEP-DL".. processorArchitecture="*".. publicKeyToken="".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <registerSDF name="NetworkDeviceEnrollmentServices"/>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):161792
                              Entropy (8bit):5.414397135527631
                              Encrypted:false
                              SSDEEP:3072:h+KFbtjH7gRWMNb0hOTp9YV5dbj5aNCFD:hfjbgpkOTpYFaU
                              MD5:C151C66427B592C84D897B421EFD6162
                              SHA1:0C9B3D95410C066E2349A93ECD29E67F1A15BFA3
                              SHA-256:728BAEE181199E07F56E73A8F703AC99A9E7B7531C17021D6D45538554C6B42B
                              SHA-512:EF42A02EDD8CED1CB67D2A24ABC157EE7660EBEB3466FD702CF3BD7AE8480B81060B9FC6BA96659B16778C861BEB2355C3BBA62DC364007E58AACD9F11B7C848
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):83768
                              Entropy (8bit):5.915651101900372
                              Encrypted:false
                              SSDEEP:1536:yoRZTZZFJ7fbMdrqUb5FhJAEwsbEV/1ClPDIN:yoRrZFJ7AqOJAXV/1ybIN
                              MD5:5F67267EE24978FBC8370A8D0E8746CD
                              SHA1:6DE562B98FB0C233EFA26D74F68AB1F0F9398DC5
                              SHA-256:ACFBD8E9940762F9208A486660624BEDA11999793742EA09694828410C24352C
                              SHA-512:55E377B1589EFF8BEF7837F18A2ED5BDA5A4E815EBF6CDA895F51297BAA6A24D5F97A148B5CA5ED5645911D7E4504D29B8277D8D0FBADF5F0BE9DFDF6BE379CA
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):134144
                              Entropy (8bit):5.934232391201464
                              Encrypted:false
                              SSDEEP:3072:U1107lrt3mdo5WZJVXeWx/FQ7aD32QozbLahc9IkyQECD:UvSlR3zBkG7aDGhXLOr
                              MD5:DD3BBEE7AAC33192681232FA76E1B4AA
                              SHA1:F1197DBDFA201122C36344894DC2FA1C88507BBC
                              SHA-256:E32B83584F2996EF6D03594E0D4C8FA0FF381FC2186F7961E53566573F019F9C
                              SHA-512:2C3F04A4B7848FEE3F47B3E6691303B0FBE06011A23243388AE6804147499E45C6351FE9E45F0D97BF3D88CEA56637AA3D337704AAD880AE3CBE79E9AFED8E8E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):131896
                              Entropy (8bit):5.729446087353747
                              Encrypted:false
                              SSDEEP:1536:cQ/P3Zh7JqPM++lXiV2rfUUCUIIb8TrnGsLI2q3IJXQE0wkPz:x3H1qPT+oV2YUCUIhTLJYIJXQEjkL
                              MD5:08C232848EFD76131E4CDC10BEFF3574
                              SHA1:373E854831485CCBB7226733BA73D746EE470F32
                              SHA-256:05E5D9B65F34A7CB0B3DFD5C7180D2F46BF99B60B69AE22827BDAE25B2A4D836
                              SHA-512:0245BA4340D2B847B2FFE65DE3A2BEBDECA43DAB0BFEBB8539D12F595E33880E94C07E5CA4F8EAFE2BE848DC7734DC66035F30ED84FFAC68BCDD2ED4EACB1EAC
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1938
                              Entropy (8bit):5.037529820616263
                              Encrypted:false
                              SSDEEP:48:22e88+JugCbKzMKIg/JrY/JrS/Jrz/JrhiJ5Ig6JrY6JrS6Jrz6JrhiJuX:22zOuxJyJEJ/J1u5IJHJFJ6J1uQ
                              MD5:62093C46539F91BC2055D2105E9795DF
                              SHA1:6A3A41286B5EB5A1EA64F9C4CD2D867215E1BAC4
                              SHA-256:13EA757D3F0465AAA95B3C35BA7968C8E7CDB53E478C71D4A325BD01A8292024
                              SHA-512:0BDB76086A211E18F93FB02B959B8719E8B3D58D71B72C56D724F49A1D90F1FA49DD4E12FA94FF189AAD3E1BA18CC2B6593ABBB218C2F7CD40EF780CE47D1A48
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-ErrorReportingCore-DL".. processorArchitecture="*".. publicKeyToken="$(build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "5.2.*")</condition>.. <condition>MigXmlHelper.IsOSLaterThan("NT", "5.1.*")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\PCHealth\ErrorReporting [DoReport]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\PCHealth\ErrorR
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with very long lines (432), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1142
                              Entropy (8bit):5.194105853432685
                              Encrypted:false
                              SSDEEP:24:VM7uTXTIlzX7xD8+OMA0F+Jgsg0jDMKENgwEnJXMFhUK:VM7ur0l581kF+Jgsg+MKIgRJuX
                              MD5:989DC46E215876A1EE9C8BEBC5C97AD4
                              SHA1:DAAFD23889AADF4489A914FB25D355CEDE086121
                              SHA-256:FDD61F905CCA1712B587DB7A0AA8EB4F57E04552FCEB8EAC27EC77C03DE3DDAD
                              SHA-512:70EE7B9962A2BB2B65CED35926B44223DBE37F958FBD8AE96EFD18A80F99F57DCA18DF96A21FF3720AE0B08265B76A4DFDF8C6E05A9AB0FBDE1FEFE884D839C4
                              Malicious:false
                              Preview:<assembly manifestVersion="1.0" description="" displayName="" company="Microsoft" copyright="Microsoft" supportInformation="" creationTimeStamp="2004-04-04T18:21:41.4684914-07:00" lastUpdateTimeStamp="2005-04-14T03:02:06.6003799Z" authors="haseebq" owners="haseebq" testers="" buildFilter="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:schemas-microsoft-com:asm.v3">.. <assemblyIdentity.. name="Microsoft-Windows-ErrorReportingFaults-DL".. version="0.0.0.0" processorArchitecture="*".. language="neutral".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "5.2.*")</condition>.. <condition>MigXmlHelper.IsOSLaterThan("NT", "5.1.*")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Contr
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3761
                              Entropy (8bit):5.000994504777243
                              Encrypted:false
                              SSDEEP:96:22k8Pv80EcPvJ2r87001UIfP+EAppIIybtJcInO69o:dHE8ko1UNoFRJcv6W
                              MD5:1871775764C01E082EC3C9ADE31309DE
                              SHA1:CE085C1462A0354385009ECF2FB5A998C18F2A38
                              SHA-256:9820A7AC4807039D7A770EDFB428AA4EE7AC285CCAD392636B9820646E93AFC7
                              SHA-512:E1E1B7DCB388D2A1B58A6AE66DDF575A45BEF031B713182501437E09C20E94A6DB5559C1ADC0B0851BE63B251864C367B4A1C2AAF7988C58390635BE7DD3CFB6
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="anoopc".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2004-10-07T01:01:33.6028792-07:00".. description="".. displayName="".. lastUpdateTimeStamp="2004-10-11T17:43:48.5230435-07:00".. manifestVersion="1.0".. owners="anoopc".. supportInformation="".. testers="nareshc".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-Fax-Client-Applications-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. buildFilter="not build.isWow".. scope="Upgrade,MigWiz,USMT".. >.. <mig
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1831
                              Entropy (8bit):5.080714352919618
                              Encrypted:false
                              SSDEEP:48:22e8A8Pv8cEQIPvJ2I+vgUKL0FISThgFlzmZdsE6ODUMNvH/:22k8Pv8cEvPvJ2rm0F3ThWlzmZdsEZ7
                              MD5:8240CEEDEA27D2DBF23A35EC8F69669C
                              SHA1:EC87F55793EBBD95819639C32A34CB2C3E0EBAEE
                              SHA-256:181201D7235F032C3ACD1B4D82430BA1BABA001054D7EE6A6F534C874CDE6BBB
                              SHA-512:59FA6F69A4AC7E09763BA618F5FF19FBE7F75035326B87DEA8B06607F1108C85B880D4A5B18D77872DD0985525970EB7BC084FDE49552DA03296FEB8FF774CD3
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="anoopc".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2006-01-03T01:01:33.6028792-07:00".. description="".. displayName="".. lastUpdateTimeStamp="2006-01-03T17:43:48.5230435-07:00".. manifestVersion="1.0".. owners="anoopc".. supportInformation="".. testers="nareshc".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-Fax-Client-ProEnterprise-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. Declare for which Longhorn equivale
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4829
                              Entropy (8bit):5.035426372588507
                              Encrypted:false
                              SSDEEP:96:22k8Pv80EcPvJ2r70VcI/BK1NdQDHXSt36bBJaIC3wKcN3qrYQ:dHE8k0Vc3KbBJav
                              MD5:1D9BAF2FA0E095A9FB78A739020CC1F9
                              SHA1:21096BCCCB49DB54D1C48BAB56977DDC2C6E60A2
                              SHA-256:0905350B41E132B8733B3C4CC9FB73C8D681304C515185356C542E283B7DDA17
                              SHA-512:BF136583A138856FC8FB183DA5CFB9010D1BE9DB6C083F4F81A1C398E926CAF1CDF1DBE1EF0E45BAE9DC5806B1AD93C18ECCA3D9F954851FA8F2F0F11DD0B82A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="anoopc".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2004-10-07T01:01:33.6028792-07:00".. description="".. displayName="".. lastUpdateTimeStamp="2004-10-11T17:43:48.5230435-07:00".. manifestVersion="1.0".. owners="anoopc".. supportInformation="".. testers="nareshc".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-Fax-Common-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <migXml>.. Common settings for XP, WS03 & wi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1855
                              Entropy (8bit):5.084148755310959
                              Encrypted:false
                              SSDEEP:48:22e8A8Pv8cEQIPvJ2I+lEgUKL0FISThfhhFlzmZdsE6ODUMNvH/:22k8Pv8cEvPvJ2r90F3ThfhjlzmZdsE9
                              MD5:D92F4D4F96DED8F8E2C08CA2F9A7B01A
                              SHA1:BB4F0F6707B531F5299D2AD5B01DD09B5351710C
                              SHA-256:A6ABF7FE1749C6228A9E49CEABAD8C85777F3C145BB1C623410462DEC1160620
                              SHA-512:4A9FE9B01D2E3F80E3E96270B44DFC6648EB8D2C391E2A368D3F9A6CE8B7181EF75AE7BF9A75D346E790FFB7D4A9D067FB3C91B620944D7B694B009502121F5A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="anoopc".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2006-01-03T01:01:33.6028792-07:00".. description="".. displayName="".. lastUpdateTimeStamp="2006-01-03T17:43:48.5230435-07:00".. manifestVersion="1.0".. owners="anoopc".. supportInformation="".. testers="nareshc".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-Fax-Server-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. Declare for which Longhorn equivalent OC this man
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):7636
                              Entropy (8bit):5.089620857068488
                              Encrypted:false
                              SSDEEP:96:22k8Pv8d3PvJ2rN01aRtRSqN/irg/VEern0t36nPZrhcwTm4S6JqGMG+2tRSqN/Z:d6/ky1aKLKnXcH6oIe8Pke
                              MD5:3A7D416201B60830DB53D29363FAEAEE
                              SHA1:779BEDB6CC07256F0EDE0FBA5645B97E254058F6
                              SHA-256:ECA208BD1D46268D83359B228C395C2348B87E4E180B2AFE0EF4C7B2D2A6C1EA
                              SHA-512:E7FD5CF260D712FC375D88D8EDB7B7BCC79C06018E0A5150B5E53274FAC158BEE4D89E0D681DD2B2339DF1E090C0FC708766819EE2A3F1FAD9509697A2494ADB
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="anoopc".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2004-10-07T01:03:17.4233170-07:00".. description="".. displayName="".. lastUpdateTimeStamp="2004-10-11T17:02:16.5517111-07:00".. manifestVersion="1.0".. owners="anoopc".. supportInformation="".. testers="nareshc".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-Fax-Service-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrade,MigWiz,USMT".. >.. <migXml>.. Common settings for XP, WS03 & w
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1789
                              Entropy (8bit):5.010629187839805
                              Encrypted:false
                              SSDEEP:48:22e8X8PvMuCD9qOPCPvJ2j+BgUUzMKIgfdJuVC8:2278PvMuCD9qOqPvJ2qSRPqC8
                              MD5:23701985866C9BE3441401768F70BA81
                              SHA1:13ED10090C2E9643E8BA356E7B86715F7739CDA6
                              SHA-256:14C9D671B9051C059CCC896C26C76B0DAC6C0C7BF5E724EFFF1B67E3A508187A
                              SHA-512:7B64394400433D0986EB3676EFEC879693448B299167703C0003FFD9F24C8DEBD7666E71CF93D7F31682003AC2B218D7896B204549661C27F87ACD4D9DECBF8D
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="pkamani".. buildFilter="".. company="Microsoft".. copyright="Microsoft Corporation".. creationTimeStamp="2004-05-18T14:23:35.1938400-07:00".. description="$(resourceString.description0)".. displayName="$(resourceString.displayName1)".. lastUpdateTimeStamp="2005-06-06T16:10:33.0645462-07:00".. manifestVersion="1.0".. owners="pkamani".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-HtmlHelp-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xml
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):696336
                              Entropy (8bit):4.996211653951287
                              Encrypted:false
                              SSDEEP:6144:2uYX5sSRTnBZ+MihWhq45YaZFt/+9a2YQbGtshZ7uXPl:CXznBZ+q5YSR3o4h
                              MD5:035D82BD4F8F727B972F857ED5BD2CB5
                              SHA1:507A5B714F15B189D6D9AC62BF20A6B26FEECA7F
                              SHA-256:260E090A3D2CF2A02671CA71E1855600FA248A0EE612EC602430AEFFC14CA220
                              SHA-512:C875BC4F5138A115601E4F7FFB71C4607DB2270369CD9117EED8C7EA933548D9CD829025896321CC325F7C80905FD54029A849B776B483ADA9B8D18D2EEA2416
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):487936
                              Entropy (8bit):4.546770618518273
                              Encrypted:false
                              SSDEEP:6144:E2t6Nk3tbvB5thn3FOzZlA9qB8/q7YCDhZ7uXPluxm:E2t6N4J5715QB8S7JkMxm
                              MD5:A480B9DB8220FC1F95FBC185F24342DE
                              SHA1:DD56E414A4B1895624E5D344513822AD40F983EB
                              SHA-256:21DFE5F48A30A052ECEA36EC93C8BE2EEE58DE03956689178EFE68AEB42EFF28
                              SHA-512:9750B06D1DDF5BFE05250F3FD5BDBCC4327D46BF83622949B8C6DE0239BEE0D13AF0FD8A9E1439837304AE0AFC38E8A2DEC3BDFACFEE25A37464D2B078718866
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):43520
                              Entropy (8bit):5.824918871859753
                              Encrypted:false
                              SSDEEP:768:hyQE9A/W2z1Kt/yIEvBJoW71qpoEhca1DpCnL0woCLQy4YZ4AhcdpH9+my4:hyH9AApW9hk9Ca1DLpCcJ+sdp1/
                              MD5:9DF43270B161326E096508F7EA3EA095
                              SHA1:5CE1E2F7243968CCAC364649C7D748FDB289F0A1
                              SHA-256:89C2D05C9802C946609CD3C83626CC819101B298ED032306D223E4A6CB7F685A
                              SHA-512:3D4ACC646DBAD07028A34F5C3B2FE2ED0348CF833EEE86551EE91FEF6A1AA3EFE32DB36F9B3CA7AA95645C8202B11C8EE4224B89FC2A2F28F8F31CBCCF919DAD
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:exported SGML document, ASCII text, with very long lines (498), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1927
                              Entropy (8bit):5.268702650013656
                              Encrypted:false
                              SSDEEP:48:VMv+wuDprv81iIIeg+QsgKz1lxjl3n54WWItCAg/nnl/nwDJuv5i/:VTwuD+irezr1lFlp4WbCpntwdn
                              MD5:363D39CEA7AB47F43EC0EE3A36B2ABA1
                              SHA1:0D1AB794F05B424D0FC65B0EEBE0F8AF1ECE1DF5
                              SHA-256:AFD1318BB222F9F20F8B23C32ED046BEBFB8303EF1E8594795F3BEDF93476AFE
                              SHA-512:E1A66A027AF8E3C810972807B4288404739F8F872E29D05261BF669FF7F751F1E7EFD93F69AE159DA7DE4AAF15EF1E235525DF0A71E6192CC10784B93263A5A8
                              Malicious:false
                              Preview:<assembly manifestVersion="1.0" description="ESC's Downlevel Settings" displayName="Microsoft-Windows-IE-ESC-DL" company="Microsoft Corporation" copyright="" supportInformation="" creationTimeStamp="2006-10-05T00:28:14.1973236-07:00" lastUpdateTimeStamp="2006-10-05T00:28:14.1973236-07:00" authors="durgav" owners="mpurohit" testers="anupamv" buildFilter="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:schemas-microsoft-com:asm.v3">... .. in DL manifest, we only care about name, processorArch, language and version .. elements in the <assemblyIdentity> hence can delete the rest if you like .. -->.. <assemblyIdentity name="Microsoft-Windows-IE-ESC-DL" version="0.0.0.0" processorArchitecture="*" language="*" versionScope="nonSxS"></assemblyIdentity>.... <migration scope="Upgrade,MigWiz,USMT"> .. <migXml xmlns="">.. Check this is only valid for down-level OS < than Windows Vista..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2339
                              Entropy (8bit):5.153710436431522
                              Encrypted:false
                              SSDEEP:48:22e8p8PvMu0J7p+eKgftrkMUIgajlujluhi3JBU99ccgaOZaQpa5ivv/:2218PvMu0JMsrWooo8BCnO4HC
                              MD5:029FE1BD94E1F6BA290FD005F185AF08
                              SHA1:12B8F2EF24958602A75304317EF22A4D1C9A1FE2
                              SHA-256:219E784B5562BA8FC6E32A05CBFACCB13B685918D16AB78AF5182816263F99CE
                              SHA-512:74BFF7AFD30CE8905EBC9361F80C495AFE6029F1EE3BE2E8E3EF2F08725631685B3021F248759660272F96625C1BC710ADFB4580862D159295A07F78ECA53D96
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="johnlue".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2004-08-20T22:01:03.3397033-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-08-20T22:06:41.4113372-07:00".. manifestVersion="1.0".. owners="johnlue".. supportInformation="".. testers="robertr".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-IE-Feeds-Platform-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml.. xmlns="".. xmlns:auto-ns2="urn:schemas-microsoft-com:asm.v3".. >.. <detects>.. <detect>.. <condition>Mi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:HTML document, ASCII text, with very long lines (487), with CRLF line terminators
                              Category:dropped
                              Size (bytes):13279
                              Entropy (8bit):5.062350268837018
                              Encrypted:false
                              SSDEEP:96:Vlu/CmtXJtobvRaYtq7l4L02l/NZyyfBcG96UDtqLfq7CHIglqvZuBRuazV2DcAG:VlSjev4OQpDRz
                              MD5:FFD0543EDD2C67F85B78FFA35F50F91D
                              SHA1:49AC3F4335D195C8792BABC59DEFB8CDAA147368
                              SHA-256:A46FB3502F66663C73ABBCA01D3DD156EE07C6896B72CC0EE7F46D668DC38250
                              SHA-512:B89EE4ED18DBA89C10538EFA6661A1EB4ED05D79D8F7CCC61524C6F137FA401A4E0DCEC3DB281193B2256FB6B304103D6BCE5D764594964F37C112D33B5DD54E
                              Malicious:false
                              Preview:<assembly manifestVersion="1.0" description="$(resourceString.description)" displayName="$(resourceString.displayName)" company="Microsoft" copyright="" supportInformation="" creationTimeStamp="2004-08-20T22:01:03.3397033-07:00" lastUpdateTimeStamp="2004-08-20T22:06:41.4113372-07:00" authors="tonyschr" owners="lihsinh" testers="" buildFilter="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:schemas-microsoft-com:asm.v3">.. <assemblyIdentity name="Microsoft-Windows-IE-InternetExplorer-DL" version="0.0.0.0" processorArchitecture="*" language="*"/>.... Gather rules for the downlevel settings -->.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>.. MigXmlHelper.IsOSEarlierThan("NT", "6.0").. </condition>.. </detect>.. </detects>.. <environment context="System">.. <variable name="InternetExplorer.BrandGUID"
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1461
                              Entropy (8bit):4.991883698846158
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YQ8+gFg0Ldej3BO5s0W2FPaPsS6KSJYMKENgQ0JXMFhUK:22e8z2I+KgUUxSs1rqSMKIgpJuX
                              MD5:072F2F6C9CC6B88F63E01E4820A4F528
                              SHA1:6F1C7FFDF1625FB098D7A5744A42257843ECD664
                              SHA-256:414B961F321018D324CA3177295CFA726AB52DC864B1DE567B4FBD4952BFC39B
                              SHA-512:C78EDE9B8BB83BB6D15DA3824B6B5D41E4D6DBA46EC522DB904E1BCE604F712F947CFB724E4658C37AB9C41B81527CDC759DDF308E1E1B3B9FAF8C2C2406185D
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-IIS-CoreWebEngine-Deployment-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <registerSDF name="IIS-CoreWebEngine"/>.. <migXml xmlns="">.. On a down-level system, we detect the presence of WWW by -->.. looking for the W3SVC service. We base this on the -->.. registry key for the service declaration. -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0")</condition>.. </detect>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):51200
                              Entropy (8bit):5.617165640831408
                              Encrypted:false
                              SSDEEP:1536:fwYG/fuWO3LO8oS2gb+zclbPiBtI+05V9xbt:IYQNGGS2gb+zPI+ILxh
                              MD5:1C3138D600059BEB184624942F19082C
                              SHA1:98C974464E790190C6318F637ED8A21B619ED71C
                              SHA-256:2887D0A3858253E51FBDB9CFFCA3604411C3F794D71579BCE0B16EB9D7E63586
                              SHA-512:9F10ADEF8098AAF40EA37245B8CA0218CCB8BC35B4E2D615F4EB56DE716FE22C1142BB887055E77200C9681C57CBE4BC96AB7DA4BEFC9C806FDD3448968CF42B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):146744
                              Entropy (8bit):6.220934651140321
                              Encrypted:false
                              SSDEEP:3072:wK6itHnGuW/y/tySpbsobu6W7rKq8k61ov86S+HPoO/QDpcmdVty9ZT:wK6ityQRps77rKq8kUuKdkZT
                              MD5:EFDF5752A52A0C1719E9ED34F4F6A15E
                              SHA1:E99D63E5D9511CFD165F11AA7A2FE146B02BB5C7
                              SHA-256:59863AFAC6B8D572E0CB010BCB16AFD8A56AB53541A4E08242793581E45815C2
                              SHA-512:2F09BF65C6A6C290A40B7B79A913E8623BE82BF1413A54F92953112061918F598DA16A6034E3C38E00275879085145AE83AE551D142A0B5ABA91AB7D997CBBA3
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):9028
                              Entropy (8bit):4.991463607447326
                              Encrypted:false
                              SSDEEP:96:tMb2X2rmoZ+TkuYDdEiU6xBvODeopeADdEiU6xBvO9rlDdEiU6xBvODeg:t+7imr+
                              MD5:F3E99F695CE37AD2DEB2517989284FEE
                              SHA1:D17F59F93BB0EECEC07B6DADCC143BE7758DB593
                              SHA-256:D64EAEC5467DB9F5F38F0325CE9CE6A081BBF75184206AE547EC559AB33CD201
                              SHA-512:5A04E33D7317A625C3DB833E110B7DEAF686A0AC292D5F169DA783352C3EFC0AD68F4185E2D116F69A09EAEC6E1BA3844DA41BB3B338A44AA8886CB0ED876E43
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... Downlevel manifest for component Microsoft-Windows-NETFX35LinqComp --><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-NetFx35-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <registerSDF name="NetFx35"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry","HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5 [Install]")</condition>.. <condition>Mig
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1273
                              Entropy (8bit):5.237404909704361
                              Encrypted:false
                              SSDEEP:24:p/fMtQ2e8GV+8PvMu0VLiFPvJ2YQ8+8g0Ldej3oKMPFhUK:tMtQ2e8L8PvMu0VLiPvJ2I+8gUUJMNX
                              MD5:2C060DAC3163B678F141EA10629BC722
                              SHA1:C2B536B9E9646D04499E14436965B4DEBB453769
                              SHA-256:85B1C323F9C6010ED269489E11CC3EC58B359F4B0B23350C9DB37FD39AB99B49
                              SHA-512:972923C93472A538A327EA65D7A75D748B54EBDA2611B382DFDB92B9017075C87390863EF90DCBB83D7ADB278EFEA597B0A82E0860098D1ABC65DBB016BACC4A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... Downlevel manifest for component Microsoft-Windows-NETFX35CDFComp --><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="wdong".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-07-27T12:29:38.8364502Z".. description="CDF for .NET Framework 3.5 Downlevel".. displayName="CDF for .NET Framework 3.5 Downlevel".. lastUpdateTimeStamp="2006-07-27T12:29:38.8364502Z".. manifestVersion="1.0".. owners="cdfsetc".. supportInformation="cdfsetc".. testers="cdfsetc".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-NETFX35CDFComp-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):45175
                              Entropy (8bit):5.249877021842
                              Encrypted:false
                              SSDEEP:192:tUfkCzkPLHGcD9BsdKD+NnQPvnJPQICSZWpO2PEjMKQmM/Lh3yyysFAMrQd:tUHkz0iCEgKo/L5LysFrQd
                              MD5:F9611CDF952294B519A10BA8C7F9A4D8
                              SHA1:C2A874E06894725267C93390CA72C6EE99BDBAB5
                              SHA-256:70D560ADF7C8384D1D6AC8D471A66F1E2286A6DCA4691E309E88B0AF70F558EE
                              SHA-512:344006BF909BCB1CA7A4198B8F83B726D9197F0D9327CFFC29A3EB798D8D3F24B6E68D75F4F338B9D9196AAFB8AA3C30A7ACBDC54E211D7800EBA7F40464F641
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="ddbwg".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-09-15T15:53:55.2793307Z".. description=".NET Framework component".. displayName=".NET Framework Microsoft-Windows-NETFXCoreComp".. lastUpdateTimeStamp="2005-09-15T15:53:55.2793307Z".. manifestVersion="1.0".. owners="petefang".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-NETFXCoreComp-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <machineSpecific>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):110904
                              Entropy (8bit):5.855988007554627
                              Encrypted:false
                              SSDEEP:1536:d5BlDF15mjQ0KLjHuZgLN+7LytXGYP0wrGes9zthH9CvPyx:1lDF15gQ5GZgR+C2A0wruhtrCvax
                              MD5:133A7E0C5FA564DC354A6926C2FA947D
                              SHA1:2A21221A578477E8EF898E51388D93B2E7D934AA
                              SHA-256:AFDF4C5C145AAAD429A39AE87AB06A6F72A989C5BB23E6F684A0993E528259E2
                              SHA-512:729A2C91452B4F694C937F61ADD26C08D2B1D882991EB101A7E464B66A2E4FDC239AFD702DC304826B5A8289EDA4C3E6EE1A917BBA9A7A843978EFCC84857566
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):157696
                              Entropy (8bit):5.88652978564066
                              Encrypted:false
                              SSDEEP:3072:J/yZzR7pNr/UKDpti+JgN9mSKiU0s9quftr79A9aY3g+nW2lGGwwxm+:J/kR/r/UOtZgSv6mHR79AxRGG9c
                              MD5:4927D288AF6331EF4F8D6692CC9EA0A3
                              SHA1:C8F74E5749804DA844C3361827F41A2BA6F630CF
                              SHA-256:B3757348165A0B946A9A853B6430814692284433FE38842CAB98D907410501B0
                              SHA-512:36D5C8AA2A45C2197172FBF086F1E7CA406C11653B2061925AEFF6B5662D006D24A953B0747CB4F48E98533847BE13124AEAB25BB20DF7BEE0C8214252DAEC25
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):69632
                              Entropy (8bit):5.701239601318896
                              Encrypted:false
                              SSDEEP:1536:aekOppoRxdOsxYMy3JLMLUJLBG7CuO69hNbpgfMWC:aBDo0jyZ+SU/OYNbqfjC
                              MD5:0E728BE04D0F76350520787AD6912B65
                              SHA1:B0357BC115B139CD77ABB1385C52C39ADE8DCD04
                              SHA-256:57A9D678A703A9ECBD8CD543E69BF8F2080DED2F3F0CF1A31D240D41FA7A7E42
                              SHA-512:E7968C0A885A6F4304EDDD83E9B84B1F4CBEB1BF324A331A89C9A74FE3DA2CEB338A0EAA6F8D6851C9D4FA2EC14710C78F467DEFB7829BF8069BA597C78E0D9D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):540176
                              Entropy (8bit):5.908357313836613
                              Encrypted:false
                              SSDEEP:12288:E8XNpcZRlTTQKXHWde60DqdZo3QYECIF0Z96wxPBj:z6pEKXHWdCDqnwHIF0Z96oPB
                              MD5:101A4BD5CC27B52F5B17A1DE62241882
                              SHA1:66A971AD801BC44C83E8E622662F4A863FEF9C07
                              SHA-256:B4C471710BE767BA3EE5C8682F7AA64CC7F9364BCC7558B763942CF3A07597A9
                              SHA-512:5A702126B5DFA37FFFD77730C6605C54E8F6D633A7EFAF562FD7ED2EE180123CC4CA6582BEEA38342AA69FD32A92E803882E61E79EB0A7CB21B1B58E0CAAF77D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):7992
                              Entropy (8bit):4.920618840155548
                              Encrypted:false
                              SSDEEP:96:22L8PvMuDr/fkf/gHsrRVsviMu8tRzKqWwazb:4UkGgMrRcw3v
                              MD5:8877874D59A4B4138375E387B9DF4702
                              SHA1:1CE301E6BDD4A41E2A9E8E1A67EA19A2A6C8CF17
                              SHA-256:1EB0EA176B3C6BD90CE30CB113BDEADFF8F5C1D165C66E5336CFE5C537FBC436
                              SHA-512:C10D2FB5AFB8F4810CA5DB42297D14397EF75268B3DF42C1EB1717331013B59D14A54CDC8CFDA373A7DA4D339ADEF2DBEF53E5EC21DA29C2D59C54EF030CF703
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="KeithFr".. buildFilter="".. company="Microsoft Corp.".. copyright="".. description="Storage Component Migration".. displayName="Microsoft-Windows-StorageMigration".. manifestVersion="1.0".. owners="KeithFr".. supportInformation="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-StorageMigration-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. ******************************************************************************************************************************************.. * Migration plug-in declaration *.. ************************************
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2587
                              Entropy (8bit):5.081321346591215
                              Encrypted:false
                              SSDEEP:48:22e8T+8PvMu0t7i6+GgftRcVIgfEd/fEsVTJ+q/XcVIg6Ed/6Eo6EpJuv2/:22/+8PvMu0te9bQRE9EqNR/CIEcErEjf
                              MD5:5E86B2DD0E65149AE1594E45C0B73FF8
                              SHA1:695B6B852EA66F465B2A4B6D5FD3D47A4E1C2D35
                              SHA-256:679CC14546B49D35306EDE3D8FE4F63B466887BE425651D569A4DDFD09C40466
                              SHA-512:4F81C2EDDB95BE926E15D2BAAAC606A61BD6908838584EF51E56BEE5B633EA73AC986FE558B2A8E6DB83393BD06DFAA64E7D8137C9EF62B00C155ABAD41D6576
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="anandsg".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-23T16:58:23.2516123-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-08-10T10:14:55.3853460-07:00".. manifestVersion="1.0".. owners="anandsg".. supportInformation="".. testers="smeesala".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TapiSetup-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <rules context="System">.. <detects>.. <detect>.. DL manifest should not run on Vista itself -->..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):66048
                              Entropy (8bit):5.757928251237187
                              Encrypted:false
                              SSDEEP:1536:3o+pOOKzuaM6GL9oo/nT7GqR0W0o/Je+0Njpn9OSTJ:4+oO0SjX/TZRCyU+cjp9OSTJ
                              MD5:8A426F26EC1A714ACA3D21E069B829B1
                              SHA1:D53C30A14DE4082DF315432C17A52660CD31FFF7
                              SHA-256:C347B91C778752742F1FC45B7359174EFECFDC960940D33C2B402EDF23BAC5F1
                              SHA-512:DAF33479C51A5245A5234696B9C83FA86B20705A44CDF3437845965B412F1D9E5302350628E6C0E69D57AE18AD82A45150CA90D30D4FCA1C08403A261F36C1F0
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1320
                              Entropy (8bit):4.943842646068394
                              Encrypted:false
                              SSDEEP:24:p/o2e8Gyl8PvyZ4ylKH5M+Z4y76Z7d8+Z4yqjg0cjmIhKcCEF4ww/gBX0FCUK:22e878PvyZ7OM+Z75+Z70gfmIQcCY4f4
                              MD5:0C780F1BC8C92E3FFA9008D43E285166
                              SHA1:D93B23C2EC766AE445ACEACBF52AD3A891FC4EE4
                              SHA-256:63EF0EC58FBED32D662DAD2F2F052D972E42D7AF3AA53444993BC17545B042A2
                              SHA-512:674A531658EF3B8068D36C134700479F76F0CD0D4134AC59E95C7C784498AA21642E8DF3B5EF2E4EDB3C70118EA7DC1A3F1AE654FC9993117391A6E1D899215D
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="klondon".. buildFilter="".. company="Msft".. copyright="".. description="Microsoft-Windows-TerminalServices-ClientActiveXCore migration from downlevel OS".. displayName="Microsoft-Windows-TerminalServices-ClientActiveXCore settings".. estimatedSize="".. manifestVersion="1.0".. owners="klondon".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-ClientActiveXCore-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration xmlns="">.. <machineSpecific>.. <migXml>.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT","6.0.0.0")</condition>.. </detect>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):116752
                              Entropy (8bit):5.7745181201523
                              Encrypted:false
                              SSDEEP:3072:zv+I/CPvLsGo+CclTHeJZuHRY6IV+2uDPwS3RrosQgaco:zv+IqPvloJUeJZuHRaVK9rosQg
                              MD5:024EA4C6BDA8D0CB5B702BD89AA38980
                              SHA1:DD736C242FCD70420A0959C2C59299A0F8CD7CE0
                              SHA-256:6BE297F702D6C2FD1ECCD30BA894BF532B53BE90465DCCBFEE1CD3103CD93231
                              SHA-512:1606AD007CE19DFEC0BF6E0D4F5A67FE1C4B472D26B12B6B390B8717462E95913A38FD33237BCBCBE7264B7223B9DDFC1A2638542F2AA97C289BEB33D5D4F73A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):139064
                              Entropy (8bit):5.8534157549434624
                              Encrypted:false
                              SSDEEP:3072:pKLMX0oTtA98xvd7l7onGsT3F/2BXF9k/Kw0q+r9p3eFyzy8dB:pKLMX0aA+1UWF9Uj0qu/3rzN
                              MD5:9E8E033480BBD2A1EB365A7BB23D4956
                              SHA1:1193A8834C6960654150240A02BADA230373C890
                              SHA-256:7C38212D8B025B4B546AEF086CC2081E297258747D96DDB59EFFBF6F9AACF429
                              SHA-512:CB2C24A36BAABB6312419533F524F0E76DB0EC035A89009918852DDA687DF2ED9730325E5C12ACA498F7C79F4AC2273C9D379AB0A756730E58FEC2E0C00FA633
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):157200
                              Entropy (8bit):5.942841683090452
                              Encrypted:false
                              SSDEEP:3072:XQ93Bdc5VOKIB+QqIWax73LvI1Cq3knrM4isKaQuV8clqb+E/etzZbyx4QVCO62D:gVOVLIB+Dtus3BastetzNU7AvN/S
                              MD5:D675C63ADB772D7018A9EB53E0FB88E7
                              SHA1:8C31E8C89DFCB57F5AB5C2D337A542270934FBFD
                              SHA-256:47162B08C46E6A90E8FE6FD1B80C4DE5A39CAF25F93EA9822F90AF692A85443D
                              SHA-512:2A901F68D83FB3D9ABDA2BCFDFCD23C1C3B7B2F86C7D135CAE646074ECAEA2C45EE6A28678273FEB3ED125CA7FC8789A733BE9531F95E361D652A729B3691EF3
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):112440
                              Entropy (8bit):5.919341682354492
                              Encrypted:false
                              SSDEEP:3072:2QrYJxw24GSa7eIJVXjiKL4gaS+QGLNZ1akYb+9Piz2uQnsE:2gOFpzU8GLNZ1a986XC
                              MD5:75375D647FEF71D4213062BB7EC1B16F
                              SHA1:235D21D148EB6E0003A4948E76E68D1AFEF9C21A
                              SHA-256:7C4F92F0BABDCBB8CF08307D1383D7BBDFF50880611CB9AFCDC7B455BA0D21DC
                              SHA-512:0DEAC7FC649DB5F65C25DCFE55586B893D8BFB0D17942965707DDA1D143FD9DC7155BC1A1004B4A76438D219EFEC9BAD6EA38173BBEA257A0C403BC541DA9363
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):199688
                              Entropy (8bit):5.928199815458346
                              Encrypted:false
                              SSDEEP:3072:v+8atJGDM8MZIyjoMlpzj+Ue8jnFhGvCnWuEEMu71SG6ySocW6ET1na9Y:GvtqM9ZIyjowpv+4FogEEz71SDU4Y
                              MD5:9FAE69E42C953271F2817710E1A1911A
                              SHA1:46B0D160DF115D168E9DF86205419B21C01D8634
                              SHA-256:26082FF1313FEFDD897C7E8D739B0E193B438A3D0D9C4EB81A14C490C3968104
                              SHA-512:2FD4C41939225FE572FD64B3153E374B534FF154BB520BCEAA8B9CAEF54D7B99C2C3B542F3BBA913C1088047AE57751386DAC16CDBCA8EBEF762F0F4F65980A1
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):77624
                              Entropy (8bit):5.831857826082389
                              Encrypted:false
                              SSDEEP:1536:zXewMwwldDz39949F46wuMwK8hvs8fOrPLE:yfV+dE8hvs8fOrTE
                              MD5:E12E0CC3712C111A39E1E2CEAD7E5043
                              SHA1:D7C70EFF5B32C022168DDEBC5AB78301F35BEDF5
                              SHA-256:C18AD335238272518BEEC550050F9F5466BA1B8D8A7E9DEE99B5F533D0D0E02D
                              SHA-512:B30790C9E71815DA6331C83802F4305745E273DD4E9290685D3ABE09981BC4CBAB0E3A029B1AF68813BE35ABCDFF4E3408343AFA5DBC1345DA21503BEDF663EB
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):154624
                              Entropy (8bit):6.087264983507474
                              Encrypted:false
                              SSDEEP:3072:MQcE8LJB/HUg4UNrC7BwCCV7gjMI7BydaVAOt+sGkn8AzN7N:t8Lz0g4tBwCW7IMI9yU1zN
                              MD5:07534E1E44293331DD7A4A018D036DF0
                              SHA1:64C2F4197A9A9BF8D152D79303C309E2FAFE4922
                              SHA-256:01B41BC424A1D4EF2001731C5FBC9302C8B9D95EA5F98F0FA83AC07E41CF8AB3
                              SHA-512:7FBBFE1231AFCA50E1E5F0614885B9DA7FCCFF7721B2B27134D1058ED1473FDFA4ED2E75FF2866399B3E289E37587B14605C6C85D3CB3964F2042816F433AEBF
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2591
                              Entropy (8bit):5.2176675526349365
                              Encrypted:false
                              SSDEEP:48:22e8SFAJ8PvMu0AJhH7PvJ8+9gUKKlpAbMUIgXuss6S26vJwSuNwso0IlNJvf/:22C88PvMu0AXPvJPblp4kuSFRwSAVoX7
                              MD5:4A0A5243DC557CE9A52E866C7100911D
                              SHA1:D692C003FCE3DD50620391E28363A236EF8505F1
                              SHA-256:43B9C2FA276484F8CBC5C1F75EE305830E9AC25DB1BC4DEC3847A0E5A50A369D
                              SHA-512:34EDE2CF29A967812B4EE7CDC94F7DF5DF941BCE53DEB28BC5347979DC7872A09F5880C97E44799C0A12EC5033CF5F8368DACEE6327073B535A0DDD842369A05
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="joecast; danstrut".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-16T14:43:17.4178581-07:00".. description="Downlevel manifest for Windows Address book migration of WAB files".. displayName="Windows Address Book Downlevel Manifest".. lastUpdateTimeStamp="2004-10-12T18:25:46.3522392-07:00".. manifestVersion="1.0".. owners="joecast".. supportInformation="".. testers="kfour".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-WAB-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Up
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4869
                              Entropy (8bit):5.134290638334355
                              Encrypted:false
                              SSDEEP:96:tM7238PvMu0WrPvJ2r86e4UbQFj1bOe4UbQFj1JrNe4U3:tUU6TkITzUTzUBrUz3
                              MD5:B9FA2535E99BFA47F4E727760F130998
                              SHA1:4BF1B238BBD4280B0CEC2C2CCB7B487F80A70B70
                              SHA-256:BF11A9D8F5B20D26CD5C6476FA3267B8ADD6674C00717877D06EBFB3FBD58E7A
                              SHA-512:13EC6B0672E5B9ED2753F04D8B888753998A7F9B66BB6F98D3CC85640C769DEF942D7066A596A721B8288C6C372019D8CBCD741089047260F10DE7C3E51F7851
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... Downlevel manifest for component Microsoft-Windows-WCFCoreComp --><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="wdong".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-07-27T12:29:38.8364502Z".. description="Windows Communication Foundation Downlevel".. displayName="Windows Communication Foundation Downlevel".. lastUpdateTimeStamp="2006-07-27T12:29:38.8364502Z".. manifestVersion="1.0".. owners="".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-WCFCoreComp-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionSc
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):205824
                              Entropy (8bit):6.073768162557206
                              Encrypted:false
                              SSDEEP:3072:a66G+x5ZGY1oXGPiNRXwree+PcxVeaNQbmORfCR6x2fx2R6X7:a66G8HExwombORX2M6
                              MD5:7DFAE97E3C0639F6C759B269F9A8AA02
                              SHA1:3C95B55CA4FF7E265568AE0E47D569B610E7F5B9
                              SHA-256:0EB133CA5B08AF400B69605253DCE9C3914060AED3252FD884055B9C29C5D032
                              SHA-512:D1D8A7BB1A217A266E2FB1EFEC82A51519FA3A0996F6F6EDB674F5C16D562A043BFF2ADEE5738D1AC93BB88AA9ED6AA8637328EB41AC16A3327FFF40D1CEA298
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):682296
                              Entropy (8bit):4.366392389874569
                              Encrypted:false
                              SSDEEP:6144:Ntg1WNaOUtrAwUqHWYv3hOdXUbGkFp4ge1lu5h:Ntg1WNaOUhWYpoEB4gB5h
                              MD5:E3AE28FD1DB4E5CF02D246EEB8CE80D0
                              SHA1:84124DFA28E50624CD23C0514ADF4350A7845043
                              SHA-256:87AA6B8DA0CA4940E06124F9A10F9E71B82E5D8D97727E4893D5E7BDA4B3E00C
                              SHA-512:81A35B08E4910B082B3CD83A0007EF24AF789679E1DD835BD57C74A87BEAB6C02C22233A317AD304027716576E664E84505D99B3CEDEAA5DEB51E7DF8CC11ED5
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1806
                              Entropy (8bit):5.065069248575996
                              Encrypted:false
                              SSDEEP:48:22e8a8PvMu0w+5nC+FwgftIh0M2XITFB/WJmgtiv2b/:22G8PvMu0w+J1FRIyX2JaB
                              MD5:B8735A197BBFC18CE64D7BE6B5D436E5
                              SHA1:858CFC549CE7D724CAA6A929F579224EA1764A0B
                              SHA-256:29AE5F4E0597F8A8CC38FAE1C3B8AFFB8472E4C3DD80DB567D5DC8546A745056
                              SHA-512:B8122BC1495F47789253B3B426AA358D138B73B30CADCBB9F4C51BBFAD6EF079E5ACCF1C50BEEBDFAD1646C96F197EEDFB562B356FF5FCCB5EB5DBE78DDD6598
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="johnfran".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-02-15T20:15:23.9993750-07:00".. description="Downlevel manifest for migration of OLE ComBase Keys".. displayName="Downlevel manifest for OLE".. estimatedSize="".. lastUpdateTimeStamp="2006-02-15T20:15:23.9993750-07:00".. manifestVersion="1.0".. owners="johnfran".. supportInformation="".. testers="stb".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-COM-Base-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. Check as this manifest is only valid for down level OS < Windows Vista -->.. <detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2383
                              Entropy (8bit):5.107091021115019
                              Encrypted:false
                              SSDEEP:48:22e8a8PvMu0t5F5YuC+FYgftdMrdFhAIgSf6fKE/eYJJmgV9ewlIg6eYJJuv2b/:22G8PvMu0tb5H1FpSFSeoKa1yAI1P
                              MD5:FAAF9C57CB44BE02EDE1E8FEE86C9890
                              SHA1:6A28E752C2146C591AFA8F480D03C6F5546B93AA
                              SHA-256:B91980327461903621852D3504940B339EF24D4449651061DA613649BF19385B
                              SHA-512:CD93B37F03A7C82F8FBA4CC4CD041682E6326E239D36CE8D9B5A0D221BEF1F9132FC01667619ED75295F2EB088A11E092CF33F8CCB8673D74F03C14BD50151FD
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="johnfran".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-08T23:15:23.9993750-07:00".. description="Downlevel manifest for COM+ Services".. displayName="COM+ Downlevel Manifest".. estimatedSize="".. lastUpdateTimeStamp="2003-07-08T23:15:23.9993750-07:00".. manifestVersion="1.0".. owners="johnfran".. supportInformation="".. testers="stb".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-COM-ComPlus-Setup-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade">.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.*")</condition>.. </dete
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1697
                              Entropy (8bit):5.197793509149113
                              Encrypted:false
                              SSDEEP:48:22e8M8PvMu0X0cOpfPvJ8+bgUKx4W+Eo3MNX:22I8PvMu0kcQfPvJPwbF
                              MD5:E09D02846ED62AED53A788457D4161FA
                              SHA1:618B564D9C378281403D3990AD464E4D38974532
                              SHA-256:A827BA5D3A37A845D624CE735E9DF6D1ADA640A3A18BD475A4ED5BCD9E582361
                              SHA-512:F5814ED64FB54CC603ED516725A93B7EBB7770B56FBA8F9368E010C48988128CDAA7D0384B7D559739460E18F69241A292316E52461BAE726B96CDB155FD7799
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="SanjibS".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-06-16T16:37:03.6090709-07:00".. description="Downleve manifest for MSMQ DCOM Proxy component".. displayName="Downleve manifest for MSMQ DCOM Proxy component".. lastUpdateTimeStamp="2006-06-12T23:01:42.1450255-08:00".. manifestVersion="1.0".. owners="MikeDice;AnandRaj".. supportInformation="".. testers="AshishW".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-msmq-DCOM-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <regis
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1546
                              Entropy (8bit):5.242300924860252
                              Encrypted:false
                              SSDEEP:48:22e8t8PvMu0T0XNyfPvJ2j+y0gUKxwoSMNX:22p8PvMu0wXkfPvJ2qUVd
                              MD5:483258D6AE166303C9267FA7EEEA3B9A
                              SHA1:F3D1B9A178C5F1C86197D13011AA7B91CDEB6110
                              SHA-256:5007816FB022A385E71A70410BA3BB8356AAE6D1AE61DD0F6257B4E82BE733C6
                              SHA-512:A15B6FC7A32AA07B722AB287DC20749D887EC843287EFF93AE361A6A32EC8DBF0C3EB839433F6C6C4C93BA7224BFFD33E97D86C726DB7B87C6433977789009DA
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="mikedice".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-21T16:37:03.6090709-07:00".. description="Downlevel manifest for MSMQ active directory integration".. displayName="Downlevel manifest for MSMQ active directory integration".. lastUpdateTimeStamp="2004-11-11T23:01:42.1450255-08:00".. manifestVersion="1.0".. owners="MikeDice;AnandRaj".. supportInformation="".. testers="AshishW".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-msmq-domain-ic-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2282
                              Entropy (8bit):5.142213420386685
                              Encrypted:false
                              SSDEEP:48:22e8t8PvMu0T09zyfPvJ2j+ugUKxooAbVXM+fG9BFMKIgNJuX:22p8PvMu0w9mfPvJ2qzsVFfuLdQ
                              MD5:AC25FF58CF8CA863905AF0E4B4A80180
                              SHA1:570D7724B44EE3AC52E302D06B1EF5CC2346BA70
                              SHA-256:C6FBE0278F8221794E56AAFE83F046CAADD28736030C2D6C42F9C7318E94EEA7
                              SHA-512:AC55C4798D1EA96D8FCDC019E47E861884B2911F589084239F0B3543A7D2B2A8981CAAB8448DC5878A755586247A9CE2B500A306B19ACB4C4DC248ECB266CFDA
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="mikedice".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-21T16:37:03.6090709-07:00".. description="Downleve manifest for MSMQ HTTP component".. displayName="Downleve manifest for MSMQ HTTP component".. lastUpdateTimeStamp="2004-11-11T23:01:42.1450255-08:00".. manifestVersion="1.0".. owners="MikeDice;AnandRaj".. supportInformation="".. testers="AshishW".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-msmq-http-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <regis
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6789
                              Entropy (8bit):5.057482305430431
                              Encrypted:false
                              SSDEEP:96:22p8PvMu0wxIfPvJ2qlgLfmZ2SkDDJfW1JruJYJTBJPcJGJqM+Nkv79fAfcfUGgu:CUsxOk6cmZ2VWBu6XegEBfu
                              MD5:BBA831796BDD75370C0476FB05C6217D
                              SHA1:89C3F0A6A9652746D5D5DCBBB5C093C290BB6B22
                              SHA-256:A8DE253069DCB5356CB4A135C494AC6263D5FC88DCF14C1E07F17475FEF3A27A
                              SHA-512:745F2F7654D1EF580C0FB5B52950189FD87E23C0025D1CE7066A37731FE95220A5B097E619FB3F6CF1ECEAF5DC29DE1E8C33BA9166414663A39183954486C0DF
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="mikedice".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-21T16:37:03.6090709-07:00".. description="Downlevel manifest for MSMQ core messaging.".. displayName="Downlevel manifest for MSMQ core messaging".. lastUpdateTimeStamp="2004-11-11T23:01:42.1450255-08:00".. manifestVersion="1.0".. owners="MikeDice;AnandRaj".. supportInformation="".. testers="AshishW".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-msmq-messagingcoreservice-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <mig
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1544
                              Entropy (8bit):5.218868531722297
                              Encrypted:false
                              SSDEEP:48:22e8M8PvMu0n00c0OpfPvJ8+t4DgUKx3okMNX:22I8PvMu00BJfPvJPthYv
                              MD5:1F73EB5D4B6E8A35D0B05975CE2D4AAF
                              SHA1:E5317F4044DEEB54403362FAA4592BCCBD5D21A8
                              SHA-256:0D44074D400FFE8A607E6E0F3E5DA1987710A5C8C8E1DBA4197765AE611FFF42
                              SHA-512:96190128221E5DE219D1C902AD5D5ADC671EFCF598C2C60C2D57CE82BC9AF5759F22FDB548291BF897A767484F6E2FF781D406BFC0EFB8C838FB3B4772255535
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="SanjibS".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-05-04T16:37:03.6090709-07:00".. description="Downleve manifest for MSMQ Multicast component".. displayName="Downleve manifest for MSMQ Multicast component".. lastUpdateTimeStamp="2006-05-04T23:01:42.1450255-08:00".. manifestVersion="1.0".. owners="MikeDice;AnandRaj".. supportInformation="".. testers="AshishW".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-msmq-multicast-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <re
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1451
                              Entropy (8bit):5.241414222981417
                              Encrypted:false
                              SSDEEP:24:p/o2e8GA8PvMu02A0TjP7pgxFFPvJ2YS+4Tg0Lmj3ByFsAtXMPFhUK:22e8t8PvMu0T0TjTpyfPvJ2j+mgUKxyK
                              MD5:4F57A0AADB408D9A5CC580F0F05FF754
                              SHA1:BDB4030EE966C64F8E1784EDC9ADA423DAB33585
                              SHA-256:B820C80ABCA87AA09EB49BC84A328235085A3E09C40ECF4ED2C9BC15DE6D4D26
                              SHA-512:21C3958549126407ED66AE3FDD694F6511189353BB136DE934AA82E321839CB28BC04DBF1E768A011A1DD123E4442D4D9834E36184F235082E47590A8982DC0E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="mikedice".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-21T16:37:03.6090709-07:00".. description="Downlevel manifest for MSMQ routing component".. displayName="Downlevel manifest for MSMQ routing component".. lastUpdateTimeStamp="2004-11-11T23:01:42.1450255-08:00".. manifestVersion="1.0".. owners="MikeDice;AnandRaj".. supportInformation="".. testers="AshishW".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-msmq-routing-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1749
                              Entropy (8bit):5.199455904594263
                              Encrypted:false
                              SSDEEP:48:22e8t8PvMu0T0KMyfPvJ2j+P/gUKxRkbo2MKIgffJuX:22p8PvMu0wKNfPvJ2qsasuRhQ
                              MD5:B8069FD011CBF122B2371B0DE1FFEE50
                              SHA1:444B13413C66AEA6CE31A5480FB1FCFAF354B4C4
                              SHA-256:B3963F614BCD03CEAA8E1E9FD9D06423BA367B81650C9A9F0A89AB305D8402EE
                              SHA-512:0E83B4CB0C01185857843A1566D5ED81E25358EB7B51878F4649FCDBB0AC55FE9EE980D6632416090B0544282F78DCFC5E993750D7E416AFAABC8A9024786E84
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="mikedice".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-21T16:37:03.6090709-07:00".. description="Downlevel manifest for MSMQ triggers component".. displayName="Downlevel manifest for MSMQ triggers component".. lastUpdateTimeStamp="2004-11-11T23:01:42.1450255-08:00".. manifestVersion="1.0".. owners="MikeDice;AnandRaj".. supportInformation="".. testers="AshishW".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-msmq-triggers-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migratio
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1533
                              Entropy (8bit):5.000778441902031
                              Encrypted:false
                              SSDEEP:24:p/o2e8Gb8PvMuDkD2r7CWZR+Fg0cjoySzc1OcqEdwwODlBAZXxFCUK:22e8e8PvMuDkDS7CWv+FgfoBzTcqowD9
                              MD5:F055853ECECBAEC25D9E6046C3C20FA8
                              SHA1:DEC15186A201B8C0968CAD9C1D05D31CD83BED8A
                              SHA-256:9A7D1AF4E60F0C27ED89C7F3F44193C1B12D6CE5DE6E176A3AC38AB592D1FEC4
                              SHA-512:E99ADD43BC7A9FC2E3BDED2912A497611CFFFD93F19B763492D4F1D5DAB86069C3FC8FD8C2005F3CF19735E2DF62D0012280971D05D5FA707502ED8E8A9EB80B
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="dfsdev".. buildFilter="".. company="Microsoft Corp".. copyright="Microsoft".. creationTimeStamp="2003-07-24T13:56:28.257695-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2005-05-09T18:53:42.942604Z".. manifestVersion="1.0".. owners="dfsdev".. supportInformation="dfsdev".. testers="dfsntest".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Mup-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. Begin migration to Vista from non-Vista Client OS -->.. <machineSpecific>.. <migXml xmlns="">.. Ruleset for migrating Windows XP or Win2K3-->.. <de
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1215
                              Entropy (8bit):5.127866153568117
                              Encrypted:false
                              SSDEEP:24:p/VLnKg0cj3NmZNSTQ8ys0W2FPaPsHSJ0cYcPtYcPMPFhUK:2gfdISTgs1r4cYCYqMNX
                              MD5:4FF4C2B9D91532AC0697C43DEFDDDFBB
                              SHA1:9EC8588ACDF1F5650DF34AE2312339DB4F347AA1
                              SHA-256:E59C29D3DBEDE2B71281C62D1E69F6B9990531037BFCACD015BB5D579901372E
                              SHA-512:F5F87D3E88A642314FFB8ADC1E33D669C1334619297FCC19DC5939BB9EF5125133C68397592FF564F01891CAC786107B910BD0163C2221718866A023FF1FED07
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="NetFx-WCF-HTTP-Activation-45-DL".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. Declare for which Longhorn equivalent OC this manifest corresponds too -->.. <registerSDF name="WCF-HTTP-Activation45"/>.. <migXml xmlns="">.. On a down-level system, we detect the presence of WWW by -->.. looking for the W3SVC service. We base this on the -->.. registry key for the service declaration. -->.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\System\CurrentControlSet\Services\W3SVC [ImagePath]")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full [Install]")</condition>.. <condition>M
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1621
                              Entropy (8bit):5.0668827871801225
                              Encrypted:false
                              SSDEEP:24:p/VFPvRP+og0Ldej3BK8UENgwOuNwOuzlElJXkgwOuNwOuzlElz9e+teMMPFhUK:NPv5gUUx4IgiLlJ0giLlxxbMNX
                              MD5:F69389CCD764E21156E07A34A2A08E80
                              SHA1:390CBD181D9ADCC87A433933B4E2884500BBB71A
                              SHA-256:3B33F16B61F96AD651A85995F12FBEA6F1CDFEA812DE177E8D4067783AF04AB0
                              SHA-512:A8A41DBA4DE639C4BC09396BBC5ACEDCBB92BF4AE2ECCEB2B49DE84972EF3401A80DCCD86873ABB85FD39B1AA8154F4CD3B025D4375B6264CE447A8F148BBB96
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildFilter="".. language="*".. name="NetFx-WCF-MsmqActivation-Registration-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <registerSDF name="WCF-MSMQ-Activation45"/>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetMsmqActivator [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetMsmqActivator [FailureActions]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.SourcePriority()">.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetMsmqActivator [Start]</pattern>.. <p
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1627
                              Entropy (8bit):5.0352095111624475
                              Encrypted:false
                              SSDEEP:24:p/VFPvRPtqog0Ldej3BEh8UENgwOHoNwOHozlElJXkgwOHoNwOHozlElz9e+teMK:NPvXDgUUxEZIg9i9LlJ0g9i9LlxxbMtX
                              MD5:889C8B050978AEAF42EF3AE4AFC521C0
                              SHA1:ECCCB13E3C354696E5C2FD66E76312C42A473B34
                              SHA-256:A78857813719BFF7DAF94F1A72687B25281792E0FA012BBC94ED227B763EF8FD
                              SHA-512:6B280B752872E64BBD7890329E72638839835C02561547E8143F1F399DC2E40245DE9D22D8AC66C658F35FC837892B3B71363C6F6919DFCC4318FA3F30EBAD19
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildFilter="".. language="*".. name="NetFx-WCF-PipeActivation-Registration-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <registerSDF name="WCF-Pipe-Activation45"/>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetPipeActivator [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetPipeActivator [FailureActions]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.SourcePriority()">.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetPipeActivator [Start]</pattern>.. <p
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1615
                              Entropy (8bit):5.0529548846032135
                              Encrypted:false
                              SSDEEP:24:p/VFPvRPDog0Ldej3B38UENgwO2GhNwO2GhzlElJXkgwO2GhNwO2GhzlElz9e+t+:NPvqgUUxLIg3f38lJ0g3f38lxxbMNX
                              MD5:A00D47E7E645A12E216197EF9F437C05
                              SHA1:83A196243EB7E141EE83823DF0DBFE8AF3A12C53
                              SHA-256:B8E87760E619A86865D3FDC58474D6D4DCE451E632095DC277260CD41999787F
                              SHA-512:328DBC57E37E315DF33739477A410D9181DC2D56B7802C52DE5A26D05508042D9A3A78F396E0A79C2CF57FB232350CAB48A2DD34A8BE520427053192640BB4E3
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildFilter="".. language="*".. name="NetFx-WCF-TcpActivation-Registration-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <registerSDF name="WCF-TCP-Activation45"/>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetTcpActivator [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetTcpActivator [FailureActions]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.SourcePriority()">.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetTcpActivator [Start]</pattern>.. <patter
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1151
                              Entropy (8bit):4.890674394881669
                              Encrypted:false
                              SSDEEP:24:p/VFPvRPzg0Ldej3TENgwO2ejpwO2eelJXkgwO2ejpwO2eelziFhUK:NPv5gUUjIgfjpfelJ0gfjpfelQX
                              MD5:22540298959CA799D65E75A668F02FD0
                              SHA1:E1DB6A81FEA1B36ADB5ED7F3CFC4B28D4C9F2F0A
                              SHA-256:843C1402FF9BA0691EDE98396E4EB1A7B77FB7202688BE3886265D2A62C68F73
                              SHA-512:C2EDE8025717CCF56AEF2EE4D40C1C435653654FB6A24F7187554F55BC625BC1C7F027ACEC4309A36F83E0AA53BA4D81D07B387EF938F274AB9DA5176C167C51
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildFilter="".. language="*".. name="NetFx-WCF-TcpPortSharing-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetTcpPortSharing [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetTcpPortSharing [FailureActions]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.SourcePriority()">.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\NetTcpPortSharing [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Servic
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (466), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1423
                              Entropy (8bit):5.428999232146735
                              Encrypted:false
                              SSDEEP:24:2dcB5og8+KbuTnfWJfd6KbMAVHujsgPrYREVw/0Gt02cKMPFhUK:ccMg8lbuqtFHysgPrkES/5blMNX
                              MD5:A8B6BF1E6E2CF9AE522B0C4AED649310
                              SHA1:6977C06943BDB529DE9DFDDB07A548D84B87ECC0
                              SHA-256:4BC6DA7F42466AF8EA273AB4E2E566AF639DE2851F8050DF2652B1A1D6BF573E
                              SHA-512:068A0A3B4C72FB1822B36F9EE2FAE8D61573D218E2158B54EC26C40C2D9D79B17A76A726DD308C8BEF8531ACE855DF6A7B10DACFA68C9F67C508ED9726C23C39
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="utf-8"?>.... Downlevel manifest for enabling OC NetFX3 -->..<assembly xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" manifestVersion="1.0" description=".NET Framework 3.0 Downlevel" displayName=".NET Framework 3.0 Downlevel" company="Microsoft" copyright="" supportInformation="" creationTimeStamp="2007-11-14T12:05:23.8364502Z" lastUpdateTimeStamp="2007-11-14T12:05:23.8364502Z" authors="dglick" owners="" testers="" buildFilter="" xmlns="urn:schemas-microsoft-com:asm.v3">.. <assemblyIdentity name="NetFX3-DL" version="0.0.0.0" processorArchitecture="*" language="*" type="" publicKeyToken="$(Build.WindowsPublicKeyToken)" buildType="$(build.buildType)" versionScope="nonSxS" buildFilter=""/>.. <migration>.. <registerSDF name="NetFx3"></registerSDF>.... <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry","HKLM\SOFTWARE\Microsoft\NET Frame
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1550
                              Entropy (8bit):5.120052092412143
                              Encrypted:false
                              SSDEEP:24:p/f32e8GFFPvRQg0Ldej3cIhpWcCEFwM3Mxwunwu9BX0F/RUK:t32e8WPvWgUUMI/WcCYwM3Mx9nB2/H
                              MD5:4B43CDBB3DDF5595BCCFFD6ED2187B41
                              SHA1:CC4243F7F902C2C4082785CBF71D47AA75C39FD3
                              SHA-256:5A4D0805E6EA159C6707E8778F517F68F58C0ED8B4840CFB3D1AA74E77A1E099
                              SHA-512:39970A381E5116BBD25316ACF93B8BEC1FCB04990EC764238AEF95DDE5FD69972031DF8E889B9EF8EAE76E3F58A4B323720D0E7ED9CD791BB5CD7F7B53CF83AB
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... Downlevel manifest for component NetFx4-WCF-CLIENT --><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="phenning".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildFilter="".. language="*".. name="NETFX4-WCF-CLIENT-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <machineSpecific>.. <migXml>.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\Microsoft.NET\Framework\v4.0.30319 [SMSvcHost.exe.co
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1466
                              Entropy (8bit):5.1118142179916015
                              Encrypted:false
                              SSDEEP:24:p/ft2e8GFFPvR+g0Ldej3cIhpWcCEFwMZmInMnmInwuiBX0F/RUK:tt2e8WPvYgUUMI/WcCYwMZmuMnmuwB2f
                              MD5:14C747AFF9E92C522BE62AA0ED548B45
                              SHA1:5C98043BAF6445641D5074345C3D33FC4B257127
                              SHA-256:6FDC92D37CAE3E239F1FB69D597B0B6ADEAB23C78CEAD05A19DB41452065D1A7
                              SHA-512:0C8BD6BB3E11A1120278D374CADE865BDC65689766E9380599E94E6E7B10649B11F66988EB99DCA11EAC716E54F3C5A083D5E29DD87D9834EFC46AFD66F57AC3
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... Downlevel manifest for component NetFx4-WCF-EXTENDED --><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="phenning".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildFilter="".. language="*".. name="NETFX4-WCF-EXTENDED-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <machineSpecific>.. <migXml>.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\Microsoft.NET\Framework\v4.0.30319 [Microsoft.Wo
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):15848
                              Entropy (8bit):5.327585154015275
                              Encrypted:false
                              SSDEEP:96:2248PvMu0bbRNPvJ2J4+K1r6gtSVqL/LATKVz0qLUob5k/l+antnJFhFBxG02I4t:JUfbR9kJ4+uCEuGytg7xobiuD6TPF
                              MD5:80C7831BFBE366178D2816EE04866C7F
                              SHA1:A47375FA43FF88B6A755E906F340905F966B973A
                              SHA-256:54B5C89B7786384EC24D8561E9029FF850ADAF96147EA62E61D3EA15565F3341
                              SHA-512:0421D2AA097C3BBB7E601A17B2480D7C8357B6593C9A062E06C28B49F6171A151DA37C2C58789184DC804646AF9B788AC3C0FB85A3F90830A45D8FAF51A98760
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="wewu".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2011-04-20T15:53:55.2793307Z".. description=".NET Framework 45 component".. displayName=".NET Framework 45 NETFX4CLIENTCoreComp".. lastUpdateTimeStamp="2011-04-20T15:53:55.2793307Z".. manifestVersion="1.0".. owners="".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="NETFX4CLIENTCoreComp-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <machineSpecific>.. <migXml>.. <detect
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2053
                              Entropy (8bit):5.051781160490076
                              Encrypted:false
                              SSDEEP:48:22e8s8Pv8382PvJ8+VagUKMccCY4WimkodM/MjMfB2A:2248Pv83fPvJPA0Vb
                              MD5:CF518EDE4A6151C43E575107B87A3F1F
                              SHA1:A027D6DB694B59B14A73DD09B66CB2D482DF9959
                              SHA-256:863E08F20B049A1D0436D9F9E1B925894F10BF12D8A42D9F30C7E6279D307A3C
                              SHA-512:3E4C3F29776F0EAEC4F94ACAE2B6A5190DB7B2AA0B463823D53D9CE389CCE1AEE65BB2903484CAAABC7C66B6FC6754642F75B0CFB91B77948FEC5E7EB269C7F0
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="noskov".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2003-07-31T16:53:06.3611682-07:00".. description="Downlevel manifest for netlogon".. displayName="Downlevel manifest for netlogon".. lastUpdateTimeStamp="2003-07-31T16:53:06.3611682-07:00".. manifestVersion="1.0".. owners="noskov".. supportInformation="".. testers="divyan".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Security-Netlogon-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):117048
                              Entropy (8bit):5.949553683116865
                              Encrypted:false
                              SSDEEP:3072:YysQCJypn59E5j06aANws+VVR7rioCHrTDoWb:YysQCJyD9E5jfdeRS5Hrj
                              MD5:985A491A75205A6E663662DFBC5B55FD
                              SHA1:0F39379328D8B500CF48E947108A51038EC19110
                              SHA-256:E978FD1C4C5AEA260A740D79C34292D40FA9F322A6096D61F18EAF23796E4247
                              SHA-512:3012A6CB06258D6EEEFBD2F3DC5C6C77E4A15FD65E66DAF8CB1797320CF48F534F37816ED24B4F6AD0406A8953AE98A51FC08EE71C2D1E6B583548D0F7B8E0D2
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2637
                              Entropy (8bit):5.066829235545201
                              Encrypted:false
                              SSDEEP:48:22e8I8PvMuCD3BS7cftPvJ2j+mgUKBecKzastYmfGhpAmymWKqGB2i:22s8PvMuCD3BSoftPvJ2qpKz1oh1X
                              MD5:288D02D4C48B0C199002EC0C17787421
                              SHA1:3C62EF141BFCE8A8494020BD1B976642C3505E2F
                              SHA-256:CE0F07408E7661785C0CA529F737F03A61168D817A2A65A154902265817A7D0B
                              SHA-512:29E0041CE5859767627773ED4552D7ED2847C17C6472E35C0BEA48D6D2FF94248E02871F8EB0EDFEB2B6D1FCA2659764F54230E08510E23E2A210804E8350A19
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="ntfsdev".. buildFilter="".. company="Microsoft".. copyright="Microsoft Corporation 2006".. creationTimeStamp="2006-03-13T10:22:45.7383532-08:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2006-03-13T10:22:45.7383532-08:00".. manifestVersion="1.0".. owners="ntfsdev".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-NTFS-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. Begin migration to Vis
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8035
                              Entropy (8bit):4.770087963266978
                              Encrypted:false
                              SSDEEP:48:22e8c+fgSSMKIgnpldvzETkZULLAAJmgiLaRkvKr155L1EQuasOV8m57oLl7lz/b:22rap/YFUJ
                              MD5:1E75A87D293C2F47CF40D532DEA66319
                              SHA1:1C53AAB4A7AA53AD7AE2C553609C8EA2FA4CF8CF
                              SHA-256:2461E94C360C00B4A6AF0B0D54AFDB522FAC4396A782DA0AB06F86760B8658AA
                              SHA-512:76A973D34085747489D8F6B846974106E09416035F6D3C5CA2C050BD3CBE8C8CF59F4450D38D8B1A8C02491D534D9D98159EF0B2E81C3F15A74C6D8325F5E08D
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-OS-Kernel-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT","6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\Session Manager\ [CriticalSectionTimeout]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\Session Manager\ [HeapSegmentReserve]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Contro
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4820
                              Entropy (8bit):5.171367017147307
                              Encrypted:false
                              SSDEEP:96:22w8PvMuDqD1LtPvJPCx+LqWJ/KvdjTFaT5cPq:RUF1RjxcdHFseS
                              MD5:8B11362DE1D1F328045A3D9DD2FE6705
                              SHA1:65AA748C2B10D595B607EE726C588CFCC575B5FE
                              SHA-256:8F83D5B1F5190DCF37963DF1394BE05F4F8964CF365EF1E056CDC45327AEB226
                              SHA-512:6E1CD08012D2F58AB871905085F7BD17C4BD769D72A5504A8178E3AB420ED94197C49AB6BF6C4A685642EDB201112AD58F1EDFB77BD9ABC66510F265D79C73F6
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. buildFilter="".. company="Microsoft Corporation".. copyright="".. creationTimeStamp="2003-11-18T11:27:15.1013997-08:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2003-11-24T09:58:55.6473150-08:00".. manifestVersion="1.0".. supportInformation="http://support.microsoft.com".. >.. This is a downlevel manifest to simulate the manifest for WinXP and Srv03, which is not a componentization OS. -->.. This will only support the gather phrase, since USMT does not support migrate to WinXP or Srv03 -->.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Microsoft-Data-Access-Components-(M
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1045
                              Entropy (8bit):4.922352845408908
                              Encrypted:false
                              SSDEEP:24:JdtE2e8Zg+OjVg0LTwKstEF4wuFYBX0FCUK:3m2e8G+SVgUTxstY4XYB2A
                              MD5:A9766998455A2CD85B0EDAF48B90A9B1
                              SHA1:01984126AE4086841B0EF08C61957560DB4FCF5B
                              SHA-256:A496D1174D7E78D72D3811187A76A3A6ECA4FF7100EBC1FEE7F5EA1F651A36AD
                              SHA-512:E28C542210095B836D32F7D382F9C4A8DFE7B5628BAF8C5E0F41F8ED3DF3D8D3EA2F51693BAB3EA0949B5A87ADC3A7E19732429768C7DFCB91A89070F6D0CB60
                              Malicious:false
                              Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-PartitionManager-DL".. version="0.0.0.0".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. language="neutral".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\mountmgr [NoAutoMount]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </ma
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2598
                              Entropy (8bit):5.141713275318681
                              Encrypted:false
                              SSDEEP:48:22e8x8PvMu0OIJ9wcPvJ8+bgUUL0ZW2MKIgaKaWaFaea7atfjJ5Ig6bxJuvy/:2298PvMu05PzPvJP80guM/LYz+195IPN
                              MD5:51C79EF9598C8605BF429702A1594F6C
                              SHA1:E7508C3C6BB5BD7AB38AD5E7A3E35331E13E7D5B
                              SHA-256:F1C1B25278F649BC30D8F2AF1313D0896B867BEE00A7F51DFE2B06B24F83AC89
                              SHA-512:795ABA6DB5951ACD21341B49E905F98EED79F8C14DBAAFC3D9081BF73D9DFAF13DD844CF7E299CE7153F8D2E96E087A448A040A5E65838F3C32CE23F1492BB1C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="mingliu".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2004-09-25T00:07:41.4997793-07:00".. description="$(resourceString.description0)".. displayName="$(resourceString.displayName0)".. lastUpdateTimeStamp="2005-02-11T22:47:20.5251085-08:00".. manifestVersion="1.0".. owners="mingliu".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Printing-Spooler-Core-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns="".. scope="Upgrad
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2290
                              Entropy (8bit):5.007778130324483
                              Encrypted:false
                              SSDEEP:48:22e89B8PvMu0IM8ajPvJ8+LgUUL0ZW2MKIgaGyK/JJ5I4U50JJuvy/:22/8PvMu0INePvJPs0guMPa5pN
                              MD5:411E597A99D014E5CD83282C77C76EDA
                              SHA1:8092DBB2265615E2FEE9610F9E5ED2450504191E
                              SHA-256:153287FE36A5718812290DABDE6DA3513B9A7E6CBD7ABA7FCB9F2EFBD28E50E9
                              SHA-512:A168E0225673EE503286EE7727C052C4D93CDA2CFC64754F93B2484EEF945DA6FF0EE5FFBEDAD496C0AF09BEDBD5835BDC782F5623958F1DF2485A36E152DC69
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="cmuser".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-16T15:16:31.1697380-07:00".. description="$(resourceString.description10)".. displayName="$(resourceString.displayName9)".. lastUpdateTimeStamp="2005-02-14T00:02:35.0559845-08:00".. manifestVersion="1.0".. owners="cmuser".. supportInformation="".. testers="alanmo".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Printing-Spooler-Networkclient-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns=""..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3288
                              Entropy (8bit):5.210016438551802
                              Encrypted:false
                              SSDEEP:48:22e8P8Pv82ZQA+hgftDlddYM0Ig6X4XlueilueSlueJJbIgfXfFjXjFfuePfueNi:2278Pv82Ze0QII0smybRPBzM5hZQNVLA
                              MD5:961487081004406869929FF071D97A18
                              SHA1:344613265E56D1717FDC5D294B89D20199738098
                              SHA-256:E8511B3D5334B92203283766D66D7BD5EB2F8EC0D0703EB9866F6630E1BF1D98
                              SHA-512:79D53DF0CA62B5489D4E5949189017A7E6900D855BB8F947E8B68523F9308DD9C2EB377B371337DE348BEEAE1EE6D9D6CD5673FD0E92745658DE323AB84B4001
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="cagatayk".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2005-05-17T21:14:37.8714436Z".. description="".. displayName="".. lastUpdateTimeStamp="2005-05-27T01:56:13.2144305Z".. manifestVersion="1.0".. owners="cagatayk".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Rights-Management-Client-v1-API-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <detects>.. <detect>.. This manifest will apply to machines that has msdrm.dll-->.. <condition>MigXmlHelper.DoesObjectExist("File", "%windir%\system32\[msdrm.dll
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3265
                              Entropy (8bit):4.9976500307966685
                              Encrypted:false
                              SSDEEP:48:22e8P8Pv8qZQY+3gfpISTXt9OMCMu1qcDlkIgfoJTIgjNJmgjOCgjOCgjqCgj5iX:2278Pv8qZGm3T99tO1zlkRUTVfHqqWi
                              MD5:978E54DF0AB92DEA809518977ED9D7AC
                              SHA1:9A18D4C2B37B4331978C14A8B94611B21CC96E87
                              SHA-256:2380DC1BC92A402B7415701C460F5B94222476C4694C0D4877DB805886C43049
                              SHA-512:B0E83C2BF8AC90E68713C4EF2AB2E15CBB2077821EC7E5FAD8411FD57363F5267AE0D6FDB46E24024C517CA5B6EEB0B89A2996BC8B57CA2699261DD3FD8895C0
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="cagatayk".. buildFilter="".. company="MS".. copyright="".. creationTimeStamp="2006-05-25T21:14:37.8714436Z".. description="".. displayName="".. lastUpdateTimeStamp="2006-05-25T01:56:13.2144305Z".. manifestVersion="1.0".. owners="cagatayk".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Rights-Management-Services-Server-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration xmlns="">.. Declare for which Longhorn equivalent OC this manifest corresponds too -->.. <registerSDF name="RightsManagementServices"/>.. <migXml>.. This detects part will ensure RMS to be installed on LH if installed on win2k3 -->
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1682
                              Entropy (8bit):5.159935705760971
                              Encrypted:false
                              SSDEEP:48:22e8B8PvMu0wN2nmPvJ8+oUgUKKIh0MKITFB/f1MJuv2b/:22t8PvMu0wN0mPvJPoaI+2J2P
                              MD5:204F0F55EFB459560C0A7A2E9488448A
                              SHA1:E4AE2E7B11EE10957999D55D68F18357ED7576D9
                              SHA-256:3C9973A7BDA5882E5668D8148F08250605963B61DAB44331E6FED84741E2CC52
                              SHA-512:B85CFAB4C39C6A41371E6A7451A96B46580CBBDEEDE382A524C18941C09458586A15E6FC51FD64ED686DD8E46E3D33BF5046FBFA3B0BAAD5BCB242C06BBE5E02
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="tassb".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-02-15T20:15:23.9993750-07:00".. description="Downlevel manifest support for RPC over HTTP".. displayName="Downlevel manifest for RPC over HTTP".. estimatedSize="".. lastUpdateTimeStamp="2006-02-15T20:15:23.9993750-07:00".. manifestVersion="1.0".. owners="tassb".. supportInformation="".. testers="tassb".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-RPC-HTTP-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade,MigWiz
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1429
                              Entropy (8bit):5.111237712662662
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF8+o7g0Lmj36D5XFuoRK8f/MKENTFBwQfyJXMFv2dlJUK:22e8z8+o7gUKKtXh08f/MKITFB/fyJuS
                              MD5:1A40FD4F542CA04694F5BE986D6E0E9C
                              SHA1:E4CC518B491B611563766AA835146DB439C3522F
                              SHA-256:43E42E20A98C695B4529909EB24BF8F47618E04F61B8B3ECD9634EE23DC6B3D6
                              SHA-512:95FDFBD42E0F430E5D7E24FDE086B7464937206352EA69CAD87BB89E167CEDCA35B693F8F026719DE4F8AF04CD32EC98E79FBCA17C5689D294D182035652246C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-RPC-HTTP_Proxy-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <registerSDF name="RPC-HTTP_Proxy"/>.. <migXml xmlns="">.. Check as this manifest is only valid for down level OS < Windows Vista -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\Software\Microsoft\Rpc\RpcProxy")</condition>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1859
                              Entropy (8bit):5.127639156493723
                              Encrypted:false
                              SSDEEP:48:22e8B8PvMu0wEIDnmPvJ8+oxgSKIh0MKITFB/fdJ/fU/fPJuv2b/:22t8PvMu0wEymPvJPoMI+2J1RypP
                              MD5:8FBA5F6BBCB12A15D3C5138F59A77307
                              SHA1:3FD79588614832F4E3A960259675EEB1CA519FAC
                              SHA-256:B190AB315E42843CD26511AD392F8A428B6F4E6E2D0F754A44909CA7A67B7D80
                              SHA-512:AD7F7074425534E34EFF70EB05D80ABB2D0030638888C273749E9C2042EB1F4895649A28E9E8E18F6E7663CF3C05DB63CA3CD7F825D0B06554ADCEF55B210906
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="tassb".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-02-15T20:15:23.9993750-07:00".. description="Downlevel manifest support for local RPC over LPC and Named Pipes".. displayName="Downlevel manifest for Local RPC support".. estimatedSize="".. lastUpdateTimeStamp="2006-02-15T20:15:23.9993750-07:00".. manifestVersion="1.0".. owners="tassb".. supportInformation="".. testers="tassb".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-RPC-Local-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade,MigWiz,USM
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1973
                              Entropy (8bit):5.119843519500104
                              Encrypted:false
                              SSDEEP:48:22e8B8PvMu0wEDDnmPvJ8+oSgSKIh0MKITFBP/fW/fb3i/fgJuv2b/:22t8PvMu0wEnmPvJPovI+2ZMkkP
                              MD5:075B9EF1AF64201CFD786386B887E15F
                              SHA1:C8A08DDBE5B65D84C7C2D704A7EBF443CCD33C65
                              SHA-256:46D54FE38D4A8AFBA0BEE14D0C005AA98CA16CD3C15A56AF845B355C01382B1E
                              SHA-512:99945C230E989629A1FCC46A6475E4CB6E1EAA72605BAB80515A831270E2B5861BB87205E26CB4A1530F22E9307B928439E2A0834FD6AF1830E5ECA11E21CFF8
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="tassb".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-02-15T20:15:23.9993750-07:00".. description="Downlevel manifest support for remote RPC over TCP/IP".. displayName="Downlevel manifest for Remote RPC support".. estimatedSize="".. lastUpdateTimeStamp="2006-02-15T20:15:23.9993750-07:00".. manifestVersion="1.0".. owners="tassb".. supportInformation="".. testers="tassb".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-RPC-Remote-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1461
                              Entropy (8bit):4.995740778339918
                              Encrypted:false
                              SSDEEP:24:p/Vd8+V8g0cj4lQu/0KMKENgwwhoOHwwho8Gwwhod6wwhoAwwhom3wwhoEJXMFhZ:a+V8gf4lx9MKIgthxth+thHthZth53ts
                              MD5:EB19FF373C9986C8377609D97770FFFC
                              SHA1:977729D694B1F5E870EF4FC6BEB15FB946F62092
                              SHA-256:21E42B579C00347FB15F80D778E42D9D237F87CD39EA28789E26FAFD21F77A48
                              SHA-512:6119BBBF8AAEE516B9909A08838A1C42FEF7891C1671396E3A28FB6A89D6922C20DDF94923BB8AEF138BC95A169CD7A0C632AF9E9EF2D8AB7466C5770D722293
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Security-Schannel-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\* [*]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\* [*]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites\* [*]</pattern>.. <pattern type="Registry">
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1923
                              Entropy (8bit):5.048791351153793
                              Encrypted:false
                              SSDEEP:48:22e8GK8PvNUWs7B+7gUKls4JetY4Z/RBu4UWmAs4A:22aK8PvNUZkys4JA7T5w
                              MD5:8CF4ADA54803A273264F0A384DC7A963
                              SHA1:CE64FB9F7DE0B45145B9A767DD6CF45444C8983A
                              SHA-256:EA011EC6D443A2B756313DA35D421840388986387D8DE441235FEB5242D244EE
                              SHA-512:16E3FFD9DD17730A84A9CD464E985569CB6EE2611F67C669F0F924FB9FBC52D1183DF5DA53A64C0CCDB57DEE6CDAAD2CE32846CC66E35A66282D78BC47B87927
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="zinap; erikhe; shbrown".. buildFilter="".. company="MICROSOFT".. copyright="".. creationTimeStamp="2003-07-29T16:10:46.6864982-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2005-02-22T07:14:18.1645118-08:00".. manifestVersion="1.0".. owners="vasilep".. supportInformation="".. testers="yinghany".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TaskScheduler-Service-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. <environment context="System">.. <variabl
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):803
                              Entropy (8bit):4.875672572739874
                              Encrypted:false
                              SSDEEP:24:p/Vd8+VWzg0cj4lQu/0KMKENgwQkJXMFhUK:a+VWzgf4lx9MKIgNkJuX
                              MD5:96A1EA47C23147B0857999CD049CED2E
                              SHA1:666023049BB198C84FDAC513BCAD98D6C7C63020
                              SHA-256:C5A1518C66BFE2A5D52416D55D150060FDF8BDE8345B037596D8BA83EB6F24C9
                              SHA-512:6767A36665532265F8F2F048B430C25B8B8305004B6329EBB45F75BB1BF6903622A32C22796E8C59295249BE9F9090645884BFE2B90C9540D29897D882C5430B
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Security-Digest-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):803
                              Entropy (8bit):4.872380719250879
                              Encrypted:false
                              SSDEEP:24:p/Vd8+VBg0cj4lQu/0KMKENgwT7JXMFhUK:a+VBgf4lx9MKIg47JuX
                              MD5:C580489B33EBC3988FDBCC38070DDC72
                              SHA1:276DF02E7705D340D36EAD58A133D16EB9ED1D1B
                              SHA-256:9ADAF74E5CCE892BC6D701ECF741FF78F9327EB04B43045A3A5D2B9E19B98C6F
                              SHA-512:BF518BA37622837D49EED8299090ABB229D6D6825ABFF57C1E11BDFCBC65C16C75369FDD2A1BD6BA786640DE22E99A24F2CDBB80DBE673050E3B3091165BBD8C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Security-Kerberos-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1458
                              Entropy (8bit):5.035245161398061
                              Encrypted:false
                              SSDEEP:24:p/Vd8+Vjvhg0cj4lQu/0KMKENgwUw/PJw/yR2w/pw/Pw/Iw/23wJXMFhUK:a+V7hgf4lx9MKIgf66QYLd3wJuX
                              MD5:CDF723CC361E061608949DC23572CCE7
                              SHA1:C82C9374B5609BF7294003B8B0B4610EB71EEA9F
                              SHA-256:5C4F256261D8157B043768101176CF5BBA9D833A33D484A10FE61A8921495BE0
                              SHA-512:397AC33859016AEDF8C6B0C3E62B47655D2E2AD4C6FEA83A4D0A1BB66943BE5C303027FD95194345D179D7C162E8A0DC5D5E0843A03568A6827FFB351A9AD340
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Security-NTLM-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Msv1_0\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Lsa [UseMachineId]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Lsa [DisallowMsvChapv2]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Lsa [LimitBlankPasswordUse]<
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1079
                              Entropy (8bit):4.962721126399527
                              Encrypted:false
                              SSDEEP:24:p/50bJAd8+VjvfDg0cj4lQu/0KZ+PJyMKENgw/PJBJXMFhUK:8JX+V7fDgf4lx9KJyMKIgiJBJuX
                              MD5:94F4F93D40A7F6D3D2EDAF029215C65C
                              SHA1:F6771D757B41C78B46E582940DF9C49BB82F6FDA
                              SHA-256:A6C312C322F0963453D96E561ED800F2BE9F3C0E998A63520CC3299A358D45B7
                              SHA-512:82A057BAE639D7B1E6C79EF3F2F5E625C171F068E0484C347FBE538ED020A0E517911A77898FDF9729F9E387A20FE0F882F56701B54828D4EF405BD03A2ACE73
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.. Special migration logic for the LmCompatibilityLevel setting -->..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Security-NTLM-LMC".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista ? -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. <detect>.. <condition negation=.yes.>MigXmlHelper.DoesStringContentEqual("Registry"," HKLM\SYSTEM\CurrentControlSet\Control\Lsa [LmCompatibilityLevel]", "2")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Lsa [LmCompatibilityLevel]</pattern>.. </objectSet>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1288
                              Entropy (8bit):5.130991941002454
                              Encrypted:false
                              SSDEEP:24:p/o2e8Gj8PvMu0M7l1rd8+Vjg0cj/KMKENgwQVPpCJXMFhUK:22e8Y8PvMu0M7l12+VjgfSMKIg/5gJuX
                              MD5:2FD7B2F6A997E4A8F62294B230DCD6AF
                              SHA1:7DA5C93515C9C742031DD065D60CCF010F9FC820
                              SHA-256:4E43B4E2CC6120CF590CEB838B21D36CC89D26AA7EDFEB80A1AAB4A12BC091C1
                              SHA-512:4276AC77184AC35B94B0ABB3845FEAF7D11C76CCBC5F5A88D526E71399AAB55D46B1DD311B7260DFB9AD7E0CD4370651ECD6B529074FA7B55B3B6194E78983FD
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="ianserv".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2004-03-15T11:23:18.3461300-08:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2005-04-26T15:46:05.3890578-07:00".. manifestVersion="1.0".. owners="ianserv".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Shutdown-Event-Tracker-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT","6.0.0.0")</condition>.. </detect>.. </detects>.. <rules co
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3757
                              Entropy (8bit):4.9594086319107635
                              Encrypted:false
                              SSDEEP:48:22e808PvMu0v7u5PvJ8+VDgUKJMKIgfp0VaRmJecaZIp0vp00c7dvAN0PvopPvBO:22I8PvMu0vC5PvJP8Re2mciU0PvCPvr8
                              MD5:8EC0988E8CECE83445D613F84EAC0BD0
                              SHA1:4BFAF62DDEBF37461C14F69DC15E417EF89BBDEB
                              SHA-256:3CF319F5F9B2B96762F844FF8BF34F8C317DC620FB04D43FC9728C6E80E0C784
                              SHA-512:8586663539E2BB59AC99ABE150F74D504B0B82B3CC7404BEF080F51583B86E6A39585D1A15D40C4CC5C29EEDB9AF2572059F253688ADE598D9E9D690CEF5A31C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="eirikh".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-18T10:54:12.1286250-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-08-10T21:55:12.7031250+00:00".. manifestVersion="1.0".. owners="eirikh".. supportInformation="".. testers="rajesr".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-SmartCardSubsystem-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <d
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):13993
                              Entropy (8bit):4.765053924682927
                              Encrypted:false
                              SSDEEP:96:22X2qDKuQc5BUqynGpZ+q1sLsT+4tCqRX:mgKuBAGpZdF+4tV
                              MD5:46EC9442F8F233DF5A97AEEC8DC46770
                              SHA1:34119FB46E07B3D49D69320506565A4C85021A91
                              SHA-256:6FCC2FE6FD6A4FF6959EF0C201023BE3BD41BC9787C021D440920ECC6BC38EE6
                              SHA-512:F368A8C5683029A43BD48AC0B19FC89F354E6D628DFE9AE1D5D7A628AA379F5FF67DD15DF7A55DD79223D73D457D84FE6D257D46EABF9E59711B918E1998C371
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-SMBServer-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. Begin migration from Vista. This is the build-to-build upgrade or pc-to-pc case... Everything else comes from the -DL manifest. -->.. In-place section. Declarations here will not be migrated pc-to-pc. -->.. <machineSpecific>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSLaterThan("NT", "5.0")</condition>.. </detect>.. <detect>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1694
                              Entropy (8bit):4.874990206219257
                              Encrypted:false
                              SSDEEP:48:22e8c+VfgSlIcCY4apdfqQoInmBu4qQIqQlyA:22rbQAb/naw
                              MD5:CA55400F9390CC89BC20AE11F1D8652D
                              SHA1:C5BF6AD0CF401DC6EBE4E1666787BD925BCCF02D
                              SHA-256:6784A4A47D2CE84DE493CDB398D8A4954373F8C02391C680614B794B5CA4E107
                              SHA-512:09DB2822CA005011DCAD1BBCCE339BD66D426CCD1DD70A6B41766B6DAD86D413B4927D0725853AF6A59A0A1EDEFBA2A3EAF47F8B08AC589F514D476B7BE69923
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Smss-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT","6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\Session Manager [ObjectDirectories]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management [PagingFiles]</pattern>.. <pattern type="
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1164
                              Entropy (8bit):5.145309505141428
                              Encrypted:false
                              SSDEEP:24:p/o2e8GY8PvMu0RVKP81Ud8+VJg0cjAo6WtMPFhUK:22e8h8PvMu03QK+VJgfApWtMNX
                              MD5:4C0591E7232E932CA02B87B8CE9C11B9
                              SHA1:B384943801816C340C31B58045BE1F38416AEED9
                              SHA-256:7E9655C09966307993F031806E3FC4DBF9B5F9011426105159E82787BD99E578
                              SHA-512:F3F1CD274E6708E9EF2097FC452E101D6E9FBDA90B80815838D1E9511250204C29EF48245CC3D69E8E94D6CEBBAFE3EAAE1F4BD83CA0ABA4D42B7927B2D2D9DF
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="gpulla".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-01-19T19:08:25.6031914-08:00".. description="".. displayName="".. lastUpdateTimeStamp="2005-02-22T17:26:55.9643023-08:00".. manifestVersion="1.0".. owners="gpulla".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Smtpsvc-Admin-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <registerSDF name="Smtpsvc-Admin-Update-Name"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1180
                              Entropy (8bit):5.1624632559762516
                              Encrypted:false
                              SSDEEP:24:p/o2e8Gf8PvMu0RIKPVR5Dd8+V5g0cjA6/6adMPFhUK:22e8i8PvMu0yQ9e+V5gfA6ywMNX
                              MD5:D6D48B8900AE3941164E6D6A5FC97364
                              SHA1:A873C4D8FA84B3E6537256BA4835221A75BFB24A
                              SHA-256:0AFAF1112381DAAF69C91EAD1A7520C7C6003F72132AAC40BCF62DDB72713234
                              SHA-512:E4102F0ED658143BF539D73ABAF7824C8BC11A9656E8E0476B67AC7539963927F960CF17CB8D9B8AB06ACBB4A539D479E3F5CDC6589F5D35664E87A79833A0B3
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="a-jvuren".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-01-19T19:08:10.4118034-08:00".. description="".. displayName="".. lastUpdateTimeStamp="2005-03-08T21:52:00.9984889-08:00".. manifestVersion="1.0".. owners="a-jvuren".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Smtpsvc-Service-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <registerSDF name="Smtpsvc-Service-Update-Name"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0")</condition>.. </detect>.. <detect>.. <condition>MigXm
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2858
                              Entropy (8bit):5.0072143192941745
                              Encrypted:false
                              SSDEEP:48:22e8v+VygLBqg5SKtVMKIg/oRDo/J5Ig6Be6LY6LGH6IS6F6n66SPdu5lu3Jmg6G:22CDZ/LxO45IBtL7LGaus6aa5WFDr8
                              MD5:8371ED7C18F168DF004649D839084C11
                              SHA1:D9404EFD4558427C10FEC433F049D044109DAAA9
                              SHA-256:998147832BF98CF74440FD64C1B51AE7A94A0C07AC671491ABEF7AAA23C5BA7F
                              SHA-512:D9B5ECF49A6A300048FF2EC279064C339AE226CF3CD406E790C23DCF6963C014E52AF8D3B614E08977BDF56BE56CAA37A1E37CC5D2ECCF8848FFDCDEA03F0085
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SpeechCommon-DL".. processorArchitecture="$(build.processorArchitecture)".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Speech\Voices\TokenEnums\* [*]</pattern>.. <pattern type="Registry">HKLM\Software\WOW6432Node\Microsoft\Speech\Voices\TokenEnums\
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1737
                              Entropy (8bit):4.888084989930429
                              Encrypted:false
                              SSDEEP:48:22e8v8PvMu0XQqM+5cgflxstY4hYBustY45B2A:22D8PvMu0Xd5lw0Bpb
                              MD5:B0B102BB74B6BFE983914667963F3B44
                              SHA1:427A123944F3262FC4300702862145C293D65B44
                              SHA-256:BECAEC5F6EEC2B8397CAD5EDC48B23B08E1AD9139A611956321B5B8B0A488586
                              SHA-512:D99E3C95D0C2AE32D61B3C0BF3E95AC801C2B6E15A7F53888D769D786D604F11611BBA934A5AF38A662F017248AFFB74EAD6243D770231C2752511145875B40C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="daperry".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2004-12-09T22:37:41.9596795-08:00".. description="Downlevel manifest for TabletPC Buttons".. displayName="".. lastUpdateTimeStamp="2005-06-22T00:32:03.7264198Z".. manifestVersion="1.0".. owners="daperry".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TabletPC-Tabbtn-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1429
                              Entropy (8bit):5.176189577199329
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZFPvJ2YS+5bg0Lmj36DUDq1BOpcVENgw5aiJXMFvD0klJUK:22e8zPvJ2j+5bgUKKyqepcVIg6lJuvp/
                              MD5:6544906812FB734E4688EB15FEE92131
                              SHA1:0B6CA2321F0692E2DA2EFC62215FDE1ADBB3BD6F
                              SHA-256:D926ADF3A34859215AD3A1CBCD4561EC34BB2444B4193DEE9E95E49A8A63F0FF
                              SHA-512:149017F0565F0B24EA20E8DABBA6A62B6C07DE2933D9E61B01CE3F731CC61E5CE485676C99B6990AB33905F1A08551DDBCE085B74BAA2BAFBE80EE4C4DAAE697
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-TabletPC-InputPanel-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <rules context="User">.. <detects>.. We only support WinXP -->.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT","5.1.*")</condition>.. </detect>.. With TabletPC bits installed -->.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\Software\Class
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8752
                              Entropy (8bit):4.9968105900150865
                              Encrypted:false
                              SSDEEP:96:22xo8PvMu0ZYgH53xMI7taNVQMjFqz2SUAUUznMzKB330+lslFlitE1vNzWKNDUK:x5UBoq0vC0N
                              MD5:C39F8BBC97C7F60EA8B250A1177DDF6C
                              SHA1:0E9F97415C568188D955EE083D7D0887687F1C8F
                              SHA-256:9C97D46DB71E1E55D23541306B8FD478CF77668C3767B5E08F945815BC043D39
                              SHA-512:B02D2080D054CEA9CFB19055CFC2743E945CDB467463D94545CA37394F7D7323F0171479785C2287E94742726F0C94B8D27D9AA4D34C68FF7444A14B901918FD
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="robjarr".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-02-09T22:59:43.4054402-08:00".. lastUpdateTimeStamp="2006-02-09T23:01:03.7264198Z".. manifestVersion="1.0".. owners="robjarr".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TabletPC-Journal-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <rules context="User">.. <detects>.. We only perform Windows Journal upgrade when TabletPC bits are installed -->.. <detect>.. <condition>M
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1131
                              Entropy (8bit):5.28273544545699
                              Encrypted:false
                              SSDEEP:24:p/o2e8Ga8PvMuCD9Wu7jKd8+50ejg0cjtDjYVS2N9+FCkY0HlJUK:22e8/8PvMuCD9Wu7jx+50ggftP6S2N9m
                              MD5:E34D3845F8CAE9B344C0BD9BA6236EBB
                              SHA1:C5724F99CFBC8DDCFF1783160FD31BBBA89EAA15
                              SHA-256:7F8D0134AC59480BE2BCC3D2DD8269FA41E4F27CB3EAD8278C253C7E440987B4
                              SHA-512:98368EE33B895F30F2A8E8B4CDFDA10E2A022E825A229D035FC0236B16E948D364F0006FC4E16DC5D902B62D6127487F47B736920C479DE8D1F3EA85D7AEEF35
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="ssheehan".. buildFilter="".. company="Microsoft".. copyright="Microsoft Corporation".. creationTimeStamp="2004-06-09T17:39:55.7433860-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2005-02-25T01:08:57.4517493-08:00".. manifestVersion="1.0".. owners="sdodge".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TabletPC-Platform-Input-Core-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. declare for which Vista OC the downlevel OC corresponds to -->.. <registerSDF name="Microsoft-Windows-Client-Features-Upda
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1573
                              Entropy (8bit):5.0396443495784355
                              Encrypted:false
                              SSDEEP:48:22e8+8PvMuAH+ZUgfA3CFTMKIgExE3JuX:22K8PvMuAeC3MtQ
                              MD5:8C6AAFB8407882C3869B548CE90C45C3
                              SHA1:EDE98649B3EDD416758F33748E9B07C528FE17C3
                              SHA-256:A22E5B9DB816852923636492F40DA0999458927F15CE507ADE4F2BCC1A607B68
                              SHA-512:6EAF04D630BAF15E857F770B4DC67B6473A97EB67D127A16D9D9549343A49B22AB4F40CD3B2164894C0AD67BD03AC66E9DB14E8E70EE9D4A202DDCFC02097E66
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="jiazou".. buildFilter="".. company="Microsoft".. copyright="".. description="$(resourceString.description1)".. displayName="$(resourceString.displayName0)".. manifestVersion="1.0".. owners="jiazou".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-AppServer-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <registerSDF name="AppServer"/>.. <registerSDF name="AppServer-UI"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesStringContentEq
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1305
                              Entropy (8bit):5.004336853512265
                              Encrypted:false
                              SSDEEP:24:p/o2e8Gz8PvMuVKFd8+Ztg0cjD1IAmMKENgwuENrJXMFhUK:22e8E8PvMuA4+ZtgfD1IRMKIg+NJuX
                              MD5:5169D09C79B91100F484F3998A0DFB61
                              SHA1:68CAA3BB65F434ABBD8EA851F1A151D8656FB394
                              SHA-256:9D3C7F02A71220BAA88E12553CAE30FA65C96D1279D472CDEE6FD0A4FC2E3781
                              SHA-512:6FC9B70C505D7E7F3538093A1BD7CD496850CA832FF2F101667BFB87B34BB010D5791359BEC3B06894DC52EDAB7D27A65DE7B8CC4287DEF52E89B8F3AF546C2F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="ranjanr".. buildFilter="".. company="Microsoft".. copyright="".. description="$(resourceString.description1)".. displayName="$(resourceString.displayName0)".. manifestVersion="1.0".. owners="ranjanar".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-AppServer-Licensing-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. We support only W2k3 to Win7 in using this downlevel upgrades-->.. <migration>.. <registerSDF name="SpecifiedLicenseServer"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "5.*.*")</condition>.. </detect>.. </detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1164
                              Entropy (8bit):5.057626266327765
                              Encrypted:false
                              SSDEEP:24:p/o2e8G318PvMu0zlNKJJPrd8+Z7g0cj/6MKENAJXMFhUK:22e8q8PvMu0R4JJO+Z7gfyMKIAJuX
                              MD5:DC3BC69B1E247563722C3D73E10DB9AE
                              SHA1:5D65E58BAABE2C4BDF9D5B53EDC6D80DCBC27953
                              SHA-256:9E3DA11A67628A6C5913F542325F6A9FA2EA4B3A2BBCB7F8200F5BAD64AEA004
                              SHA-512:30D9682A43A6E39CCD893E2FC6AAD80E815439CF7EF144AEE7CB1023BEBEA19B351D827791EE65FE937CDFD7C29787111CCA0576FB8F37060317783E978E1990
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="maheshl".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-01-19T23:09:09.7164046-08:00".. description="$(resourceString.description1)".. displayName="$(resourceString.displayName0)".. lastUpdateTimeStamp="2005-02-03T00:33:01.6861768-08:00".. manifestVersion="1.0".. owners="maheshl".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-Drivers-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0")</condition>.. </detect>.. </detects>.. <rules c
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2232
                              Entropy (8bit):5.246356203491253
                              Encrypted:false
                              SSDEEP:48:22e8R8PvMu0R4JJ/+ZwgfDMGL/9ZZA1hoMKIgjavjaV/+RuD1/e/BJuX:22V8PvMu0iy1LVgU1Y6xD9sbQ
                              MD5:8B16B53A69A5202A0EB2E96754C87CD2
                              SHA1:8F973EBB59D1D0F0CFDDE60AF880A71E360C94CC
                              SHA-256:01CE0CD021049B230BCE0903C4B4433327300FBE7C27A59803FE6C37FC034882
                              SHA-512:5F4BCC02A65CF3A155C2582DBF48CC99F1AD0920F6F38E60DDD1247EE42BE4E6943713597607F28B23C29C14834467950E41B1FE1DDA52DE259459C937BA3240
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="ajayku".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-01-19T23:09:09.7164046-08:00".. description="$(resourceString.description1)".. displayName="$(resourceString.displayName0)".. lastUpdateTimeStamp="2005-02-03T00:33:01.6861768-08:00".. manifestVersion="1.0".. owners="ajayku".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-LicenseServer-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. We support only W2k3 to LH+upgrades-->.. <migration>.. <registerSDF name="Licensing"/>.. <registerSDF name="Licensing-UI"/>.. <migXml xmlns="">.. <plugin.. classId="
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1438
                              Entropy (8bit):4.949117020394633
                              Encrypted:false
                              SSDEEP:24:p/o2N318PvMuB6rd8+ZIg0cj/6MKENgwxTDW8apaLwxTDWzTewxTDWbQ4QwxTDWH:2278PvMuBJ+ZIgfyMKIgkUpaLkUTek1/
                              MD5:5A2BA1DFBF70F93FC91B8C4DE0D35ED3
                              SHA1:1B05F6708B1EAA34C27FB5D5CF4D7F497916649B
                              SHA-256:FB693A56C34B0AC7C12FD4EA579F55C12F46527A1DE8001638979D5136E3C505
                              SHA-512:CD837602013E347C68CD05099E45C82B03DB716DCE5A9C6C78B6476925FBE753577F1FDDF07B42554E44B03C0D352A8D6D4E2F80A73210CCFD8E8863EF511EE4
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. authors="maheshl".. buildFilter="".. company="Microsoft corporation".. copyright="".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. manifestVersion="1.0".. owners="maheshl".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-LocalSessionManager-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server [fDenyTSConnections]</pattern>.. <pattern typ
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):20863
                              Entropy (8bit):4.955583543705403
                              Encrypted:false
                              SSDEEP:96:22j8PvMu0FkLhNJaGnN9VGUT6qKaaseYNMWQv++PMc5TLX:AUmtNJaWN9V76qK3sVeWQvV3X
                              MD5:B61F5D5331BCDB91A01FD718C9AED83B
                              SHA1:AB8EDF7FA67D7DC41605571FE049441067B78E75
                              SHA-256:B56F32416F3C3443E828401E1BD9DBC786BBCB34D4EAD4D3C194683F3BC44A13
                              SHA-512:86B5E892A4B457D029BCC6B67850DC4FC7636091CC1C94B880801865F2C16C22B77E4B37132B982144046AB01C2B58161FA3F193970182584AE1C1AAA0D9C213
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="chenyz".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-30T11:55:42.8136439-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2005-04-08T21:34:43.7818928-07:00".. manifestVersion="1.0".. owners="chenyz".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0")</condition>.. </detect>.. </detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1438
                              Entropy (8bit):5.0243034909528586
                              Encrypted:false
                              SSDEEP:24:p/o2e8G318PvMun6fNd8+Za0g0cj/6MKENgwxTDW4wxTDW2wxTDW8JJXMFhUK:22e8q8PvMunCw+ZBgfyMKIgklkFkDJuX
                              MD5:30EDA5D79E91982C35DB4F24EF032CA0
                              SHA1:774BA988303C34E14DB39658611B7E70EF914337
                              SHA-256:72C3AFAC9B138622226AE9FC450ACBE677521102672F37EB3BD86191AD7814A3
                              SHA-512:B48DB5C40F4302DE49E7CCC06DB12EC1ABE97A854D04AE4D3F56BFA0FCF8BB048E2B2DEBAD9E7722C09F8E173AC52D670C6DCC2FFBB864470E6E3F877DD633D3
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="maheshl".. buildFilter="".. company="Microsoft".. copyright="".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. manifestVersion="1.0".. owners="maheshl".. supportInformation="".. testers="vishalm".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-RemoteConnectionManager-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HK
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2240
                              Entropy (8bit):5.104349316303394
                              Encrypted:false
                              SSDEEP:48:22e8q8PvMu0c7Ik+ZFgfyFTMKIgk8k/fQk94pkakYkOxJuX:22G8PvMu0csnhq9AQ
                              MD5:F79CC050D67F4F93CC97E86B63D56121
                              SHA1:854F0A027311B99869ADCD79218E34B1F08AD247
                              SHA-256:89FFFEE9E4B56B7D922A22241D32F1427B5848A5C23D06C927F16F09ED521621
                              SHA-512:5EC9DE22FBB0C47923C1859157038797A211A161C7903FC1AAAF85F9C279D1ADEB463A791FE6C9E5A7494855B35DF28CBD7C6E29195B14AAB13F4CD52DA2EA9C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="maheshl".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2004-05-21T14:26:02.0157474-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-10-01T21:40:40.9701248-07:00".. manifestVersion="1.0".. owners="madhann".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-SessionDirectory-Client-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0")</condition>.. </detect>.. <detect>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2453
                              Entropy (8bit):5.14342781777938
                              Encrypted:false
                              SSDEEP:48:22e8q8PvMu0c7I3+ZJgfAa4sMKIgDbfBc4+cJuX:22G8PvMu0csuta/ZbQ
                              MD5:1A214BF3B53B5DDEDA6D35679E05C169
                              SHA1:8B47D9AFC5A9A1A5938AF09E356A8D7607E93750
                              SHA-256:E5557CAFCA3C01FE861AF8462393C741EC46D5DFBCA36BC814B991A013DD75BC
                              SHA-512:6AB3E28F65178CC8692DD9604372F91A1CD9182E019B19620D6ED1434F3086FA69816B0A7BF9E0FDE1851CFF3E6E10DB366D1D1D1417D6DDFA30C88C3F9EC7A3
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="maheshl".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2004-05-21T14:26:02.0157474-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-10-01T21:40:40.9701248-07:00".. manifestVersion="1.0".. owners="maheshl".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-SessionDirectory-Server-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <registerSDF name="SessionDirectory"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesStringContentEqual("Registry","
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1919
                              Entropy (8bit):4.973318807159233
                              Encrypted:false
                              SSDEEP:48:22e8X8PvMu0G7Ux+ZGNGgfyMKIg/5iJJmg/5NlIg65iJJmg65NiX:22j8PvMu0GpgSx4DjZI4DWw
                              MD5:6CAD5FF3C0879EBEE29F787BC16CD094
                              SHA1:138EE2ACD88D5F7A49AFDB7CB28C555375BB996E
                              SHA-256:2DE558DAC4E455F19D2ECB03A0807A510FBC877BA9D83B719022F17702674254
                              SHA-512:DDBE3F6FE1746E379F9FC7D1E579CCCF79EB963837FB082C1DF430FC32EA6CB5BDE697615D7536B5EB053791B17156942727C0CADAD72209E6E6D52EA0FCB7C8
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="chenyz".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-31T19:17:13.3882905-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-10-07T00:02:19.1021250-07:00".. manifestVersion="1.0".. owners="eltons".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-TerminalServices-TerminalServicesClient-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0")</condition>.. </detect>.. </detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2841
                              Entropy (8bit):5.066379938789705
                              Encrypted:false
                              SSDEEP:48:22e8z2I+YOgUUKplx0MIQK0iKAYZ2lxMcVIw6i6u6xpXub68656Jm16MbivWR8:22X2rrplUQ1A9lhiZdSmn5mj48
                              MD5:6473282D1EA670D89DFE11B549A18645
                              SHA1:AAD8AF79846619F9A502B339227C9F090EA6A5A6
                              SHA-256:8B9C2DF94477D861AA124EE09CCAD18D8D990218F7B54010E3B1502AE97041D0
                              SHA-512:37A04091AE97C87DBB996D3B8989620D59664A64866564BEBF9ACF87F9E8DA56B76CE3B47F3978C3840E0DD44C04D7EB326E9651895ED7260C9051022291FB79
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-TextServicesFramework-Migration-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. Check as this is only valid for down-level OS < than Windows Vista -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. Plug-in setting for msctfmig.dll -->.. <plugin.. classId="{0b23c863-4410-4153-8733-a60c9b1990fb}"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2038
                              Entropy (8bit):4.855658952563297
                              Encrypted:false
                              SSDEEP:48:22e8v+ngLBqg5SKKxc++NRhCeeUgpTIgjgJTIg/gJuvobNw98:22CaZYJuRhG7pTVsTxsPw98
                              MD5:83D84414FF761B198A5AD8CD7A0BE634
                              SHA1:0908B69733074381B6E95E80DC8FC9D67DABF704
                              SHA-256:84ECD7F921FCEE1D7777EA121E597E01E458D7302CB26439078CF61170312DBD
                              SHA-512:98A3EF4D8D07CFC8A97754163100DFD31C90632B8D409E1C852A7984C848B16067CFF394750B301B7DA5EE785E6BB1C4CB19A1F3B05D61286BD865FBF3EF239A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Video-TVVideoControl-DL".. processorArchitecture="$(build.processorArchitecture)".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade,USMT">.. <migXml xmlns="">.. <rules context="System">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. .. we're doing something a little cheesy here. we depending on the fact that the tuning spaces are either.. in wow6432(xpsp2 x64 pro) or not(everything else). so, we'r
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1040
                              Entropy (8bit):4.9171593745049105
                              Encrypted:false
                              SSDEEP:24:2dtE2e8Zg+ejVg0LTwKstEF4wubkBX0FCUK:cm2e8G+iVgUTxstY4GB2A
                              MD5:16CC4BE1A4F3DB8E1E02B65FC6EFD604
                              SHA1:917A9E0C1F1686158006303C98CA917E4C8080B1
                              SHA-256:E42D7765D702271CA6E81B880E99291DBA426E2F097FFAE4540D6F55FAA0086A
                              SHA-512:AAB48D2E67ED320CB61548320468EBF17DD85ACC36B3EDFDD823877AD41722FB9AAA20A584A5C5FA4EAB8CB1E8A8EB99603BC347174247ACDC043381EB54D912
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Volsnap-DL".. version="0.0.0.0".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. language="neutral".. />.. <migration>.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\volsnap [MinDiffAreaFileSize]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machine
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2018
                              Entropy (8bit):5.182918345555346
                              Encrypted:false
                              SSDEEP:48:tF2e8L8PvMu01clO0PvJ2kgUUdISTvs1r6acjMNX:tF238PvMu02LPvJ2R3T01rIW
                              MD5:D2F9AFA9FB59BFFEBA6C439415E15BD9
                              SHA1:2AD33C8166BD32B0C999F9C31935836ECE8B6F1F
                              SHA-256:AA5DF381EE42E42147D20653B44C2514FBB2DF94177DC98BC959BA0CE2BE76DB
                              SHA-512:677EDBF2ED2F05E43DFDEDD77E2FEB3118DEB2C7A86D7931CEF5263D81214546D90E4A0B656478DD02AF0F5CA7F796264DD92F2B8E30B8154205A245F80A17A1
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... Down Level Manifest For Component WCF-HTTP-Activation --><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="wdong".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2006-07-27T12:29:38.8364502Z".. description="Windows Communication Foundation HTTP Activation Downlevel".. displayName="Windows Communication Foundation HTTP Activation Downlevel".. lastUpdateTimeStamp="2006-07-27T12:29:38.8364502Z".. manifestVersion="1.0".. owners="".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="WCF-HTTP-Activation-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. type="".. version="0.0.0.0"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (548), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1452
                              Entropy (8bit):5.168012187504661
                              Encrypted:false
                              SSDEEP:24:2dcmUBGZ8+KxQ/9BnQ/9BBuTIl6KbMIWejsgPrYRwjEdcbKBbK8fFJUK:ccmN8lruk/7sgPrkGEdW8d/
                              MD5:3E4D820C1C84DEDEDE7C5CC11A41264E
                              SHA1:2EF3A3016CE731023DCAB2A10B8B665CAE336378
                              SHA-256:8B063DF749A13AB0542C0EF3CA7C6DA161933DDC31F9A23BE731BB24FE6E6BC3
                              SHA-512:81474E56373C714F950FE74AA18EF7274755585BFD8AE7D2383F90494B977FC3A6C86C70CDAB07A7DA41DBBFC8D785F33158AA470E12C5177E0242F12F9141C4
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="utf-8"?>.... Down Level Manifest to trigger post-apply step for Component WCF-HTTP-Activation -->..<assembly xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" manifestVersion="1.0" description="Windows Communication Foundation HTTP Activation Post-Apply Downlevel" displayName="Windows Communication Foundation HTTP Activation Post-Apply Downlevel" company="Microsoft" copyright="" supportInformation="" creationTimeStamp="2006-07-27T12:29:38.8364502Z" lastUpdateTimeStamp="2006-07-27T12:29:38.8364502Z" authors="dglick" owners="" testers="" buildFilter="" xmlns="urn:schemas-microsoft-com:asm.v3">.. <assemblyIdentity name="WCF-HTTP-Activation-PostApply-DL" version="0.0.0.0" processorArchitecture="*" language="*" type="" publicKeyToken="$(Build.WindowsPublicKeyToken)" buildType="$(build.buildType)" versionScope="nonSxS" buildFilter=""/>.. <migration>.. <migXml xmlns="">.. This is al
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (534), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1403
                              Entropy (8bit):5.177777042367706
                              Encrypted:false
                              SSDEEP:24:2dcmUBZZ8+Kxu3v0u3vguTIl6KbMIJJjsgPrYRwjEdu3bKBbK8fFJUK:ccmy8l4/z/guk/fsgPrkGEdm8d/
                              MD5:7A4D59BB52D2542ABA2730CC42E28856
                              SHA1:DCB62B81E4E8DEF2E785B76E73A96D3EAA728D50
                              SHA-256:7CB173750767A67ECECA5832914C7FC2ABA4136E92C7654CCE48E4E138E4F096
                              SHA-512:AA37D15EBADA3C2054E6CCDBC6A85C6FC91C6D649E9EACA0A47407B678EDC6A3B2C6DF4E03387FFA73C2E0D4D3589AD76C32CCF5EBF898CC78FB347F4A38224A
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="utf-8"?>.... Down Level Manifest to trigger post-apply step for Component WCF-NonHTTP-Activation -->..<assembly xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" manifestVersion="1.0" description="Windows Communication Foundation Non-HTTP Activation Downlevel" displayName="Windows Communication Foundation Non-HTTP Activation Downlevel" company="Microsoft" copyright="" supportInformation="" creationTimeStamp="2006-07-27T12:29:38.8364502Z" lastUpdateTimeStamp="2006-07-27T12:29:38.8364502Z" authors="dglick" owners="" testers="" buildFilter="" xmlns="urn:schemas-microsoft-com:asm.v3">.. <assemblyIdentity name="WCF-NonHTTP-Activation-DL" version="0.0.0.0" processorArchitecture="*" language="*" type="" publicKeyToken="$(Build.WindowsPublicKeyToken)" buildType="$(build.buildType)" versionScope="nonSxS" buildFilter=""/>.. <migration>.. <migXml xmlns="">.. This is always true if we ar
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1914
                              Entropy (8bit):5.063913355640971
                              Encrypted:false
                              SSDEEP:48:22e8C8PvMu0DJl+PvN+9ugUKKtMKn03cg/MJuv2bN0PvO8:22W8PvMu0DqPvk+zn03tQ90PvO8
                              MD5:2A110F0D2AE009C4F5CC41CB754B3A93
                              SHA1:9639ECD1A8F14F9DA5295F41CA21FC35D0723A7F
                              SHA-256:036DE972E6A9A81B2B05BB3B1DADC5211E8BB0C2F409DE5722143BB00330AB59
                              SHA-512:99324E2479ACA8B0A8D77606A741B482F53CEB077EA19635D44F43F02B399E5943B5ABBD16CD87EFCA76866AA6A75F863D27F9A7C105DA65D6EB7E9FAF10D96A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="a-mworob".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2005-03-08T15:31:27.4610320-08:00".. description="".. displayName="$(resourceString.displayName0)".. lastUpdateTimeStamp="2005-04-26T18:08:08.6728963-07:00".. manifestVersion="1.0".. owners="Michael Worobec (a-mworob)".. supportInformation="".. testers="Steve Lee (slee)".. >.. <assemblyIdentity.. buildFilter="".. language="neutral".. name="Microsoft-Windows-Web-Services-for-Management-Core-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <d
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1676
                              Entropy (8bit):5.101235549147811
                              Encrypted:false
                              SSDEEP:48:22e8j8PvMuD2ldQyR7OPvJv+B60gSYOmocMKIgtuJuX:2238PvMuDqdQ0SPvJ2B6/OCeQ
                              MD5:536323AFCABE0AEAF3B4AB7E2C7C3CF6
                              SHA1:9D9E89890FE42763E563D7BE5E618B3BE3B20CB4
                              SHA-256:15CEA3AC12FFA821A7690D5081F6674E327DB738A142DC34D3429126C3CB4C3A
                              SHA-512:9CB428B9347545B6F7F316137CDABAE78F3B565991603CE0EFF8F0CAD29770F8460C1E4DCE5C96496A53E1A4C90653273E9E385B43D90920627E72A83FD6B261
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="duncanb".. buildFilter="".. company="Microsoft Corp.".. copyright="".. creationTimeStamp="2003-07-17T00:01:35.7869979-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2004-10-21T02:38:49.2965503-07:00".. manifestVersion="1.0".. owners="duncanb".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="*".. name="Microsoft-Windows-WebEnroll-DL".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration xmlns="">.. <registerSDF name="WebEnrollmentServices"/>.. <migXml xmlns="">.. <detec
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):12503
                              Entropy (8bit):4.866977339257306
                              Encrypted:false
                              SSDEEP:96:doxlhiE9ahX8Rq18KjK3KTnREzwCa9nfjYYpsYYHE0lhELbec8qRWLUX9XNaoFyF:mhr2VmaH7YxYE1hyzHaoODH
                              MD5:8FA25423B75D2815F54522D2D4BA1419
                              SHA1:495640C9FEB0F3D6A92D4CA6EAD2CCF7450CFF0A
                              SHA-256:7AB77C934280E61A29BF2FDF3976B1F8346303EFB7B52A5BB5C36C5FCC82592B
                              SHA-512:A0405F2843C2700A301A0DFCE60EA2C35B36125327E7BDFA212427559D6D895C69DAC18EDF1F432BA56133D0E60C1134A38133B5F14729E8745887D16E92306C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Win32k-Settings-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. Gather the registry keys that need to be migrated -->.. <rules context="System">.. Check as this is only valid for down-level OS < than Windows Vista -->.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. <include>.. <objectSet>.. Current control set settings -->.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control [WaitToKillServiceTimeout]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control [ProcessTerminateTimeout]</pattern>.. <pattern type="Registry">HK
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5748
                              Entropy (8bit):5.074854434541972
                              Encrypted:false
                              SSDEEP:96:22w8PvMu0mADVA4MAxuKnaOWv/hvypjPcQHYCsS/hx0K1VMto+an7LEsAMaA+aO:RUvDy4Fea/KEho
                              MD5:119875F76AF9D11ED66D829094A2C965
                              SHA1:014D08964B07937DC0F6B989AAC008018FCE20E3
                              SHA-256:8563A5399FF9B58F2BB056242D90163C0A5A2C1215793D1C19A3CAF1B9FB7460
                              SHA-512:A50BBC5FCCC596EB5AACBAC4C8DC7AB8ECE805F10B7269454AA8FA1EB8EA20E843D72915A0C792754F1F15DFD666238D7A4504CBF66F86BF03BB05A22EAAF383
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2004-08-18T00:19:55.6902352-07:00".. description="Downlevel manifest for Windows Search Service".. displayName="Windows Search Service".. lastUpdateTimeStamp="2004-09-03T03:22:56.3350156-07:00".. manifestVersion="1.0".. owners="".. supportInformation="".. testers="".. >.. <assemblyIdentity.. language="*".. name="WindowsSearchEngine-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,MigWiz,USMT">.. <migXml xmlns="">.. <rules context="System">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT","5.1.*")</condition>.. <condition>MigXmlHelpe
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2887
                              Entropy (8bit):4.995765904664658
                              Encrypted:false
                              SSDEEP:48:NPvJ8+9ogUKKlxnMKIg/p0TQ/p0H/p0jQ/p0w/p08/p0q/p0M/p02np/p0q/p0RN:NPvJPAlPxWGEkGtnH3THO2MrFPZ1eQ
                              MD5:45C088AD196A87299A0599F020E95179
                              SHA1:981E2282F9B6C8AE8DD4379B73A720918A2D672B
                              SHA-256:81C93B7753C3300AB368C0539940F92E1CB42DEBCA88771CC1BB1154D18A50D4
                              SHA-512:71B549327DDFDFBA5A9E81331E54F30B3C422512853B95EDD464DA57F7758B5D5A92471DF42092B7311114F20514587E756D58A14428DA36928B01B136F46135
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Winlogon-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration>.. <migXml xmlns="">.. <detects>.. Check as this is only valid for down-level OS < than Windows Vista -->.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT","6.0.0.0")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [ScreenSaverGracePeriod]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [LegalNoticeCaption]</pattern>.. <pattern type="R
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2372
                              Entropy (8bit):5.263550346895034
                              Encrypted:false
                              SSDEEP:48:22e8Y8PvMu0a7lpK+agUKbGHJIMqIg/q/Ll/wl/g/KDLlDwlDAJuX:22s8PvMu0a3t0HSx4LtwtW0LBwBMQ
                              MD5:79FDBD0387C81C0A80CA03E8C2F0A289
                              SHA1:E30E34D9777DCE19CCF80984E7B254514A92E8DC
                              SHA-256:919270E6DCFCE6C5A66F91389C1A62C50EFB3AF867F5EE2E98450409BF83E306
                              SHA-512:4CDEA57201B2035DD78CFE16F8E29D86DDBB67C03A24C3030AC8A14F475DC93E27038A8E6512E9BA59B6D421D7CC10B9A76C37DADF6FF0414D78806C3D6978F5
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="prasenni".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-28T11:51:38.2054652-07:00".. description="$(resourceString.description)".. displayName="$(resourceString.displayName)".. lastUpdateTimeStamp="2005-04-12T00:06:49.9963520-07:00".. manifestVersion="1.0".. owners="rajakhan".. supportInformation="".. testers="Kmathur".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WMI-Core-DL".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <plugin.. classId="{401F8281-A9B6-49F9-9F71-8AEA167EEEFD}".. file="Microsoft-Windows-W
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1811
                              Entropy (8bit):5.092022834694158
                              Encrypted:false
                              SSDEEP:48:22e8a8PvMu0fJsmJer0+5gf/sMaqIgH8wdJuX:22u8PvMu0femOXI1Q
                              MD5:A8C54722A8F5186A18F74D29C7383F42
                              SHA1:D9CD9EAD3128D877186D2441950F4F89E999FB7F
                              SHA-256:10D6C03386E8F3F2CCB1895E254CC0B62226036837650C09C21F1FE3FD2181AB
                              SHA-512:11272AB787672D27C40F9A8AD0F72F3F7C83CC7DEBC7A129E1F5D9C270BF95F2F5A6AB2824E437F0656F6A5714F91768B82095BCE3E89439951271D906100BD4
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="mgeorge".. buildFilter="".. company="Microsoft".. copyright="".. creationTimeStamp="2003-07-30T16:58:37.5205889-07:00".. description="Down-level manifest for Workstation service".. displayName="Down-level manifest for Workstation service".. lastUpdateTimeStamp="2005-03-03T05:03:39.7541984Z".. manifestVersion="1.0".. owners="mgeorge".. supportInformation="".. testers="jacobb".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-WorkstationService-DL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSLaterThan("NT", "5.0")</condition>.. </detect>.. <dete
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):155960
                              Entropy (8bit):6.046165697779111
                              Encrypted:false
                              SSDEEP:3072:MEMyzYTVFKfXu2b79eodLUmKh6tNtfL0DYayOTJIue/:MUeFKfe2XDmmKQweO9E/
                              MD5:53EB6FDB6EE7C2254B8FDF8A53CBCFD9
                              SHA1:8917802E3D4C97941BE95C776F97C56C55A1B3D2
                              SHA-256:F474AC2EFF26CD238C208B797F3F06F75F3DE2C918F3278FD4C369303D8E9E12
                              SHA-512:24116288942581D38E2A282342EED304DD34CE82C59A1DDBA3DAE250ECD126E7180302DA081FF22432A76B24C88862C73A5C8204181C4998E0EC5225FBC12822
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):323072
                              Entropy (8bit):3.509862227316295
                              Encrypted:false
                              SSDEEP:3072:A/mgGIubUHxcNtB7ZOhOhEibIn8TNyj4Tc1dMWObUiibA5z:+G7Uq4dRDuT
                              MD5:3512284BC6D76DEFBC14A70E20AC94EF
                              SHA1:7617C2506D442E7B087838F96DF3EC5D880AF150
                              SHA-256:80EA41E993918DBFAF8CA3D8D3540D4D4039612597E3ECF8F93E742485850B31
                              SHA-512:194B4564962B864DB2C94F0EC9EF0456C9C9F90F47119349CC5BE25334D0087DCC5B649C917B161A5D012E80B4E4755CEA8BE3B2A891B7FD6E642A6F94DC157C
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3584
                              Entropy (8bit):3.70184488796074
                              Encrypted:false
                              SSDEEP:48:yPlhbiCqjQgJ6u7l7luZjlweZW6Mn/uhCK5WwHgn:unaQgJT7pEWBcRWwQ
                              MD5:4D36A2C48B308E5533EB375AA98FA435
                              SHA1:04AB1FDD08C5D6ACF9658995AA0A6E8299882EA9
                              SHA-256:683FCF977EF31AA5D9C7B5590E64CCBAB4B5FE15E668B84517D8C99D5046BED9
                              SHA-512:BCEAB32AF2705B2A5C349B40939602E91141D1B82F851B7DC8D0F72A20E6716B42E8EDDCEC0D74C4122F09E13A34693E81EC9D53D739B10F04220DC87005C814
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3584
                              Entropy (8bit):3.5285936555994337
                              Encrypted:false
                              SSDEEP:48:y8/BMWGLlG6+SWN6SV9SVi6SVRxMkqZWsu+uZCK5WwHgK:xHmSkS0ZWFRWwx
                              MD5:90D1EF9F79B48AE7923CE5F491F4F86F
                              SHA1:BBEB1A3A8AB39F1015EDF9C1CC79EAF9DDF79C01
                              SHA-256:8BF8F3F211E3678915B2350F969FFAEB325E4172EB2F0358A1A2EA656A633594
                              SHA-512:BFD900259A0A641EDC9618D713D4F353084F9D13A85C42CBF522B41C35F0AA9E8CEB0E6BB942EF09ED2214D8E9CB6A33653E26A24700520228843FB3A21C19B3
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3584
                              Entropy (8bit):3.532273261914155
                              Encrypted:false
                              SSDEEP:48:y55XWGLlG6+SWN6SV9SVi6SVRxMsfZWsu+ulOK5WwHgt:OsmSkS0iW5NWwC
                              MD5:82323199E25D7F95B3F153FB613495DD
                              SHA1:DA3EDBD5414E800380465AFCF9A2CCE8CF1FF98E
                              SHA-256:E9FE4B310164CF1F90F75E1732780104E2DFE316C26AAD0D571CDEECA9E26DA2
                              SHA-512:E747CBB16EB54151BE656DBA59CA3FA67593B99A95B8A9158F1D8CC9CA204766984F00BC6F9196822B131F85186909EA99D73F505C8960F5B8B456A966C5108C
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):5632
                              Entropy (8bit):3.5080867106323153
                              Encrypted:false
                              SSDEEP:96:iFCagk+ejVs17vI9rwYRWF/aiNpMWw6Wwb:iQaXJwPMWw6Wc
                              MD5:2BC9E78696421B4900C168C58F70F52C
                              SHA1:A7A1CF0D5031FCF59921961661612077A1F51FDE
                              SHA-256:3F8F80AF948F9B65A797081FBD3BD6D4C76D2D21CC0DE06703E03CCEE8E017A9
                              SHA-512:79D832DF74EC37ABA6F0FF65AFA6A7373CFA749678C7C51D609142334E56F0AD5D0B7A052999F27B5B3A343DB33A2361AB204834D33B4127C05FE6E4AEA5C2CD
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4608
                              Entropy (8bit):3.6363835162494773
                              Encrypted:false
                              SSDEEP:96:bFVr10HNZ/iRJqzgDN9xNyxpcCEPJEWbmWw8:bFZ1MNKnSdDWbmWr
                              MD5:686798FCAF2754D1690868B914D24A65
                              SHA1:08C9A8F43CA7FEC92FAC3D2F0135482D7D9193BA
                              SHA-256:F98A8D19D77C42C25B2E088A4499949ED8B0E16339EA69A6EE7A4FCDE1CBDE73
                              SHA-512:FAFD227F999FDFB043C9B6EDE4B00781BB05697A80ABD24FEE395F07F0D3AF04E7DF4E6C613733AF8D5294892D946AC98007F4E84A909B2FA5F66AEB7FEE61B0
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):3.624443657542714
                              Encrypted:false
                              SSDEEP:96:9JvvMKVwTaujKWLF+0XiWAmhza2Ty+NCwbWaqubWLk+jWwO:vUZTjj7Lw0yW1hG2O+MwiaTbWo+jWR
                              MD5:EC237B2127E4AA7FCC6045C1C9CD7DF8
                              SHA1:7F8FE3605EA76A49CFAD745390B96E27DAB87405
                              SHA-256:847B89BBC7429F372DCC5B89BA047F3CBAF38616CD235F6558EAA5BD5E5E933F
                              SHA-512:FFAB01AC0B0A9BE30C5F278ED1491200D65D3E7A2C68CF025E3C8B5517B4895619737447E4397C2BE2FF10B2DD01B3359DF911C317A1493976A6E7815EDBE21C
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):30720
                              Entropy (8bit):4.897690726234987
                              Encrypted:false
                              SSDEEP:384:InIa6FGu2ZWRTWMqPIloBPsg5dJdIMXSIWJaJdke:InmPoPIlMUg5dJd9ke
                              MD5:AC074FE0C4548ACE76069D3468F94D50
                              SHA1:3BE8998D56D9B44568C65587389E461921B2A9AD
                              SHA-256:9836A6D206DC115F28D366896F375731E20D217AFC5D7CED0740995728D32CCB
                              SHA-512:B31F05044501B9F888690AB5C3EE94B3759E0B30625F7CAFB64C543DC752A7C016D10F0215D82F9A769DC0B71C1A7979409F939FF46CA745DA3D74F54D08896E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):30720
                              Entropy (8bit):3.4470812708932814
                              Encrypted:false
                              SSDEEP:384:ikCUk9HcYa8xEm0WR1WPftYDyD+DyDuCoDyDdCSHIuBxrku4cjX8CW9rW7:PwuXrk+js5w
                              MD5:D5056BA616E5904D29B334E7E20B945F
                              SHA1:E492B78DFBA854E15BED047E04643A1520A27804
                              SHA-256:DA180BB726716F373C7FA9C77E6E689625FBAC22B011A1B3EED4E761A6B9CB52
                              SHA-512:9699F88C8C73A266D307F36D1429C476B5C2BC0AB9F75E4A615F1D76F2BCDF7761273DC39B82A74D70D4FA07EB3E888A7FD883AEF6B5CDDD18A17436C90BA5FE
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                              Category:dropped
                              Size (bytes):727249
                              Entropy (8bit):5.280530815430888
                              Encrypted:false
                              SSDEEP:6144:HMgRS450MZ1cMa0C6byUnw1ZD63iT/r7Dd0ypdUSKi8Sl:HMgs4CMZ1cMa0C6B2DY0T7Ddd/USKi86
                              MD5:05B931430FD173BD22900DBAA8BBFF10
                              SHA1:AF5176EE28DBA4777E4BA3BD9351E5ACB402B9F3
                              SHA-256:3CE703C36DFC6282C22991519309B921AE8F5B2653561FF3F9C1617DC2D6674E
                              SHA-512:E3FBECB7637BDCBF6045140DFD3359529D223E42FF8B03C1883B8011D9DDE307F36E7CF1A4B56BAA76E052314BAF89A03E1F6036E9A443160DB394DDD45FE55E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):30208
                              Entropy (8bit):3.5538505009750234
                              Encrypted:false
                              SSDEEP:384:9HlQ0Om/fAja23qdkiekSX2+V4fAcsHv8qqt4Lap4SoT+jlBmErV7m91U0jW15WJ:9+623qdkiek0L4fAcKmfXtrmWU
                              MD5:305730487A5AE7A4A7AAD8A8CBC92547
                              SHA1:109D4A17DFB3FFB87B6E8C295CFEF041CF7F13E3
                              SHA-256:48C128FABDBF81DF7AEE2D847FC790C6666A30858B4252A74A17AB5EBE13467A
                              SHA-512:8156FA90E812FF24A758264C8DCA48D03D80EB03FC3AC6077B114134F5955076A0C273002745463DFACA79F028431E0ED2FED1CCAAA2DF7745C02D253B59A345
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4608
                              Entropy (8bit):3.3720530178019543
                              Encrypted:false
                              SSDEEP:96:+k/dD3RnWSIpzSadr0r4diG8y/kWSXn7hWw6:XdLy4ezcWSXlWl
                              MD5:E584F92AD25E6D6944C1DF9395D5265A
                              SHA1:F0433C65D341626D1579FD51B7350CBB4E276AA7
                              SHA-256:4289F6B9CF98235DCEE392BA7376EDE0377EFC3A228EF9CAC08C146729ED1324
                              SHA-512:062911184D35C4D12F79DB6323D0579337035FCF292C032761F4F0E9C141CE2EED38FCA3E85E2D4D90843172593C77DA4D8EDDA780C32EEAEA8BF557CA93AB6D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7680
                              Entropy (8bit):3.6521646674256134
                              Encrypted:false
                              SSDEEP:96:FzaiiiWwdwCg/PCpQcBK8Cq9ovnFWDOWwc:dpaFWDOWL
                              MD5:98441579CB7495F3547DDD5BF8A06AE9
                              SHA1:D72C47D3919D7233F4D86C3D49F6C83CB54E3B46
                              SHA-256:84F7CA5A5A926F2946D5CCFBF55CF4161C9844195EECD6FDB03B8D4000F3EF1C
                              SHA-512:1ECE817E86DCFC41475B7B014FBD435DAA28678456DF9112290C329183AE2858D2E14D5D82993A6FFE442CC386CCEA1C54B79D5700B9FAAA5282750E95D16EFB
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2560
                              Entropy (8bit):3.3186508186194574
                              Encrypted:false
                              SSDEEP:24:eH1GSAE6df7nCAufRDZJZW0LCYNuUFjc35WWdPPYPNyL:y9z1nZW4Cmu0jy5WwHg6
                              MD5:F626D00538BB9844A897F10A0C04B38F
                              SHA1:888810BB6C7BECB61A66F310C1D7D18B61BC49BE
                              SHA-256:CC1856B62E8665D59CFD23C9ADFCBC066244F10CD50738447E557F2759912343
                              SHA-512:72E460BD5CE8A423675B791D0F48EE7ADB53467BB5E20B3598FD9C05FE59D02BA0BC6E6ECBF7A7015450B8CCD4A6BE266EC2614F00E034799BFA42F8EBE372DA
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):276
                              Entropy (8bit):5.038776947877281
                              Encrypted:false
                              SSDEEP:6:zJX2qYRoteJX2qYRVNbYeDPOCdiwrDS2O3c3Q7C14rPJsY65IF:zQqYRIeQqYRVVDDPOByDSv3+kJyWF
                              MD5:06C4E325A7C5109B90FF772D411398AC
                              SHA1:C6FC3C7C0173C982FF2B8CD22F6D55C450343988
                              SHA-256:A40076C5EEDF308922719FD9B878B3633E474479EF8A326863CFA9B5FDE80D75
                              SHA-512:356F93A49F2226EF4A148C2EB978BDC2BB14D3CA4A6EE02BDBFAC08C310AAC60DBBC4FDF71C87F32008EBB345691175A5332C535C4DAE2B50DD05403370F8454
                              Malicious:false
                              Preview:Microsoft Privacy Statement ..The Microsoft Privacy Statement can be viewed here: https://go.microsoft.com/fwlink/?LinkId=521839....You can review linked terms by pasting the forward link into your browser window once the software is running.....EULAID:RS3_RP_1_PR-ERR_en-GB..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2560
                              Entropy (8bit):3.2683401756304016
                              Encrypted:false
                              SSDEEP:24:eH1GSAxG0JtCM5HXyWtMRZW0ibbNuB33qc35WWdPPYPNyC:yFPUyaiZWxtuB3qy5WwHg7
                              MD5:23F66D5B7FA5BE1E692F70C4ED54270F
                              SHA1:98D1CF2F0CEBFCA5CE7152C8D4449C8E87880DD8
                              SHA-256:42EB5C84744EEA26E0C3506E8DA6623031A03FA2462C1ED79DA34514A92DADC7
                              SHA-512:23F5F95CB060E90F5B56B476D1CD03619CE0532217F906588638C0C978106B627B95D815DEFC3A65B043278E2957EABB34E0807EA16A05F030632873501393EC
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):18432
                              Entropy (8bit):3.6156516918026087
                              Encrypted:false
                              SSDEEP:384:KEPs6ATPNW8mc8jRd9kPQ/ih6uXJeEoWblWw:KEPs6MFW8l8jr9L/ihcENN
                              MD5:2BEA63204611E34E077F771649C51253
                              SHA1:5A48ABD4150007440A5CDA6DCC97997395CAFA42
                              SHA-256:E75BD2548549B62B0A59124C2BD84A0A4CEDC5346A05015590EA9A0C7B2EDD4D
                              SHA-512:3979F9CBE8966E9725C4F557FDC2EBD617C7E56DC3DC83CD98D68CBD2CAD85D65B43689CF838339F806B46F6CEF399150E1242F22D47A47E7C14F96F3D0CA01A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):25088
                              Entropy (8bit):3.6913410990308733
                              Encrypted:false
                              SSDEEP:768:DTN8VuXR/Qqnxm7/BsXxxc3/1cW9OnU4g4o4FF:D9uoUYF
                              MD5:05044184F4422348C9C4C46AE229EEE3
                              SHA1:CBB91D9C023A349C79B40EE1668A104B83512148
                              SHA-256:669C352E43752C127268617EC4D7ACE0C18366443047DDDE05254614DE21A260
                              SHA-512:E10CF3ADD725C5D67452AD0029A81D1C9C7BEA1CD4B45D1ECA07AE075A1E4E80CC39F8816E3829374F159FA514B256908E856156F8A1F2B3A6071A1F91BB6C56
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):3.5602548504697356
                              Encrypted:false
                              SSDEEP:96:RXM6czix6RXToVSHvoXBD3LXnvoJnoN6yvG8vIJWNrWwL:hMniIh0IHAXB7DnAJoN6yO8wJWNrWs
                              MD5:04D2C6D8B1D201ED70EEBDA508682B91
                              SHA1:FCCFDF5A6916A1EFB29C82F447F76BC8B9103C05
                              SHA-256:9643AEED08649E28ABD281407660053D264162055182B262CC09A18C6EF8A9A2
                              SHA-512:CFCB162FA40BE01A233C9D16BA85FBBB6075136C4B910D2B3066A24814150235132256B940FF3D6104A95504ACDD5D11CEEE76D38F31EB50EF721CD664F2006C
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):53248
                              Entropy (8bit):3.549142479519298
                              Encrypted:false
                              SSDEEP:768:B1mjRwpGV4RiEW5DmUx59CogujobrmjW7Ib4HLtT/:B1mjmCDlx59BeGWJ/
                              MD5:80B1510EC2506CBD23370F51BA0BFE75
                              SHA1:BE921381AD01C096879A6A7FA8B5A374C5A23C38
                              SHA-256:B1C3BF3B9ECC8758C8F844E24B7A1548617BC4B1EAB621013A7C06FE0F503ACF
                              SHA-512:225BA23A15A3953588105211FBFFF813A30F212FD1B5BC5661E9E6FF9AE8C6BA268905D933002E500F4A6F23C96820E6D8386C0771E8BA20FDD84A0337A35F7E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7680
                              Entropy (8bit):3.4359808780816627
                              Encrypted:false
                              SSDEEP:96:LzxdXgGDMp7cRYu1wRnCQID71LyIl++ApdjKbqJzCaQM4ECZFGLCICBC0MCva8RL:P7XgSEe8FInWSqmPW0shWf
                              MD5:99ECC6AF8C959C1C9CBEB75DC1A1D661
                              SHA1:F25C2DF5E33A4A1D3B327597822AE37BCC5EAF50
                              SHA-256:35C9E6E1E023A451CFC4E31F765036E7D2F21BFD04D58C182BE0027F8B00FB66
                              SHA-512:B6B26EE35F796E8A6A48F2044005135DFF96919E4F5DB83F1C075459F260BA16CD9801BB73217BEFCF49973B2C6289175E75254AC014E209C6931DB98C7197CF
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):64000
                              Entropy (8bit):3.7372108333569387
                              Encrypted:false
                              SSDEEP:768:btgyJn9MaUJOrT03uO9fE+T/C3M6oq3YTt2g1/f1Y32OWF0Z3BDg7tzwrNWd5g6y:eJETkuhc2KH1Y3HfkMGANUyGIe3AmWn
                              MD5:C61B6552A635358B4BB994E16AED7BC1
                              SHA1:48CFE9DBC1C57A089A323E9745DC89CEE39A38AF
                              SHA-256:6E5AAA38E8DAADBD91747527EA82ACD51EDBC0B89F4213EF696F39144FA64A81
                              SHA-512:63CD4A84F9EC4B11AAF79AE25BF43E8641E28E9C2A1CD0A554A706B980A82BE5E4DB941CCEAA6CC031B63CBF9D48BB9253E1417E184CF734309E142E6FE9DE25
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Rich Text Format data, version 1, ANSI, code page 1250, default language ID 1045
                              Category:dropped
                              Size (bytes):25823
                              Entropy (8bit):4.8128763458482755
                              Encrypted:false
                              SSDEEP:768:HsU7vniqyGMBJE9cF4JrNOtKlkARdNGvbr6zAkAYctPgmw:HfPiqXMbErLRdNw6lctK
                              MD5:E47C99389AC9CFBD6004504067E06C13
                              SHA1:18A3F803D4DC71CB16772496A525066D2E5515FF
                              SHA-256:60DF7D1C6579AC1F1B3F01FA416220AE4DE3FFF73130A70DD0F79FABEC9E101A
                              SHA-512:F4DF6B55159080608F8E464679B7F4869367E409059676E03F2F9C9EBBEBD63B7D48A11FAC56DED42C1D597D31200D5643D972C64A8CFE08835C27ED681A46E4
                              Malicious:false
                              Preview:{\rtf1\ansi\ansicpg1250\deff0\nouicompat\deflang1045\deflangfe1045{\fonttbl{\f0\fswiss\fprq2\fcharset238 Segoe UI;}{\f1\fswiss\fprq2\fcharset238 Calibri;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;\red0\green0\blue0;}..{\*\generator Riched20 10.0.17763}{\*\mmathPr\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\nowidctlpar\qj\b\f0\fs22\lang2057 Intro\par....\pard\nowidctlpar\b0 When you set up Windows, we ask that you choose settings relating to your privacy. \b You can update your settings at any time by going to Start > Settings\b0 . \par....\pard\nowidctlpar\qj\par....\pard\widctlpar The information below explains what data we collect and how it is used, depending on the settings you choose. Please make sure that you review the full Microsoft Privacy Statement for more information on the personal data we collect and how it is used when you use Windows (type <a class="privacyLink" href="{{\field{\*\fldinst{HYPERLINK https://go.microsoft.com/fwlink/p/?linkid=850
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):5120
                              Entropy (8bit):3.5848656541675306
                              Encrypted:false
                              SSDEEP:48:yn77NohXNm0S9Xh1Ga980PEa9KtBXGkxXwoX+a8qCo9HZW9wu+dy5WwHgI:1hXNpS9X1lPKrXNXvX3p7WWQWwP
                              MD5:2F4461FC2B6448D4D60C9D7817F0365D
                              SHA1:F689F7E2EB4A6EA26A164E218439966DC1E70FE1
                              SHA-256:271CD9E2AE053B7E4A5BA0393EAC8418932896DF5A72378B72E6808E355FAEFB
                              SHA-512:4A5B86723187DF8F5CCFB131855D3A577554C484B7EAE2890E051E9ED6E5C2CA2C18AECC2A32A0FDC250F8F13698878C5EE1F6F6A2B220DFA9C6274BCC5102E3
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Rich Text Format data, version 1, ANSI, code page 936, default language ID 1033
                              Category:dropped
                              Size (bytes):830
                              Entropy (8bit):5.292028700134603
                              Encrypted:false
                              SSDEEP:24:kouLL6+hGd/DiLdo1V2jdQGDJ+eGrk6Tj+TdmDXSU+vhWQ2:vun6iGd/DiLdoz2jdQKJ+ee1n+BmDXSI
                              MD5:8BBD7976B2B86E1746494C98425E7830
                              SHA1:E7E8DE9D97C3ABDE1001F8035929F9360FA7F394
                              SHA-256:C4B5D1F16FB495DD60A0131A4EAEF1DE294870B4F061C0D3B48A7503BE3217F6
                              SHA-512:E1F761959FF0914CCD76252BA7BAE374B903546AF518AF88CB75CFA18CFD1DBC3E21F714018027EBC2F85AAF5B12067BB16B9FAAAB5F6A615C0D3A7134B89196
                              Malicious:false
                              Preview:{\rtf1\ansi\ansicpg936\deff0\nouicompat\deflang1033\deflangfe2052\deftab360{\fonttbl{\f0\fswiss\fprq2\fcharset0 Segoe UI;}}..{\colortbl ;\red0\green0\blue255;}..{\stylesheet{ Normal;}{\s1 heading 1;}}..{\*\generator Riched20 6.3.9600}{\*\mmathPr\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\keepn\nowidctlpar\s1\sa240\f0\fs22\lang2057 Microsoft Privacy Statement \par....\pard\nowidctlpar The Microsoft Privacy Statement can be viewed here: {{\field{\*\fldinst{HYPERLINK https://go.microsoft.com/fwlink/?LinkId=521839 }}{\fldrslt{https://go.microsoft.com/fwlink/?LinkId=521839\ul0\cf0}}}}\f0\fs22 \par....\pard\nowidctlpar\sa120 You can review linked terms by pasting the forward link into your browser window once the software is running.\par....\pard\nowidctlpar\sb120\sa120\fs20 EULAID:RS3_RP_1_PR-R_en-GB\par..\par..}...
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (483), with CRLF line terminators
                              Category:dropped
                              Size (bytes):1817
                              Entropy (8bit):4.807685062167235
                              Encrypted:false
                              SSDEEP:48:cgeD5x8gmclqzPa520pns19F9K0SppRPRDdamFV:LeD5pmnvI3R9FV
                              MD5:74A0325268266B2CDE0E3F5F1597F203
                              SHA1:088E690A896920238445D6605ACBE4F40498742F
                              SHA-256:11AB21A9F9176CBC644DBDC5020FA4791086234FB126A5F0885315EFD299BB35
                              SHA-512:D79952DFB16CF46EF6D91DC4031CDAD7F7D060E92E16E18CECA3CA5B69F017C895FD54655F05F6CEE08C027CC3981BDA16F798726C69A39C95FF923D763B72F0
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <displayName>Recovery</displayName>.. <description>Recovery</description>.. <resources>.. <stringTable>.. <string id="WinRE">Recovery</string>.. <string id="ConfigureWinRESetup">Allow restore of system to default state</string>.. <string id="ConfigureWinRESetup_help"> Requirements: Windows 7.. Description: This policy setting controls whether users can access the options in Recovery (in Control Panel) to restore the computer to the original state or from a user-created system image..... If you enable or do not configure this policy setting, the items "Use a system image you created earlier to recover your computer" and "Reinstall Windows" (
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):10752
                              Entropy (8bit):3.572837668338511
                              Encrypted:false
                              SSDEEP:192:66BqBhctDP0NUb5CaaAmX0sLGkeL0Vm4dTVwSXWDTAW+:JOhctDP0NUb5CaanX0sLGkeLkm4dyiW0
                              MD5:17B643039D72E419379C7DCC945D4FFE
                              SHA1:CAEA5432B2C3A39A6642F32B3E896D8F97E66793
                              SHA-256:C5F42E2794619813CD9F69D4E256E51998B2B465BC4DEEA91CE8480DA0A4BC2B
                              SHA-512:12BAD87820A77DECDCB4E088807A2C5752D60A8045415CBE333A183B23A7C7D84CD0F11BB56775C0061E430E8BAC04A541AC1F4267FAFF23436815F59DF3CEB1
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4608
                              Entropy (8bit):3.439433669202765
                              Encrypted:false
                              SSDEEP:48:yIGlhXIQQ/j32iogXXdXDMD+XXziogXX9YXXeLQsbS4WR8RqPZWWpDcuuReuEy52:fGflY5M6fYtAqbSAMWNZeu7WwC
                              MD5:5D02BA8F389BADBFF8C08C15DE3C3757
                              SHA1:2902108FBF944213EFB93A395D295C9ECC045E5E
                              SHA-256:36AA10413A03D8FFAB040DE97DFF655E10B75C252830A07ED1A95A9E203AF1F8
                              SHA-512:DFCA27485693D9B06F2A98F5812503F49DE382C63607A612ADFA49B2B4158140A564342397F5E69B7A9E2199910E81E84867214266C50DCBFD6AD94FC67549C1
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):18432
                              Entropy (8bit):3.535412061118279
                              Encrypted:false
                              SSDEEP:192:AcWL3k/Z1oUOuojifT61g1FuRFt6tReB2C1QoXNzIRWiFWD:q4oU4GfTigzuRXwS2Ceo5IRWiFWD
                              MD5:2895FD722F60380CF9CBB1915BBD5EE5
                              SHA1:21CB2DC4CF70A4EF9EA9E5932EF252E0081E4AB5
                              SHA-256:658C2BFFD8340DBDEDE7E92E16A282C6480C28B1972752DE0B4A4ACBBAE19069
                              SHA-512:D2B810CE6EDA98E718ED9FF102A7B7633D3279406E4F3CE4F2E6ECC46FCB5E14FC0EA31F63595CD2FED5E1FAA00F42EB70855DB0A6725F77DD6FD43C50810497
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Rich Text Format data, version 1, ANSI, code page 1250, default middle east language ID 1025
                              Category:dropped
                              Size (bytes):54997
                              Entropy (8bit):5.08602854452799
                              Encrypted:false
                              SSDEEP:768:jtswjRRI8jYiiuejCk4O6CGCk4O6CAKE8WC2kkUshAZq7/:jt7RD/4/
                              MD5:CE0FA37537D191F11EBD684CFCCB1A6A
                              SHA1:94A376AC99728E3017D2C1DA34D25CE7317219D0
                              SHA-256:113D49D3CC4DF9B510F1AA2F47DB87213CF52B5A6E5F0D4BB1ED6A7588810FE9
                              SHA-512:988C097587E6B0286AD7A56B419435130DD727C3A3132C1077B171BD6CB4586DE88F7A65DD1F3C8C1F8B84FCBB175ECB7C223A1A6F3D2505B495C3FC7FB2C1F5
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Rich Text Format data, version 1, ANSI, code page 1250, default middle east language ID 1025
                              Category:dropped
                              Size (bytes):59876
                              Entropy (8bit):5.056027788929849
                              Encrypted:false
                              SSDEEP:768:W+y5N2LpG5dGMAUMBOyE6+frxcQuRP8DioNXIHyBHYKHy5HQ2N38f9Z7phAZqFl:WFN51dyOl
                              MD5:43ABE1A9634D078661CDA6E814C39E5A
                              SHA1:D8AF7E5AC6768B2E48047B81A69049AB5D810E32
                              SHA-256:D298D8859610D21EF3CB062FA9EC8D5458458D9DFC47ACFCD23F6D9A8CC6EB27
                              SHA-512:076291781EED66CEDD2559182947C0585C7CF67E256E3BD6396BE9EA01001F08A015080A5F4BE6309906A69F86B7EA2A5F62CD8419391AA55CFB267DC512DB0B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3072
                              Entropy (8bit):3.4971366247158837
                              Encrypted:false
                              SSDEEP:24:eH1GSAtEH7C3dHhs308iMj6uz7uJo1FZW0AgENufZEl47EvU35WWdPPYPNy/:yk3dhkFiMj6y7bHZWDRuB77KK5WwHgG
                              MD5:C7AA8E530BDF0091D24D0B60EC49AEDD
                              SHA1:20E3603C86BF11EB24C790BBAD8A39B0563E007D
                              SHA-256:886CE9B4C77F03BC9C61874A0E9384D26CC2FEDD289F5FA58FB867A66864EB9C
                              SHA-512:CF463F90B2642C87A83EBA9D8659FDA736DB5F773F8CCC6E30DC21038CB95728C5584F6236714C9EC678BB870A75365DF9BBB0F4387D2A6068F884A213ACFDF4
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):15360
                              Entropy (8bit):3.455887508681218
                              Encrypted:false
                              SSDEEP:384:gR0Q/S/z/U/b/Y8T/D/PfVz/I/Y22N2CRkSUOzxe1bu6/mnF5YznoMfTgHYs3T67:IzJer
                              MD5:55927717F9124B24AA8B1C3946090EB9
                              SHA1:BCE6AB4062E01E4521755E3CFC6E36E5980A7C88
                              SHA-256:7925D8C2F5E5A63D66084BBA2AC350C83AA306AA7C30FC37A4B4A6FDB96022D2
                              SHA-512:9F4B5A8FA1C86AB4B8F3654DFCF008CFC4A6CB4111731E63A3EE5632B1FAECBBFD2981F7CF3656426CEDCFF49DCA71952E4A6B0F021E02FFA5220A3858D69F62
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3584
                              Entropy (8bit):3.6367937674239643
                              Encrypted:false
                              SSDEEP:48:yKqtIo7uTQszKAwAyVBB1HZWSM2u3GK5WwHg9:VmAwAytWSKFWwy
                              MD5:E3FF62D8EF878DAE26FBD895CF8B8B02
                              SHA1:2FAFB94ABA3B6624FBFC73971A4FD4821A3260E5
                              SHA-256:F8054101BC1B8013289D7F18C11551716D004ABB4F0D0FAC1D5229B12460C7A3
                              SHA-512:1A36789711C3860E690CD850E47236F6028C37E98789A23BA0EE3979B63B9C8C115B64B8AE9767AA1AF8E3355EB67A5FA4395A2DF53832C3870AF440DBBE7FB2
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):13328
                              Entropy (8bit):6.531844823891437
                              Encrypted:false
                              SSDEEP:192:OZkgWf3StWx8SWfvD1S8f4DBQABJJfRVJbW2D8KN3qnajV2MVor:OZkT/cWx8SW3D1IDBRJJfHJqt2lxnor
                              MD5:7AC372DE6E2574C0FF0C01AC7504EFB8
                              SHA1:2B22F7B47A7CA4474E7A87CBB573E1229FB3DC8F
                              SHA-256:74EF5909347988DEBA9EB535B9F2F03E0CFDB38510988ACF2FEA00D6BDA33981
                              SHA-512:340B4C6763574B91F735322FAEB2E28FB9AF760D8AB7E1785CDEB5485D58E7DFB2B008B1D5FA911241DA6861077CFD9DC988D416DF85019F0802FC637E6A9F7C
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):26112
                              Entropy (8bit):3.2033921973083954
                              Encrypted:false
                              SSDEEP:192:xkxisVMO80Q2uMD87anNiM5miI3651ZMOs9GLeE9dsUKW1aWT:6+MrIqOOPtsRW1aWT
                              MD5:658774E601E48AC8BBC849CA56AB4520
                              SHA1:4F660ECE9EC60E016277D3AAEED0A1DD3F6DF34C
                              SHA-256:5EE8F92F82DA5096C39B93BF4BB24146D89986F5A6C70E2EB4C1B07B160DF900
                              SHA-512:E7247312585CA365867535A55F9420756DF7CD308BF3F921BA6EBF8867EBB85D3D8894869511D0147EF0C16D5552DA5850CBE8320F0F2D44C953671AD56947A2
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):12288
                              Entropy (8bit):3.5535482113840655
                              Encrypted:false
                              SSDEEP:96:yToNznyDRnhZmAO6CIN67bpAzZlCTXXGagEkR991kd1N8/A3qc3UsMBdIRr7NcuQ:yYyVFNmbuWmaD1Bd1Mc1lVE+7GWT/W9
                              MD5:05F9841954C4B6EA14A8BF120D656FDB
                              SHA1:9843F3ECC5D41839FE881FD6561F2B64BC30230F
                              SHA-256:766EF9433A0DDA5AB2E187B4842BA29F3D6A8581AA3CC393B5A19257A24DFA4E
                              SHA-512:0353DDADD395CAD907CAC3CC627059FFA255301C27C8C32B7B4BE162ACEC9EDC0214A63E767614001C7A5ADE922B8431DCB71425527041B804D44BCC97C39DB9
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):8192
                              Entropy (8bit):3.577631297229755
                              Encrypted:false
                              SSDEEP:96:0Pm4IhV2VG1Lh52HcDzy+6NL0BZnSCIfsQ6sqtsc8sJWnZhH5ozp3FucWNW1Ww3Q:0PmdhVUGZhjHLq0L6ukDGzycWNW1WgtG
                              MD5:D3AF6463C5E05139C10B7C1EC8B911DE
                              SHA1:69A2A4B23D38E761BCEDFD208E5AA39DA0B745EA
                              SHA-256:904FFBAF281BEFD146928D8BE6E19104AFE49523DBCE46C109A5A08EB9B19E6D
                              SHA-512:0D5E8FFCBE927711527DE64EBB37219FE4F0B4A813945E7CF86D88B248141938DC5F3A6A78541114C7766AB4E28C6305C10D926C2483E5803B9A03C91209BFC7
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4608
                              Entropy (8bit):3.5058652471894933
                              Encrypted:false
                              SSDEEP:48:y80eXg6PpNuyzIcuSXpYtO22lAM9xwn7fZWxFNuNeK5WwHgM:i0pNuyzIdS5YnCj9xwn9Wju9WwP
                              MD5:782FFEFD8F3715DF82A2F3C76F5AD0D2
                              SHA1:650BA4F806F2373AC65E744DA9C4D03BE52A783B
                              SHA-256:CCAACCCE8ED2D668B74D47BFD4E9481BE7866E871759D2201ED9A6BCB76E0520
                              SHA-512:F95BC2EF88FE8AF565481D05166DBAEE1A289E327EBC933401A609EFF77583378605435FFE70EC83D07F5896AB6DBAF9A9144EE1CDA7377A4705079C4CB7AB7D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3072
                              Entropy (8bit):3.3950896189695254
                              Encrypted:false
                              SSDEEP:48:yHBOgE7E5uIiYVIixIi55o+IZ2p3VnZWUTBupsC8y5WwHg+:cz4E5z5oB2p3zW2usCzWw9
                              MD5:71E8CD93831C9E4DE7F9C90C97676C8C
                              SHA1:EE7763774225303F76FDE8D9DA9A4171CF1EA4A6
                              SHA-256:5EBF62359568825915A4793CE79CFD09B1CF5A0FA4D4FB1627C580F83F33E50C
                              SHA-512:BA963A295298923432299C95FDE13D9ACF6B96E7B145E72B2F6DFBFD8C424A95E925ACE09B815BB4E356A97610B49452B0ED9931FA2770F0EDE6D1A7BE847BAE
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):3.4177805930651504
                              Encrypted:false
                              SSDEEP:96:DW2oKwO8hZOE5LzpJeaAUMNwnWu/ELv4+B/YRjI6ejWvtWw6:DW25XocEXJePUMGP/MB/YRjOjWvtW5
                              MD5:2805B9865C651139D42B5DC88D9F19D8
                              SHA1:CCA864B2F74171BD20C4DF543AA70246E829C64B
                              SHA-256:E807BB47804E0203FF4D8D5C7205234F51DA13AF22B0684D0BF70EC7D1D843E0
                              SHA-512:8D326E7828F88BFA399B76BBA7DCF7DBCB51D1A73F00D670EFBAA1933B9E044135AB7BD58FE2EBBF5F686FE4737FBC44ACA9D0F4280B8C072461226B42453609
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Rich Text Format data, version 1, ANSI, code page 936, default language ID 1033
                              Category:dropped
                              Size (bytes):828
                              Entropy (8bit):5.285033948884775
                              Encrypted:false
                              SSDEEP:24:kouLL6+hGd/DiLdo1V2jdQGDJ+eGrk6Tj+TdmDXSU+vhm2:vun6iGd/DiLdoz2jdQKJ+ee1n+BmDXS9
                              MD5:490159B71A5EF583291176690EA82B0B
                              SHA1:CDD3894CCD2F6A7696925912E1986B0457AF0B2F
                              SHA-256:0552B0C5C91FA2FC54ED20934F74B1B7DB8C54FF6E22634BEEB2706018610256
                              SHA-512:30C46057981E4DFAE26475DBABF3B427D1E9D52138AADE43A8003EA68491D1AF0DE6D1639E5889A679E8CB3EC9BD70550F2141610B0E4306156DC2BF62F2BB5D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):203776
                              Entropy (8bit):5.145441531102891
                              Encrypted:false
                              SSDEEP:1536:ZonyEc52azzOMdAV8yEyePaauLXLbfm2Xp0jcM2qKMtzgeO971d:ZAyv52azzOMSLnKuwUey
                              MD5:EAF5BB5A6478A4BFB602DA6537FDE4D6
                              SHA1:080D1EAD824F811A422D12CFEAFEEBFBEFE79E6E
                              SHA-256:0C434E0146871A51914F1DF32F331C3465AC662EC9EA42BC73DEA413EB16F02F
                              SHA-512:A345342C5B48BDE265D9923F48D3868FF29C38940447091F215E8FE0C34458D6978D30D71C653BE3581B504E17B14FBB6F2F8212F6F21DB46D84B2614F7524C0
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7680
                              Entropy (8bit):3.4379665808552047
                              Encrypted:false
                              SSDEEP:96:JYeUY2lYOcXtcgv/NOwn//KLzI7QEYh0igAbY74UrQ6Y9xWxwHWww:dU/lGbVl3h47WCHWr
                              MD5:6A6DCDB2DB346E3F20583E436595BAD7
                              SHA1:6A818203F7FD84182BB7CA78B1FE04A48E381279
                              SHA-256:8407994DD2B15F7889925384D21C0844E63C54584508A1343071B6DDBAD13BC3
                              SHA-512:E9A1055D12EC261430326C5CAEC984BAD2951B09D6200ADCF3A93D1D72EEE9A1A35A4DB53BF6473B7AAD5A846D11E22FF2E10440C37691C3070C82C640F8066A
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):3.609307809106606
                              Encrypted:false
                              SSDEEP:96:047wb8vpRzps4/tGlFqdbCXYRgcnKnkHogz3pwWK97Y2Ww/:048b83y4/tGXEbCKRqkHos3pwWoZW4
                              MD5:95E1525AF3D5C70E9F38A6D21B687458
                              SHA1:02036EEA96E70E1E0BD1DCE0A5687BDB70E2649D
                              SHA-256:2BF6110B0E9C1E2ECB82A55E921344B303BF5C4927A79AC42FF727D90F467434
                              SHA-512:55585CC1D754B4D6B302BF993209829C354A3DC361F48C1ED014F4AEB27D876C1C870BA24EA06327A2CC35A2A4C9AE644B34678CFC82992ED432C506A6041967
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):27648
                              Entropy (8bit):3.526664455429331
                              Encrypted:false
                              SSDEEP:384:MwEQsHE3IuApdiWQB46zDteyERtet3kLA5XJoH0sJnWWsMW1:9EQsk4uADiWQTzDEyEret3kL/q/
                              MD5:E1B6D9403DEBDFA12C37400E65903EC3
                              SHA1:58F1354E110DEDAA67D54C191AA1EBCFB31C1203
                              SHA-256:7631C86228DC9F630267BD27EAE3B26A56737B0DC754CC113BAC07BDFD5DCF10
                              SHA-512:5E980BCD044C4B550FF4DCA81B2D1FF2590B4C31B2D62406F80A430B27759042BD1D65968A064079950D644850D23B0ECC76C0BC45285C7D0AC11F3340ED1246
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):5632
                              Entropy (8bit):3.557427047211566
                              Encrypted:false
                              SSDEEP:96:rYGcm4aThCEiHY7N1kJXZLfP77umGJMGJNjjpnmef4WekWWwp:rN+8hCEiY7NgZ7/umVG9nmef4WpWWm
                              MD5:8F88DA36DAE9DA6ABB5A6DAA30FB845A
                              SHA1:19F58E1DE0CD83B8D58111C59425D3C4187C3743
                              SHA-256:B9B84AE6B663B303179B9124CE3D8EE99903884987EC64087C5487BEA5935657
                              SHA-512:57F4FBC8FBBBEF225F58F2DF6AC6CDA16FE25B577F18A30BD1D6C5AA2B69AD8151DCF637D6E2E69D45A4005410622F16E65E9F1A46181DB85DED2B9EB1DA3037
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):53248
                              Entropy (8bit):3.391761987024728
                              Encrypted:false
                              SSDEEP:768:tsDKSWMW7KvBjM42Hib89Z108OCBVzvwM7teobPGnwrte+qdDdRTXkRacX/smDKv:/PBzanTRSlP3rjI
                              MD5:7995CE0F3A98E6500B47B4330EF3CD62
                              SHA1:406EE8124017AA49A25B40E9146EA0C71A2DE55D
                              SHA-256:74D5FC63260F0257430248E9440646870D48AADD1C5386D16F748EAB2B90499F
                              SHA-512:8326A2B7A19DCEB7C348EB5EC95B776C2FDADD9EDBED384095032C9DD8826D40DEAB4095434117FAA0C23AD53A637FCD93544C474F2B7004D70F8CF0BF5FEE5B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):13256
                              Entropy (8bit):6.395615561040665
                              Encrypted:false
                              SSDEEP:192:XsICWIgWYqVsAZ9uQfKaWSawTyihVWQ4eW1RQl3pPqs7IwdY+kqnajHaqxgmvW:eWIgWYwlKRHwGybzIwS+klTxi
                              MD5:1236C4BEDDBF00128FD55E66AE143432
                              SHA1:4DC5D9E25ADBA447F4D8513D8982714CA67CE8FD
                              SHA-256:471BC02617C13FDB32054D07D85C0E5179D4ADA6CFCA02B36F844A814BB9F5B9
                              SHA-512:97F6664192AB167CFD82AC3209A7E09B7067673033A870B4489E55CDDBD7BD2CD99911409AB39DA9A24E0058E96CC66C4A3E57E395820AC2B79C2F63472F14FD
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14488
                              Entropy (8bit):6.237435508499148
                              Encrypted:false
                              SSDEEP:384:yWiSWnVV/so/Nd8gGwGyg7u+a6JlvCz8rghk:ep469qrgh
                              MD5:91E22F17906D094AB8F67EFDCC13CED2
                              SHA1:F13127E4B6164D17776D010C314D86148B769686
                              SHA-256:CEB248D5C0467055689BE107AE9C70CA1DB39D5F668616D63516D4B866ABB21F
                              SHA-512:DF1FA5995709EEE9715422B9838B1CF9FA25203AC281B45EF234E62F5EB934881B472CC8A22B6BF8828CE0AF1F4ED3E133935F79E00AC8B4C8D185C57111C84A
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14480
                              Entropy (8bit):6.299830734364341
                              Encrypted:false
                              SSDEEP:192:U0W2fWaNKnSdsL0pbkyYWSawTyihVWQ4SWh1usUDR0qnajVXj9bgb:U0W2fWa0SuQZwGyY1uQlxzBgb
                              MD5:B8BC37A9B131DB2A246F80BB5E8DAC11
                              SHA1:FC0444D9DECD11AEFB8B1C78333773BA757F6090
                              SHA-256:900DDC7E979F59C9F3A210112CC3ED1B91E2C40EAE544620A833A4280E33AEC7
                              SHA-512:6DBEDC56480C5AE6CB2D688A1D081DEA019ABA99E00F611E3849195D6B1F53F60C1DE6853862C1C56A0C33373DDE2A1AA1BBE139096A0092AD64C25C43C0776B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3584
                              Entropy (8bit):3.6958624173591867
                              Encrypted:false
                              SSDEEP:48:yl7ncjQgJ6u7l7luZjlofZWyXgun3Yy5WwHgc:Gr4QgJT7pXW8/Ww/
                              MD5:C4E168BAA1666243EA3B3D16C4042AE5
                              SHA1:5920A3CC13ADE94FC273A41084FBFFAEF240FAA0
                              SHA-256:7BE21526023BE44794B5CAFA184F92AC72265CAA7BB356586BBF8622B9042743
                              SHA-512:368E8D5439819416832C3E8CF38A4EEF49647E834553D48297DB50FA068BB534114D4B6D1D5FA0E08F28967A9F98FF7B66622A8829611C8EDD62ADF52D404241
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6868
                              Entropy (8bit):4.88243271415529
                              Encrypted:false
                              SSDEEP:192:IFoOIXXztb+ih7zIRU605MNd611/mqv0c9K40/zI1A4HSjG2UcNG2hATuluzS5M:IfiXzk8nodXqe3G2Ul2WCluzS5M
                              MD5:46E876C55F0B4A5EAC1DD6F36B10156D
                              SHA1:D9B0877FD91F6BD28987915B417E90FD4DF8F323
                              SHA-256:1AB7AE96D9588E7ED6C3A44AFA67F02A01CA3360967C4333F23F73DBAD273860
                              SHA-512:577B969D5B1B36E0A00686B1627CBD2628CCAEF0BF15AEF4605A7CF1202BA299D8F15071570502E14AA119828B06BC1A2539C580D2B98E496F8C6E8A138DF3B6
                              Malicious:false
                              Preview:Option Explicit....' Globals..'..Dim ObjShell, ObjFS....Dim manual,targetDir....Set ObjShell = CreateObject ("WScript.Shell")..Set ObjFS = CreateObject ("Scripting.FileSystemObject")....' Regular Expressions..'..Dim RegExFolderPart, RegExExtensionPart, RegExIsManifest....Set RegExFolderPart = New RegExp..RegExFolderPart.Pattern = "^.*\\"..RegExFolderPart.Global = True..RegExFolderPart.IgnoreCase = True..RegExFolderPart.MultiLine = False....Set RegExExtensionPart = New RegExp..RegExExtensionPart.Pattern = "\.[^.\\]+$"..RegExExtensionPart.Global = True..RegExExtensionPart.IgnoreCase = True..RegExExtensionPart.MultiLine = False....Set RegExIsManifest = New RegExp..RegExIsManifest.Pattern = ".+\.man$"..RegExIsManifest.Global = True..RegExIsManifest.IgnoreCase = True..RegExIsManifest.MultiLine = False....' There is no convenient way to check whether WScript is defined...' This code captures the possible undefined error to perform the check...' ..On Error Resume Next..manual =
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14792
                              Entropy (8bit):6.1784981889303054
                              Encrypted:false
                              SSDEEP:192:MI7WTQCWNNa+UuqjIzCp7GWSawTyihVWQ4eWRIuj5uE7MqnajcT16Rd:n7WTQCWNNar0CPwGyD8uOMlAJe
                              MD5:77AD1932F8FA154A4EFC1EBB03598F7C
                              SHA1:4D681852FCBABF38E1F2C6F6288ABF1055067241
                              SHA-256:E47C9BE63F653940E1C451D0BD3CE77A0FB176DC9303CFC00834349F9F47FB06
                              SHA-512:7245BFAA46F88F01F85C6E0167D8B02F1B318B0592B629BAA289576AF62062523A14A2469B7D45FD5CDC79E84732F7AAD1CF667651FBE82EEB234994D4E05647
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):18888
                              Entropy (8bit):5.73791976191991
                              Encrypted:false
                              SSDEEP:384:nWK7PPWAPgrpp1icTnA6lLSW4iwGyH/4JeRlF:XL6luS0Q
                              MD5:4CC1BB5BF80B9BED347EDC8DBF87CF18
                              SHA1:A2C3012A2428667554CDBB29547BE5680175B4E8
                              SHA-256:1FE97031AA09535690D93607F5D5C3295ADCFB9CAA07F73D1BEDF8E853844313
                              SHA-512:16386DC3F4641F8109C2F57590E953A204D0E933B83B51A631D867062943F75827F4FA636577CA60AF2725C7F5CABD7D6B943998088D83344944629FA9B9BBAD
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):20792
                              Entropy (8bit):5.7067640943088
                              Encrypted:false
                              SSDEEP:384:jWgj4WNxP9LxCyMasQijiA/QxfkD1IDBRJty+lIo:pDxZlSI1PsU
                              MD5:99558027C48FF6D551D48221D2EB0D32
                              SHA1:6D199BEAB7D249103D80EE09DCD74389AA050B60
                              SHA-256:384829CDA5C9985E2E8538EA53C5D986CED4456937251DB4DC7C562541F1D8A6
                              SHA-512:0704F868974446936853FB54F123DC18499F5F2140D723CCBEED99546D33D5CDC85395ADC7C06274572E1E656BED85328FAED106FCCC7471CAFABD8F29E5697B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):13768
                              Entropy (8bit):6.381500215951071
                              Encrypted:false
                              SSDEEP:384:k7QWMrpW/l9vF1wOVsfXS6IxXHwGymuOMlA:k70uG8HZ
                              MD5:484C555804F6841BAB8BBEE4A7C56D34
                              SHA1:1BAD74A53BC088F45F95F9BD8D5F0F9E98FBBEBC
                              SHA-256:69876E6714BDEB0F04F9BCBE46FA2D7B9973C586E975B0E8133156B818F6C870
                              SHA-512:FFC8940C4E25719572F2859A7C920BAFE2AFB4F16A1D54D26418A888671C97B9ED4DF6546F3018DF2345041C4EFF695C188CA390466D1C036282E1C8E61C34FC
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):18376
                              Entropy (8bit):5.876333076190196
                              Encrypted:false
                              SSDEEP:192:l5W+XRhWm4m7xKI0E1TWiR41wkw2GoK+d9Bz5CS1WSawTyihVWQ4eWUl5uE7Mqnu:l5WuRhWm1LP2Z5c1wGy3uOMlASR
                              MD5:244993BEFDF278CA1706F622A1605838
                              SHA1:270FC70D8CD367C23FD79D730D2EABD206427BA8
                              SHA-256:8901E2046B5B30E3AA13408DDC852E2E629FEA26FC7CCB673924DDA246297EC9
                              SHA-512:0D571C1595699A8874AAFF4E4B73057EDCB76607AD633FA29823D43FBAA404EE872671AA3F4894E7ED59E117A6801E7C81479268D51FB0DDB4E9CFE162042680
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14280
                              Entropy (8bit):6.303975618684298
                              Encrypted:false
                              SSDEEP:192:qbWOkWON1Ae84gUGNHSXTFZ0WSawTyihVWQ4eWUEZr5uE7MqnajcRLO4:mWOkWOXAe84p+SrtwGyVEZduOMlARC
                              MD5:6630F7D420B39AD09D837282A40767E3
                              SHA1:295FE35C24E47CCF94E80A42EDDC5E439D857BF5
                              SHA-256:49959B4FDE4BE2B33055C366E3C7A4275F92137DE8D24C1780D309C31F271E46
                              SHA-512:E9515E0BF168AA2A803508FD6DC9529CFD97D28A177B3752FBFDB6E10AC6FE5CB8494D50DA1A3CD91542A30FC6520A76B8AE00B3C2A3C4A97486A3673AFE4D55
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):66704
                              Entropy (8bit):4.264591614898761
                              Encrypted:false
                              SSDEEP:768:+hsDaSWMW7KvBjM42Hib89Z108OCJVwvwM7pEoYPWnwbE+qdDdRTbk1acX/smDKP:+JPhDanTqLlqjH/oxuV
                              MD5:9A5E6181568170920F2D2ACB594CA755
                              SHA1:E7AF31A82E9F6260A42D89E7F039E74391806BE9
                              SHA-256:B64262644CF0E1C55C586EEE26D682AB26BBFFEA43216839F3614E83CE9A4760
                              SHA-512:014EAD3D3FEF401693EED9A94012E3E088CD45D9139C88B8B5C4D635C2C08E153EA8EE8C6E49167127BD1D2C93EA7BD8FC29CB61902180F88175D21CBB8E6934
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1023832
                              Entropy (8bit):6.3270626336041405
                              Encrypted:false
                              SSDEEP:24576:j9j6wYHfZMT7TQBVc9ndJSGearZ2faJ3RPu6YBxM3/:j9vYHETQBVInbJ92faJ3RPu6YBxMv
                              MD5:2F815C80C2F7CC1DBAFF021748E7F086
                              SHA1:F191F0FE512098E6BB123B2D69AFF22E75D19507
                              SHA-256:EB04AF812432FF7987736B7AED3399A9B7B00026696D7E9A3702A116139EB4EF
                              SHA-512:A77CD007C3536F68A0F441BFAF0B07BD06587D6E36D8DF3112AFBB207789861FA2629CCA165335F4567A7E8B51118E37F59AD41A015DF2079164CDC1790388B6
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):61448
                              Entropy (8bit):5.802449156900727
                              Encrypted:false
                              SSDEEP:1536:tPHL0+1PWLLrngN2OXUCPAuvGQZiFndWDGP/EuR:tPj1uPzgpXUsAuvGCiFndWDGRR
                              MD5:62AE6E683EA366F3E794E3E44272F13C
                              SHA1:7E5BD7E18F3B3129869632601B364CF2E887C423
                              SHA-256:D10613FA1574CD73CB5B90F409C1C7E2354DAA2A6C32A972D84DE9D017D942B2
                              SHA-512:AD50E23E9F332E2BD0232F2300EAF1005E1E5E610B7F242C7EC2AEE9CD89648189A1890DF9088705879B64DF8B9A07FA35CB5F8D9A87D2040E454A1151F1956C
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1503000
                              Entropy (8bit):6.883549861616886
                              Encrypted:false
                              SSDEEP:24576:9M2ZXfNRwzqj60dHjn12mipisYq99LsDjIy:TZPNRwz06/3t99LsPI
                              MD5:4B176B5E5CB31109B2910278621AF283
                              SHA1:8D140F36F785E007572CFC6D941D0289B8A1E7CF
                              SHA-256:877F8CA7ADD80147BD27B7911A709C6BC90D9C00B61B241891E087162FB54CC2
                              SHA-512:EED6CDDF12EFD09A264115DA3367BBF9356A108FB03662084DB71AD19AC1577D51D286A3B3BE8E58E4C0D5817D5AED91FCFAC3E64BA548EB01ABA914A16B24EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):828448
                              Entropy (8bit):6.065158647087148
                              Encrypted:false
                              SSDEEP:12288:71Wem3HfCnyMiDhHfpwayiAdJ6vjGuCbCOc0xCstib+t9uXxb2pihatD:71WSyjHRwbmqrbC3U+xbmZtD
                              MD5:505B48BB3E7FA37E9DA53DFB8D0628BD
                              SHA1:CB807DE57687364E53B484572ECBEFB3AB3BBD34
                              SHA-256:9FB09FB1451FDCEB660C7E299EDA0075CA17DCDD89E3EB1F37876E5D66CBEAB0
                              SHA-512:D630C567D8E67973762355C25BA9B220DE3C35FC4B05292B43DCD67DE39FA90671C280EF2F63D291D7611887E639517A9EEE9C4E3967BA3431A0AB7BB12EF61A
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):208696
                              Entropy (8bit):5.892194174699377
                              Encrypted:false
                              SSDEEP:3072:7T3CnmfQjz1wR62ON59TyzTYxk2c4Mn7cvbcPMrt:H3Cn0x6lNmh7cAPu
                              MD5:4387919A4014D25B1CA3C4B22B49C260
                              SHA1:B5B31526909D3759DEF4B6A9486D1EFEA9FC26D0
                              SHA-256:35A99B1D4F24F06EB41AA56C89B50B3B9E9508C7647ED7548EDE25F4C8EAF3CA
                              SHA-512:C6ABD3088270F6A2C3F7210D080E12D1C58C14E9D1BDF81FD940533BAD9CDFC005555C5EFEF1B7778D5671745FEA6876C815425E58177AC56A684353FA04EC40
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):751624
                              Entropy (8bit):4.941596949315087
                              Encrypted:false
                              SSDEEP:3072:5CgixLwQcUHW0tKouM4kD+nRzkSv9N+VYuhras4V:AgixLIUHW0tK7MmkSv9w/tas4
                              MD5:FBF37B8B1EE4640B1C470F2F07A80E4A
                              SHA1:B239C5499FA63D397C3DD35A7F605CE86D91B44B
                              SHA-256:E21DB717F31F9465420E6354BAA5AFAEAA3521DEB885ED46BC90530AEE9FFD20
                              SHA-512:F9439E2D7B63825FE812EE380F1EF8B277D50EED706B6ABE4B8563423891FF425A00083E88626084EE493376F1DA742ECD73B6B5F892E001C4F9048C7D3AC36C
                              Malicious:false
                              Preview:HwCompat V4....1394.inf:..PCI\CC_0C0010..PCI\VEN_10CF&CC_0C0010..PCI\VEN_11C1&CC_0C0010..PCI\VEN_100B&DEV_000F..PCI\VEN_100B&CC_0C0010..PCI\VEN_1033&DEV_0063..PCI\VEN_1033&CC_0C0010..PCI\VEN_1180&CC_0C0010..PCI\VEN_104D&DEV_8039..PCI\VEN_104D&DEV_8039&REV_03..PCI\VEN_104C&DEV_8009..PCI\VEN_104C&DEV_8019..PCI\VEN_104C&CC_0C0010..PCI\VEN_104C&DEV_8009&SUBSYS_8032104D..PCI\VEN_1106&DEV_3044..PCI\VEN_1106&CC_0C0010....3ware.inf:..PCI\VEN_13C1&DEV_1010&SUBSYS_000113C1....55fpgafirmware.inf:..UEFI\RES_{C907D5F6-BBE9-47EE-B76B-5E28C7F9FC63}....55niosfirmware.inf:..UEFI\RES_{06B75ADA-B0E1-46BA-BB3B-4D6E4A0F2CB1}....55smcappfirmware.inf:..UEFI\RES_{364D032C-0041-48A6-A26F-62388D97FC6C}....55smcbootfirmware.inf:..UEFI\RES_{DA50CBA0-8F33-4B66-8A3A-08F84015C33F}....55stguestfirmware.inf:..UEFI\RES_{4E11B2F5-AF26-49D5-A549-72AE52345E22}....55stoutfirmware.inf:..UEFI\RES_{7E2BEABF-4BE5-4C10-AF9C-4C1A69E06033}....55stpcfirmware.inf:..UEFI\RES_{296EFE23-EB18-42EE-8B12-51489B27232A}....55sttouchbackgue
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):257
                              Entropy (8bit):5.201569537867736
                              Encrypted:false
                              SSDEEP:6:WFR8lLK0Z8e4weUVy8e0YacOLH1/Z8eUV/NR4AjKGYKr7v:WwlLt8eNeUw8eXQV/Z8eU1fnFxv
                              MD5:8414D43FBFE972AA43AA0CC88A20243E
                              SHA1:C425C26C74ECE847753689E9A02436D4328AF440
                              SHA-256:42FE28AF422F2AE1E17BD36945FBABAF5DCE1D8E92A0C838B4F4778FC80AB1D1
                              SHA-512:88337FCBD3E4D75EE029672F450ADF7C536BD8BA2086D04565537B169A068F69B828DEC244483BB24980FA957D86082E4A5718C914B9C7A5D7636B8A9F2D60E4
                              Malicious:false
                              Preview:HwCompat V4....rawsilo.inf:..IEEE1667_CONTROL..IEEE1667SILO_100..IEEE1667_RAWSILO....netrndis.inf:..MS_RNDISUSB6..MS_RNDISUSB....ehstortcgdrv.inf:..IEEE1667SILO_104....rndiscmp.inf:..USB\MS_COMP_RNDIS&MS_SUBCOMP_5162001..USB\CLASS_EF&SUBCLASS_04&PROT_01....
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):51
                              Entropy (8bit):4.6100565288855355
                              Encrypted:false
                              SSDEEP:3:WFzOwGmRimxKFJK6H9yn:WFRG7n9y
                              MD5:B218D816D960F4A7CE9561ECACFB78BA
                              SHA1:86D7B321129DEDC4D88F20CBD3674B3BC8442573
                              SHA-256:01E77416CA972B067177E97747201503D6532FA3B1276DA4F4BC29957CD2DAD7
                              SHA-512:99B910EC8A92A90DE9B6FCB6B285C4E0959224696A4C9661467B8D2A2176A2605204D684F8F4E4767AF0489F96080CE97691B39FB591753A491D5F63905B33B3
                              Malicious:false
                              Preview:HwCompat V4....NOTE: This file is no longer used...
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):15
                              Entropy (8bit):3.640223928941851
                              Encrypted:false
                              SSDEEP:3:WFzOwv:WFRv
                              MD5:5284D1C527346DC66B17AF65BC47AE2E
                              SHA1:D13C1EF53267CD52F53980C1E1F73EDC61FF0404
                              SHA-256:A31537E51920E90ED64DC1B5D1D5FF59CC9D6839D10CCF3E21A536BEF9AEF90B
                              SHA-512:C9CB6CD6D594A5B19D7FBCE9A2C97141010DBE97B61261EC0C9EAEFAC1894FDE90604D7B60F7EC46C9E3390DAFD571662A6F7F2C3B55002CFAE9B65140384FF2
                              Malicious:false
                              Preview:HwCompat V4....
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):187032
                              Entropy (8bit):6.24386236384026
                              Encrypted:false
                              SSDEEP:3072:bvaxphQWF0+jnd9jVNHh+UXuE6qXblQe7OtpAGgSOL3EVD/cFh:bvgp+WRdHMizqTOL08
                              MD5:DA992375BE80FE5E030719AA1767FDE8
                              SHA1:B702E2585AF9CB41AADDB1189A1D590436674D38
                              SHA-256:EDEC4AE01C2FA87712A01FAB086EA9F77D624D631F6EF493B8BBC660331A25DF
                              SHA-512:C70BE6C62455480E53F3F3E5A7F4A064E2160E161A590095194137C8F61F9F9BD11B45B4F39E86B9048F5DB01176FF324712371BBADEE26A01BD1CFADD00D791
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):696336
                              Entropy (8bit):4.9961362005623755
                              Encrypted:false
                              SSDEEP:6144:TuYX5sSRTnBZ+MihWhq45YaZFt/+9a2YQbGtshZ7uXPl:TXznBZ+q5YSR3o4h
                              MD5:CD41D787E6975EFC9A3FA3EC54F35484
                              SHA1:6B24C87BBB93C64531043A72C8A0B1746905D6E2
                              SHA-256:0F1A8BF756585D7FACF6EBA01069D49954482509C293131B83445CFBBA6CB81C
                              SHA-512:53697EFCBF9101D11709658BBEC33C7692163F624995132D24F4A97C565FB40EC603A4665155D16BEC0652892899B3B7897C66A2B1711596D1C81BBC0164176B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):122
                              Entropy (8bit):4.9919229666870555
                              Encrypted:false
                              SSDEEP:3:/jVIB0ELxajDQo/Q8UyKLp9GcZng2DTXCAYjzd:rV80EwD9/x1KDRk
                              MD5:8C48743D4886322FE810D76F1B64BE67
                              SHA1:47F496A316A75ED0713DB9360220F6D41ADB9A6C
                              SHA-256:3CAEB0AB6D39B57CE425C48064EBF24B15642BAE0116208179F9D751C65BD15F
                              SHA-512:3BF911CACBFFFACB2640D68AE56B6D09302EAA53706E099000DA8C03107448994247CD990B93CD62514135B5012A785075003A4D5B47E6FA69C00EF17E3D034A
                              Malicious:false
                              Preview:[BUILDINFO]..BuildArch=amd64..BuildType=fre..BuildBranch=vb_release..OfficialBuild=TRUE..MainBuild=FALSE..Coverage=FALSE..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):23704
                              Entropy (8bit):6.273913153671545
                              Encrypted:false
                              SSDEEP:384:nBKIdGWVtNn9cPj2ddvx2dEIYKdvWSDWMwGyc7TplxbvE:YoGS95vxTMRM
                              MD5:66F51C81ACA01E2B3290DAFB76815FA0
                              SHA1:9A81EBB26BF3278F438F9CD288F6155F6B692A52
                              SHA-256:483D3B0E2FC0238CDAF0A95AC4D52E981AF67DDCCA3E1BB03208A6F513417178
                              SHA-512:E1080400BDD6CEA6572D52CC884184D13343619772870860E4F528AE182A75F79742CA1967AF2F8B979C5F451E6BC5C04C197180D28F97ED320E7A19F95369AC
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):222520
                              Entropy (8bit):5.768598477073119
                              Encrypted:false
                              SSDEEP:3072:Cyayo7EGTFrOwCE18HQp1T0auGzyvN50G6wHPELIghnoyFW8l889L/WHG:CyYdrf1UQp10ajzg522aiG
                              MD5:1B4F6042A3F50B0940C72DEFDF83C286
                              SHA1:FB14ED516A537F1FBF22A3B9D762CBE69FCFFA57
                              SHA-256:D3F11D0B22E9AB6A55EF0673DE5B724E8EF83FC593EE23A5F4B999AD694D3CE5
                              SHA-512:6D53C22B71807B4E74A2DE9862A5E2C7BF2CB7A1DE3D98A15757D7C4D634F565E3184199FCE84487A477130ED5431BA97605BCD3717EB35E6BDF684C32D31100
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Generic INItialization configuration [SetupFiles]
                              Category:dropped
                              Size (bytes):3286
                              Entropy (8bit):4.594203098559413
                              Encrypted:false
                              SSDEEP:96:MR6kDzk7STJqGpgWUN7iNg1M02jRIWUSZzUH:MR6kDzk+TJqGp67F1M02jRv0
                              MD5:8E996BCD118CEEAB44BF4F3E3A79AF56
                              SHA1:2580FF5C80D1FBE4F4A088D72D6826E9EC1C795E
                              SHA-256:0752F32A936D236EB3D58701782F51782F600E72C8B0F67227A7FBE8775A0498
                              SHA-512:CECA58279BD5A0C82006DD25D224742D3D9AB970C5E9FA3C30A8C9294905E4BFBA292BB2FE3D49D67D8EB9F51A5BF2C28791E2D107CB06B7000A0125863CA8E4
                              Malicious:false
                              Preview:[Media]..type=client..Offer=Off....[SetupFiles]..actionqueue.dll..adfscomp.dll..admtv3check.dll..alert.gif..appcompat.xsl..appcompat_detailed.xsl..appcompat_bidi.xsl..appcompat_detailed_bidi.xsl..appcompat_detailed_txt.xsl..appcompat_detailed_bidi_txt.xsl..autounattend.xml..clustercompliance.dll..cmisetup.dll..cmiv2.dll..compres.dll..coverage.dll..cversion.ini..diager.dll..diagnostic.dll..du.dll..hwcompat.dll..hwcompat.txt..hwexclude.txt..hypervcomplcheck.dll..iiscomp.dll..input.dll..itgtupg.dll..lang.ini..license.rtf..locale.nls..migisol.dll..migtestplugin.dll..nlsbres.dll..noupgrade.txt..ntdsupg.dll..ntfrsupg.dll..pidgenx.dll..pkeyconfig.xrm-ms..pnpibs.dll..product.ini..rdsupgcheck.dll..rmsupg.dll..schema.dat..segoeui.ttf..setup.cfg..setup.exe..shdocvw.dll..smiengine.dll..spflvrnt.dll..spprgrss.dll..spwizeng.dll..spwizimg.dll..spwizres.dll..sqmapi.dll..testplugin.dll..uddicomp.dll..unattend.dll..unbcl.dll..migres.dll..migcore.dll..migstore.dll..ucrtbase.dll..upgloader.dll..uxlib.dll.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):378168
                              Entropy (8bit):5.964918245811134
                              Encrypted:false
                              SSDEEP:6144:fX3rNqBTOWcAI1R/LtZ8ChNaJSMV/4e2VJK:fXbNqBTOWcAuRzt1NA/FIJK
                              MD5:05947A5E2EF800F5B6A1E6004B9A3C80
                              SHA1:D17B60F6CD33E6ABF754715B685AD0906C8F38E7
                              SHA-256:8F55997314E5D67B45CA13C6AA6BF1166DBBDDDAE381796C5221533E7E8E7586
                              SHA-512:B5488E9C37346B1727C8F4334A2E8D7023584C3A3BFEF993D3C86D7B6FDA52FFBB20227426961D882EF77436D5A812240AF50FE1C0AD03B618DA880EE81713C2
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Windows imaging (WIM) image v1.13, 11 images, LZX compressed, reparse point fixup
                              Category:dropped
                              Size (bytes):5148409297
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:
                              MD5:D41D8CD98F00B204E9800998ECF8427E
                              SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
                              SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
                              SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
                              Malicious:false
                              Preview:
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):85448
                              Entropy (8bit):6.3353925758808725
                              Encrypted:false
                              SSDEEP:1536:0TQtLhXr58j0zd7PaK8SE6nm4pjJNwpEjenIC2ZuGnWy9eHXIKv8T:4QtLd5Rd7PaK8ShnxjJ4KGykHXIKv8T
                              MD5:F1DD2DD35C47921A435B5642BF8376D2
                              SHA1:31AD1BE27ABCFD214FC92F8ED5D0DC6C2C03BBD2
                              SHA-256:04969B1FEDD137E471855EEEE26AE7598C5E4CBE88AB0D752BFEA4BCE891E502
                              SHA-512:13B9CAD24DCAE902E95434E160C2DDD92369DF829CC8B9C5C129F4E0A10E23A131CAB2DAF7FED09153D5E2CFCAF909639DB49023E8B9341E42D40761983F470E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Generic INItialization configuration [Fallback Languages]
                              Category:dropped
                              Size (bytes):78
                              Entropy (8bit):4.290980584854066
                              Encrypted:false
                              SSDEEP:3:tkPGvLTPK8EiwJk7piCYK8Eigtvvn:tkO/iLpKtjLt
                              MD5:745BC920024A7492EF509092050BE8B2
                              SHA1:2FB21899684141AA74B17F71E288ED5748252806
                              SHA-256:82278132FC14952DE56F3A219DB51FB37517C6206C41E6219CB92ADC9526267D
                              SHA-512:A913C6935898F9A7586651B125C832BC9F97AA67808C6E4CBA3555AC05ECE7484E9730C9DB898191745ECCCCAB0394BCAB28A23CF3AF0A5AC5AF738D2797793E
                              Malicious:false
                              Preview:..[Available UI Languages]..en-gb = 3....[Fallback Languages]..en-gb = en-us..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Matlab v4 mat-file (little endian) H\300, sparse, rows 0, columns 0
                              Category:dropped
                              Size (bytes):819496
                              Entropy (8bit):4.533305970373999
                              Encrypted:false
                              SSDEEP:12288:HBlN9m5gDdsFmFEM0Vc8WUnD6D/FAwTkTf1:Hzv0fW8yFA9
                              MD5:25C123C2E2888CEC7242E5458274E3F1
                              SHA1:51CCEEB85BEF886D0196CF0C522A6044C9303DAF
                              SHA-256:1171025AC4DC2569A63D2A2169DC964073AFB4F5CDD4E7BB816BF590A1B1EB40
                              SHA-512:703B5DBAB7B831FC194FA6C84E8F471D422430A21C496634C715A14E03458404F5FC39FD1D983642010805C79B135AEF18AF62B2D8B06BF0295E05AD481B42BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):152376
                              Entropy (8bit):5.772088004928904
                              Encrypted:false
                              SSDEEP:3072:Jnil5KerSGaVHC6yIE4EJ+Bq0MX0Igx7DAJoNvgh:JnEXrmC6NEQBrMX0Igx7DAJoNW
                              MD5:019F683F8E91D9CE11AAD7B75A026E6D
                              SHA1:46A66AB86E72C1602427B051286A31D10CA08754
                              SHA-256:9BFDA340701431816681936D52AC50D1AFD318EAC64FF26EB4476AE1618CE8D1
                              SHA-512:4CED3A17535A3211A8561CFF3C93839454370CA6D52CA96EF83E11B580E553BD29EE2BBFA72EC61653F78270D823B189329865CABCDD0A290618DF1C0C1F3139
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14034800
                              Entropy (8bit):2.3429617810137384
                              Encrypted:false
                              SSDEEP:24576:n6qulOnXyAIAUhDI3fohtDxz0VdwmTRjB9In5h:n/chOfADMi5h
                              MD5:C660F40D7F5E8C0E45BD917E54006855
                              SHA1:2AE850FACF1FE2EBBCDED4FF51C62BABB15473C6
                              SHA-256:0FDAB9D4A6E10C99D352CF60B72A314D48D9BE15AFCB849717A8163302787BB4
                              SHA-512:3EDA477C1530B69AFDD6AD147AA77CC676DA04FADBC9E8052627A19E7697466FAFB35F97638359447B06E1E5B87C1CDF6877D4B1CDEF2D5CF47004ABBF5EA882
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):654548
                              Entropy (8bit):5.032634920526294
                              Encrypted:false
                              SSDEEP:3072:y2edte6VTG3z0UOdjcj6vwVdknsIFcPhf7xvxlo69fIGcCaEJGPO2c/eXc7PA7Tg:daNsIFcPhfho69fIGcU
                              MD5:7FAFBC593697AA1441BD947E2F901DC5
                              SHA1:48EC6158751B0BAE0F1E7B3465BB38BE6B984930
                              SHA-256:C7F431DC0146147017C29362AF521E10E1A5953285AD9579C5D08C2F11B90803
                              SHA-512:0CBFC4414D5A0E786CA83FDCED78766901F7BDC8135C7E4285B0571FC2A007BF9B7DDFA0F4D0BE4076FCA40439D034CD7B39B4FB6B8F3469F26A548A1A02E9DA
                              Malicious:false
                              Preview:.<?xml version="1.0" encoding="UTF-8"?>..<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migapp">.... <library prefix="MigSysHelper">MigSys.dll</library>.... <_locDefinition>.. <_locDefault _loc="locNone"/>.. <_locTag _loc="locData">displayName</_locTag>.. </_locDefinition>.... <namedElements>.. Global -->.. <environment name="GlobalEnvX64">.. <conditions>.. <condition>MigXmlHelper.IsNative64Bit()</condition>.. </conditions>.. <variable name="HklmWowSoftware">.. <text>HKLM\SOFTWARE\Wow6432Node</text>.. </variable>.. <variable name="ProgramFiles32bit">.. <text>%ProgramFiles(x86)%</text>.. </variable>.. <variable name="CommonProgramFiles32bit">.. <text>%CommonProgramFiles(x86)%</text>.. </variable>.. </environment>.. <environment name="GlobalEnv">.. <conditions>.. <condition negation="Yes">MigXmlHelper.IsNative64Bit()</condition>.. </conditions>.. <var
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):9058648
                              Entropy (8bit):6.1386024064518585
                              Encrypted:false
                              SSDEEP:49152:yut7C8aixQ80pP4LcVl/ei7kYCzLks3w0o1Q2VUGtKRoZVVsPmhAl3SGffUNLPNE:yoCB5neNzkVVel3kpoqvBjGV
                              MD5:89AB3F0DE61AC51CB76040F2E64D00DD
                              SHA1:D862CD21A2B274CE147B3A58380D3729AE2B563D
                              SHA-256:F559D7DD307A5C363920BA83AA844C15302ECEEB6C5F695A5CBD17185D284A57
                              SHA-512:7261B26862FD830FBB6D129234B9DF7A770A085C38CED193CDBFD558789D5C9D2388D425C4F62896A59976C68F71AC37B7A0E157BE7276671B390E0FF8335717
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):259384
                              Entropy (8bit):5.535875628700205
                              Encrypted:false
                              SSDEEP:6144:/TP+SYlDKFv4mojDuUlMtq10Q8m7NNqM9N+hN1UFpfNS5iXjD56Gpovgp2H32nqB:/rgmeDuUlEqatglsLbH
                              MD5:A9C54F838F534382A7287FD07E166F97
                              SHA1:B04969892D92DCEFF158A6737033841B730B8889
                              SHA-256:EA193F311A0807F07EF7C07F2D031E80C591935F30A736747882A8ECED31C19D
                              SHA-512:B418EC9FA07AFFD4AFE93268D96C80D58AA49B5950A9231BCDD2E652D0D08FFCF22B189950EFB7FAC97059AA583B4FC1A88555043E5756BB937F91B6FECB7BDB
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):144696
                              Entropy (8bit):6.079285121970161
                              Encrypted:false
                              SSDEEP:1536:ngh6fy8DKXL1suIbaNe4+ciQWwAQgm6QW01NHuMUXQ8t7e5VyX3bgp/UOI8f3gSN:Hy8DcLJvQPXQ+5OI8nbMvDnkm8NH
                              MD5:3D312959064BC1CE0E89C08AAEA19873
                              SHA1:F32F62416C1D3BF6326C5BBF7E0017919F95691C
                              SHA-256:2FE131F9F50FCEBF13F9674EA7F103AF7B48565DF16E605F427F864D5E289673
                              SHA-512:2868C71F255FF215D1A12BB0821CA08B0D10EB2E64FD414375DAB3B346C63377E8F9E33C058AF4D484F545788FBCDE2E33CA28FC3122C2272AA40CDEA6BE7F3D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ISO-8859 text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):651
                              Entropy (8bit):5.399686546552942
                              Encrypted:false
                              SSDEEP:12:y4Ilv74bQ4IihjncOdONniNjiNFFNIhS+Fu7yn+:nlL3OUQh+hPFA9
                              MD5:7E0F434A84926DE7C06F6E931EBBE853
                              SHA1:339F12D9B85580B97B89EC40BFF0F9E3183AB58A
                              SHA-256:8C1A10CC181D30AFB850034CBA442C1C52B4E810FCC9844A5783540F79798A8E
                              SHA-512:7CB6642B922DEFBE0E82C351AAF61E2F8E5CF26CECC77B1DEDBAD683D30CE6242354E130046248C3F6FA95B505A204006B71998489EFB8ABBAE3DDC9D94C1ECF
                              Malicious:false
                              Preview:[WTR]..Name="Administration Pack for IIS 7.0"..Name="Pack d'administration IIS 7.0"..Name="Administration Pack para IIS 7.0"..Name="Administration Pack f.r IIS 7.0"......[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Windows\Migration\WTR\ [MSIISAdminPack70.inf]"....[System.Gac].."[Microsoft.Web.Management.AdminPack.Client,*]".."[Microsoft.Web.Management.AdminPack.Server,*]".."[Microsoft.Web.Management.AdminPack.Client.resources,*]".."[Microsoft.Web.Management.AdminPack.Server.resources,*]"......[System.Registry].."HKLM\SOFTWARE\Microsoft\IIS Extensions\AdminPack\* [*]"....[ProductID].."{C6E9540C-4B66-4367-A8CF-570DCFD9F030}"......
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):414
                              Entropy (8bit):5.491155569486037
                              Encrypted:false
                              SSDEEP:6:pzha4PAE1jhjbjvT9SB88FEae5RrAJMLpnC5RrAJMLpjMw8ogFoZFuL+IyniuvZ0:y4IUhjncaodONniNjnhS+Fu7yn+
                              MD5:BCAB0605F46D963CA9A086B46DC91017
                              SHA1:771EF0C20CC8B3ACBFA9692F7AF8EA8F44CFABED
                              SHA-256:D2C7A3EF071BA7BEC6B21E6B7CB1E8347FC8CB6EF2E31B36803295406D59C67A
                              SHA-512:F6A71A11A859DF312F48071EDDC306E4F6E563ABBAE5321BDF0B65AD6B632A45F19EF0F6F1FD8841544B6E32F2AFD487898D57E2A74D3B3F4FD90E6145BC3C82
                              Malicious:false
                              Preview:[WTR]..Name="Administration Pack for IIS 7.0"....[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Windows\Migration\WTR\ [MSIISAdminPack70.inf]"......[System.Gac].."[Microsoft.Web.Management.AdminPack.Client,*]".."[Microsoft.Web.Management.AdminPack.Server,*]"......[System.Registry].."HKLM\SOFTWARE\Microsoft\IIS Extensions\AdminPack\* [*]"....[ProductID].."{C6E9540C-4B66-4367-A8CF-570DCFD9F030}"......
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1098
                              Entropy (8bit):5.631132641117829
                              Encrypted:false
                              SSDEEP:12:ShjDCJsSwS6S+Vj0dMtVj0di5dMJ5d+hrTUyWMMthrTUyWM+hrTUieb+xMthrTUS:6yJ3j6PVdtVU0pZctpZupBWtpBb
                              MD5:8EBAECBF9A517CA8913A2BEBCD4AFF0E
                              SHA1:6D3C9D3DC372E2AB59B881AEF8A7AE1E7057F20B
                              SHA-256:FC1E5C0B95695D7512564EC1D381FEE0E8510CB7DF7BA7D7146AD4F55E3CF137
                              SHA-512:EBF011025FF1AFF4B80C81B255A7EA485884612D10638985CBF6C8E959E28939EAF3BA68996D7CE46FEC8650C9D27660F3F26FDF6CC9FBFCEC2774E5CFF7660F
                              Malicious:false
                              Preview:[WTR]..Name="Adobe Flash for Windows"....[WTR.W8]..NotifyUser="No"....[System.File].."%windir%\System32\Macromed\Flash\* [*.ocx]".."%windir%\System32\Macromed\Flash\* [*activex*]".."%windir%\SysWow64\Macromed\Flash\* [*.ocx]".."%windir%\SysWow64\Macromed\Flash\* [*activex*]"....[System.Registry].."HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX\* [*]".."HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX\* [*]".."HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX\* [*]".."HKLM\SOFTWARE\Wow6432Node\Macromedia\FlashPlayerActiveX\* [*]".."HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAB3E735-69C7-453B-A446-B6823C6DF1C9} [*]".."HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAB3E735-69C7-453B-A446-B6823C6DF1C9} [*]".."HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32} [*]".."HKLM\SOFTWARE\Wow6432Node\Mi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):17201
                              Entropy (8bit):5.129965960683943
                              Encrypted:false
                              SSDEEP:384:sSARMZG4urnofbMfMDIwrbMMgbMNbMjbMIqMDWMDE:sSAR6urnebMUJbMVbMNbMjbM+bQ
                              MD5:C6520704B9A82F321C14B0915F9BDA13
                              SHA1:1780D87DE9535DFADA55F4EAE28223730E9C9FF8
                              SHA-256:C238B83E61FB9FEB77210A7EF221DAC35F41A6E74413DFBF605F64CC6AEDB0D9
                              SHA-512:63EE1F1CBAB5EB42B74DAB449EA6E5B81671A4F2EC7DA541E9ABEBA32362E3E7F7F88E2247D67A1FA44DCC8DC3C465907170AAA6E064A330895B55AE6609F6E8
                              Malicious:false
                              Preview:[WTR]..Name="Microsoft Application Management (AppMan)"....[WTR.*]..NotifyUser="Yes"..ReInstallURL="https://go.microsoft.com/fwlink/?LinkID=746509&clcid=0x409"....[System.File].."%ProgramFiles%\Microsoft User Experience Virtualization\* [*]".."%ProgramFiles%\Microsoft Application Virtualization\Client\* [*]"....[System.Gac].."[Microsoft.Uev.ManagedAgentWmi, Version=2.1.*, Culture=neutral, PublicKeyToken=31bf3856ad364e35*]".."[Microsoft.Uev.ManagedAgentWmi.WinRT, Version=2.1.*, Culture=neutral, PublicKeyToken=31bf3856ad364e35*]".."[Microsoft.AppV.AppvClientComConsumer, Version=5.*]".."[Microsoft.AppV.AppVClientWmi, Version=5.*]"....[System.Registry].."HKLM\Software\Microsoft\UEV\Agent\Configuration [InstallTimestamp]".."HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6f09cd21-2ab0-41d0-99fd-ba5c3b0aee2f}\* [*]".."HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6f09cd21-2ab0-41d0-99fd-ba5c3b0aee2f}\* [*]".."HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Un
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):7194
                              Entropy (8bit):4.1194707156218255
                              Encrypted:false
                              SSDEEP:48:rTMmYhQzNTdHEuxEb+4FeA5W/5h8epG5A7W+blyo1xE4jxOFAQWU5Rej:rTJ6QzYCoFR5WBh0q7WInpOSQWU4
                              MD5:B2E81B8DFEE4951156DF2B58B5E9B3D6
                              SHA1:2C13D9B7C18A5252D1EE9CE2F05CDE855D820903
                              SHA-256:33FA87C20278C030FC7D3AAAC51ABE417B996D2ACF5612AA8369752A17EC01DD
                              SHA-512:F6421245C6FF8E4D09A554678FEFEB647ADA5217F2EF07935316D50E4F1433887F321E1A6470088E54F63F4BB37C5BC0399659F6F602A0D32929A8DF41912005
                              Malicious:false
                              Preview:..[.W.T.R.].....N.a.m.e.=.".B.r.o.w.s.e.r.C.h.o.i.c.e. .W.i.n.7.".........[.W.T.R...*.].....N.o.t.i.f.y.U.s.e.r.=.".N.o.".........[.S.y.s.t.e.m...F.i.l.e.].....".%.S.y.s.t.e.m.D.r.i.v.e.%.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\. .[.b.r.o.w.s.e.r.c.h.o.i.c.e...e.x.e.].".....".%.P.U.B.L.I.C.%.\.D.e.s.k.t.o.p.\. .[.B.r.o.w.s.e.r. .C.h.o.i.c.e...l.n.k.].".....".%.P.U.B.L.I.C.%.\.D.e.s.k.t.o.p.\. .[.'...*.J.'.1. .'.D.E.3.*.9.1.6...l.n.k.].".....".%.P.U.B.L.I.C.%.\.D.e.s.k.t.o.p.\. .[...7.1.>.@. .=.0. .1.@.0.C.7.J.@...l.n.k.].".....".%.P.U.B.L.I.C.%.\.D.e.s.k.t.o.p.\. .[.Om.hV...b..l.n.k.].".....".%.P.U.B.L.I.C.%.\.D.e.s.k.t.o.p.\. .[..p..hVx..d..l.n.k.].".....".%.P.U.B.L.I.C.%.\.D.e.s.k.t.o.p.\. .[.I.z.b.o.r. .p.r.e.g.l.e.d.n.i.k.a...l.n.k.].".....".%.P.U.B.L.I.C.%.\.D.e.s.k.t.o.p.\. .[.V...b...r. .p.r.o.h.l...~.e...e...l.n.k.].".....".%.P.U.B.L.I.C.%.\.D.e.s.k.t.o.p.\. .[.V.a.l.g. .a.f. .w.e.b.b.r.o.w.s.e.r...l.n.k.].".....".%.P.U.B.L.I.C.%.\.D.e.s.k.t.o.p.\. .[.I.n.t.e.r.n.e.t.b.r.o.w.s.e.r.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1589
                              Entropy (8bit):5.2769145622249924
                              Encrypted:false
                              SSDEEP:24:fJLr3VibEn3VMdUVVIPbETkVVNTkVVcUTjbEtO4ZgGO4ZEV6bEhVValVVNlVVcUi:hvuE3C2YESPSiUDEtZgGZEGEDIPPPiUi
                              MD5:1808B746FBD8086B2FA5FB4E0ED0D631
                              SHA1:5AB18AE6BBAD2787F727FF97753D64A19C6FD861
                              SHA-256:5F908741369FF033B148199DF1A78740B3933E8BAD9009051EE89A4613110A54
                              SHA-512:0B2DE96F4293643E9F0057D0EF05FACEAD42B4545635B3A32EA78599EB72EC1F2AD166D7B0ECF4861733758B0ADDF5F7F40D0A2DA1CC58458BDB03475E67A57A
                              Malicious:false
                              Preview:[WTR]..Name="BrowserChoice Win8"....[WTR.*]..NotifyUser="No"....[System.File].."%SystemDrive%\Windows\BrowserChoice\* [*]".."%SystemDrive%\ProgramData\Microsoft\Windows\AppRepository\ [BrowserChoice_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml]".."%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\ [Browser Choice.lnk]"....[System.Registry].."HKLM\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\BrowserChoice_6.2.0.0_neutral_neutral_cw5n1h2txyewy\* [*]".."HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\BrowserChoice_cw5n1h2txyewy\* [*]".."HKLM\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\BrowserChoice_cw5n1h2txyewy\* [*]".."HKLM\SOFTWARE\Classes\Extensions\ContractId\Windows.Launch\PackageId\BrowserChoice_6.2.0.0_neutral_neutral_cw5n1h2txyewy\* [*]"....[User.File].."%USERPROFILE%\AppData\Local\Packages\Bro
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1558
                              Entropy (8bit):5.1896144980663115
                              Encrypted:false
                              SSDEEP:48:5pTtQbSPVrPOcZJxcZHucZvcZ2ucZrIgdcZn2gx:fqGPVrPOcZ3cZOcZvcZhcZrIgdcZ2gx
                              MD5:DF976C589EF394882D8A4B5668786F9D
                              SHA1:F3942755DD35FABB785B52E291D2AA9C60837506
                              SHA-256:DE3D11644B5A748A925035A6627E6D6CE0407D8BA574AC242DBBF84888593854
                              SHA-512:E102555853DF4D23F720045A03CE505793D5B76C5EAB7C7DE3581D2F18805B917EC271B750BA69DDB2F92BCA0925EB5E2DC9DF194673F300C24CAB5A1CC11C04
                              Malicious:false
                              Preview:[WTR]..Name="Compat Telemetry"....[WTR.*]..NotifyUser="No"....[System.File].."%windir%\appcompat\Appraiser\* [*]".."%windir%\appcompat\programs\ [FullCompatReport.xml]".."%windir%\appcompat\UA\* [*]".."%windir%\appatch\ [frxmain.sdb]".."%windir%\system32\ [acmigration.dll]".."%windir%\system32\ [aeinv.dll]".."%windir%\system32\ [aepic.dll]".."%windir%\system32\ [aepdu.dll]".."%windir%\system32\ [appraiser.dll]".."%windir%\system32\ [centel.dll]".."%windir%\system32\ [dcntel.dll]".."%windir%\system32\ [devicecensus.exe]".."%windir%\system32\ [devinv.dll]".."%windir%\system32\ [generaltel.dll]".."%windir%\system32\ [invagent.dll]".."%windir%\system32\appraiser\* [*]".."%windir%\system32\CompatTel\* [*]".."%windir%\system32\Tasks\Microsoft\Windows\Application Experience\ [Microsoft Compatibility Appraiser]".."%windir%\system32\Tasks\Microsoft\Windows\Application Experience\ [ProgramDataUpdater]"....[System.Registry].."HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OneSettings\* [*]".."HKL
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):412
                              Entropy (8bit):3.6290548172258013
                              Encrypted:false
                              SSDEEP:12:Q+opKlIa9zU8nwqNk8EbOZhkPX2SzweDZaW+ANCEvl:Q+TSY48nwqeLGIPsANCEt
                              MD5:111D889ABB20C0D646495251C912FA38
                              SHA1:05C9804BCCDEBF2F83CC71D8ED65A18A7D029E2D
                              SHA-256:5B5BEDCFB2436A8F1ED076A27E3E537EE9C6D5F07E0F76C81AB15AEAD7D34DD5
                              SHA-512:E11CD14F471E747811516F0E5D1AEF1EDC01EE92CA3A43DEDA38BA87FC595D438D904D5C87DF3B2504BBBACB357AD7E6491403CD25E96A733562CB15825909E4
                              Malicious:false
                              Preview:..[.W.T.R.].....N.a.m.e.=.".M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.D.T.U.".........[.W.T.R...*.].....N.o.t.i.f.y.U.s.e.r.=.".N.o.".........[.S.y.s.t.e.m...F.i.l.e.].....".%.P.r.o.g.r.a.m.F.i.l.e.s.%.\.D.T.U.\.*. .[.*.].".........[.S.y.s.t.e.m...R.e.g.i.s.t.r.y.].....".H.K.L.M.\.S.O.F.T.W.A.R.E.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.C.u.r.r.e.n.t.V.e.r.s.i.o.n.\.W.i.n.d.o.w.s.U.p.d.a.t.e.\.D.T.U.\.*. .[.*.].".....
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1643
                              Entropy (8bit):5.224540430587988
                              Encrypted:false
                              SSDEEP:24:W+fYgLxC8xChOZxCMxC8xCAxCOkxCB5xYOxC9yxCuxCWxOxGZxbxqOx89yx8ux8d:W+fYg0OHi7wVbD1UZj
                              MD5:27A2F7D972F56442FE1660BB5A5492B9
                              SHA1:A12373F8083EC930AA1B7B6D90F489AA726F20F2
                              SHA-256:EC319AE37C16379872DF9228C0731075CDB46FA50E4640B23A31B7A0C320EFEE
                              SHA-512:083BCA2D1DA46CB5CA6185097F174C111D0D744F4B82CA80589B89173B8E6E2780F581B0DBB4897710E9E1060154A81390F5FE8238F820A2A34CC6372F477923
                              Malicious:false
                              Preview:[WTR]..Name="Microsoft FTP Service for IIS 7.0"....[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftphost.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpctrlps.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpextps.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpres.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpconfigext.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpext.tlb]".."%SystemDrive%\Windows\System32\inetsrv\ [FTPSVC.MOF]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc.man]".."%SystemDrive%\Windows\System32\inetsrv\ [ftp_readme.HTM]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc.chm]".."%SystemDrive%\Windows\System32\inetsrv\en-US\ [ftpsvc.mfl]".."%SystemDrive%\Windows\System32\inetsrv\en-US\ [ftpres.dll.mui]".."%SystemDrive%\Windows\System32\inetsrv\config\schema\ [ftp_schema.xml]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [FTPSVC.MOF]".."%SystemDrive%\
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2108
                              Entropy (8bit):5.26260962745666
                              Encrypted:false
                              SSDEEP:24:dRLxCOkxCMxC8xChOZxCAxC8xCB5xYOxCWxCuxCRyxC9yxYdxbxGZxOxqOx8Wx8W:XblO5V+vyZbD1wK1zPJd
                              MD5:5C4A369743CDB57B87C63AA2CD069753
                              SHA1:0345025EC91FF7073E6BE357FB1BC67C2AEEF023
                              SHA-256:F5D8D43C7EA34D02C215AE54B4485BFDD4C96498D158060A92FD671E9FCB9BF8
                              SHA-512:EA6ABC52649A0F340BE2319CC341CB65040E7D27FD4EBFB95BF9171035D646774897852915C5B1FEA14A6F4FF4EE0EB7A9D4E733EA00580842BC311B4C943E63
                              Malicious:false
                              Preview:[WTR]..Name="FTP Service 7.5 for IIS 7.0"....[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Windows\System32\inetsrv\ [ftpconfigext.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpctrlps.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpextps.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftphost.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpres.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpext.tlb]".."%SystemDrive%\Windows\System32\inetsrv\ [FTPSVC.MOF]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc.chm]".."%SystemDrive%\Windows\System32\inetsrv\ [ftp_readme.HTM]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc-events.man]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc.man]".."%SystemDrive%\Windows\System32\inetsrv\ [FTPSVC-UNINSTALL.MOF]".."%SystemDrive%\Windows\System32\inetsrv\config\schema\ [ftp_schema.xml]".."%SystemDrive%\Windows\System32\inetsrv\en-US\ [ftpres.dll.mui]".."%SystemDr
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2773
                              Entropy (8bit):5.231055407592589
                              Encrypted:false
                              SSDEEP:24:dRLxCAxC8xCOkxCMxC8xChOZxCB5xYOxCuxCRyxC9yxYdxbxqOx8ux8Ryx89yxqv:XflO5bMj4RbNmy8VbD1wK1IPJ6
                              MD5:6411DC07378E1C333D621D1B3D79449B
                              SHA1:F3CC1D81B24DDAAB6D2F19E3D39B345570041439
                              SHA-256:4133A3D60057DCB8C0A6EC67B46D7A0786781E65F7E84B9103C8DB8055BF9526
                              SHA-512:9D22AC9ECBE29D4A66318312D08AF565DE42A8DA3793C3214E0C9634F42C9638965A455D4C475F718B2F59FCACB81F103EED9F5A148F4043CBB7CAD11033318E
                              Malicious:false
                              Preview:[WTR]..Name="FTP Service 7.5 for IIS 7.0"....[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Windows\System32\inetsrv\ [ftpres.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpconfigext.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpctrlps.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpextps.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftphost.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpext.tlb]".."%SystemDrive%\Windows\System32\inetsrv\ [FTPSVC.MOF]".."%SystemDrive%\Windows\System32\inetsrv\ [ftp_readme.HTM]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc-events.man]".."%SystemDrive%\Windows\System32\inetsrv\ [ftpsvc.man]".."%SystemDrive%\Windows\System32\inetsrv\ [FTPSVC-UNINSTALL.MOF]".."%SystemDrive%\Windows\System32\inetsrv\config\schema\ [ftp_schema.xml]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [FTPSVC.MOF]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [ftp_readme.HTM]".."%SystemDrive%\W
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1078
                              Entropy (8bit):5.6277164777789235
                              Encrypted:false
                              SSDEEP:24:W+3xPRb0+VZ0+V9/2P/tvllBVqQXEa65aykbQtaNKUcyUKUcy4wAbV/s:W+3xPRbXDXr/2P/xllBwCE9vkQowEwAG
                              MD5:29BD678B6B3E5025A3C653A241D1E10A
                              SHA1:DC47A2435B85857E971A4047697301B2DF6D0583
                              SHA-256:630731831F1DA8AF7842B61854ACC7BAB036791C6FFFCAB9AF0A4E3497E51609
                              SHA-512:24842A69F3F276E752C1D76A1BA04E856C009F054A7B0A6281612C64048B53F2942571E573392838DB2D10ABC908C38C01DEF8460CC0CC675F8D6B707B9B58B5
                              Malicious:false
                              Preview:[WTR]..Name="Microsoft-Windows-GWX"....[WTR.*]..NotifyUser="No"....[System.File].."%windir%\System32\GWX\* [*]".."%windir%\SysWOW64\GWX\* [*]".."%windir%\System32\Tasks\Microsoft\Windows\Setup\GWX\* [*]".."%windir%\System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\* [*]".."%windir%\System32\winevt\Logs\ [Microsoft-Windows-GWX-Ins*]"....[System.Registry].."HKLM\SOFTWARE\Microsoft\GWX\* [*]".."HKLM\SOFTWARE\Classes\GWX\* [*]".."HKLM\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-gwx\* [*]".."HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-GWX-Ins*\* [*]".."HKLM\SOFTWARE\RegisteredApplications [GWX]".."HKLM\SOFTWARE\Classes\ms-gwx\* [*]".."HKLM\SOFTWARE\Classes\CLSID\{BEBA2AA5-B5A7-4DD3-9AD6-43B24CDD3B7D}\* [*]".."HKLM\SOFTWARE\Classes\CLSID\{C74C5910-D594-43DD-850F-3AFFEB9B756D}\* [*]".."HKLM\SOFTWARE\Classes\Interface\{C74C5910-D594-43DD-850F-3AFFEB9B756D}\* [*]".."HKLM\SOFTWARE\Classes\Interface\{34B154A4-F695-4C06-9106-56E5FAC65B9E}\* [*]"...
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1002
                              Entropy (8bit):5.273975925001427
                              Encrypted:false
                              SSDEEP:24:W+xXSA3OLXqlux7Hxi+N+QJfl/zZqJMrrBxMOQJRQJflphvIm:W+J3O0v0+ilbjHVeilphvIm
                              MD5:0708CA2DCAB2B86B2F370D8D78D26E16
                              SHA1:E9E4B0AB08F74484FBF25FB9321D6D4C13B0FFB8
                              SHA-256:32BA0E85E6E1B63072E61B3920216534E60C4AFCD918B4B68687585DC0FDE177
                              SHA-512:1C59825E2F6BBF7308AFE511FD86C9E128B843A26F31C176A730B26EDE2987413A0CD5ACFFBAE8C1501C842368E92D7D31A8C0A5A4462517471E268A31260952
                              Malicious:false
                              Preview:[WTR]..Name="Microsoft Windows PowerShell snap-in for IIS 7.0"....[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [AppHostNavigators.dll]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [IIsConsole.psc1]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [iisprovider.format.ps1xml]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [iisprovider.types.ps1xml]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [Microsoft.IIS.Powershell.Provider.dll-Help.xml]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [NavigationTypes.namespace.xml]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [Readme.htm]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [XPath.dll]"......[System.Gac].."[Microsoft.IIS.PowerShell.Framework,*]".."[Microsoft.IIS.Powershell.Provider,*]"......[System.Registry].."HKLM\Software\Microsoft\PowerShell\1\PowerShellSnapIns\webAdministration\* [*]"....[ProductID].."{3C557BC2-9FC4-4293-9E36-F6F5079E3E0C}"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ISO-8859 text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2551
                              Entropy (8bit):5.18348144647889
                              Encrypted:false
                              SSDEEP:48:W+J3++J3joJx0vGtilbXilbv2d2ailbT2Milb9ilb1eilMPil37vIm:JJRJToJxVilbXilbv2d2ailbT2Milb9G
                              MD5:D6E50529A144E1CEC2820B1EE820AFDD
                              SHA1:6B66A07196CB256AE71D87C0C987C126C57A9A18
                              SHA-256:A58B57D79FE8EE5DBC8060C9BBD44BC89EB82E2D4CD004521A4EBC664DB1942F
                              SHA-512:45C04FE39397B555CFF4B824AEE244A1128263CF33FDDB830DE4EA8E4B3C18A83A981899EC777F3EDB848F646CEF71D223A43A3798679B0DAA769B2E4BFD3BAB
                              Malicious:false
                              Preview:[WTR]..Name="Microsoft Windows PowerShell snap-in for IIS 7.0"..Name="Microsoft Windows PowerShell snap-in f.r IIS 7.0"..Name="Complemento PowerShell de Microsoft Windows para IIS 7.0"..Name="Composant logiciel enfichable Microsoft Windows PowerShell pour IIS 7.0"....[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [AppHostNavigators.dll]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [IIsConsole.psc1]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [iisprovider.format.ps1xml]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [iisprovider.types.ps1xml]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [NavigationTypes.namespace.xml]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [Readme.htm]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\ [XPath.dll]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\de-DE\ [ApphostNavigators.dll.mui]".."%SystemDrive%\Program Files\IIS\PowerShellSnapin\de-DE\ [Microsoft.IIS.Powe
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):486
                              Entropy (8bit):5.05775553876184
                              Encrypted:false
                              SSDEEP:6:pzhNERHjike9UjbjGMWVKTWtdfAgrtWtdfAgWHoWtdfA2yn/WtdfA2AcdfAgry:MDi59UjD8K/mtyIW
                              MD5:769B9ACA6CF7E44D8AF0DA2B75F0A22F
                              SHA1:934CD66821EF228A9ACF799BD07422BCC1963DA7
                              SHA-256:D64225BE8D74ACF1D0E0413851FED2525C8E5CA72A792B05C97E7CCA9EFF3632
                              SHA-512:0F5E7EE0285E1492B0EB9669997FE28062A129F99F34758A8AB2288F924B187786246DF16DBA074FBB120DCF417D30E254A0B0D3C80055135B6F59BA6615AFA5
                              Malicious:false
                              Preview:[WTR]..Name="Standard Collector Migration"....[WTR.*]..NotifyUser="No"....[System.File].."%windir%\system32\ [DiagnosticsHub.Packaging.dll]".."%windir%\system32\ [DiagnosticsHub.StandardCollector.Proxy.dll]".."%windir%\system32\ [DiagnosticsHub.StandardCollector.Runtime.dll]".."%windir%\system32\ [DiagnosticsHub.StandardCollector.Service.exe]".."%windir%\system32\ [DiagnosticsHub.StandardCollector.ServiceRes.dll]".."%windir%\syswow64\ [DiagnosticsHub.StandardCollector.Proxy.dll]"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):10086
                              Entropy (8bit):3.9544673338048484
                              Encrypted:false
                              SSDEEP:192:/drf6WxMz/ZzEu6EyyqeFMLfbsAbFWSaAiEUS381upoPrk7d7MH:/pf6Wxe/ZzEu+yqemLfbsAbFWSaAiEU/
                              MD5:C2C3762894900AF48E429D531771A939
                              SHA1:D51669FF39ADA8CA614F4F3ADCD30745763F58D7
                              SHA-256:B785DFD3E8C82D635626B878FF05AAB01B5FDEE9CFE9E40CA2D19058E7DEED65
                              SHA-512:C63637D55B98E53E0284AE543F81C27140833F1C7E441AC5AC362B02FF47DEDB896BB703538EC2A037D26B51DF97A9F35E43D599A48FE0EDAA3BBD85C591D2CB
                              Malicious:false
                              Preview:..[.W.T.R.].....N.a.m.e.=.".M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.U.N.P.".........[.W.T.R...*.].....N.o.t.i.f.y.U.s.e.r.=.".N.o.".........[.S.y.s.t.e.m...F.i.l.e.].....".%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.U.N.P.\.C.a.m.p.a.i.g.n.M.a.n.a.g.e.r.\. .[...U.N.P.C.a.m.p.a.i.g.n.M.a.n.a.g.e.r._.L.o.c.k.F.i.l.e.].".....".%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.U.N.P.\.U.p.d.a.t.e.N.o.t.i.f.i.c.a.t.i.o.n.M.g.r.\. .[...U.N.P.C.a.m.p.a.i.g.n.M.a.n.a.g.e.r._.L.o.c.k.F.i.l.e.].". .....".%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.U.N.P.\.U.p.d.a.t.e.N.o.t.i.f.i.c.a.t.i.o.n.M.g.r.\. .[...U.p.d.a.t.e.N.o.t.i.f.i.c.a.t.i.o.n.M.g.r._.L.o.c.k.F.i.l.e.].".....".%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.U.N.P.\.C.a.m.p.a.i.g.n.M.a.n.a.g.e.r.\.*. .[.*.].".....".%.p.r.o.g.r.a.m.f.i.l.e.s.%.\.U.N.P.\.U.p.d.a.t.e.N.o.t.i.f.i.c.a.t.i.o.n.M.g.r.\.*. .[.*.].".....".%.w.i.n.d.i.r.%.\.S.y.s.t.e.m.3.2.\.T.a.s.k.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.U.N.P.\.C.a.m.p.a.i.g.n.s.\.*. .[.*.].".....".%.w.i.n.d.i.r.%.\.S.y.s.t.e.m.3.2.\.T.a.s.k.s.\.M.i.c.r.o.s.o.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):724
                              Entropy (8bit):5.378583942402738
                              Encrypted:false
                              SSDEEP:12:W+2hjnxY5x/hxK7xelx/kDtxu5x58dOoBohKl2:W+eLxY5x/hxqxyx/khxu5x5oOOtl2
                              MD5:3AEE60E5B755B1A64F6B40433C98E78A
                              SHA1:871D355315F62405048DF62A18AEF01183F4EFA3
                              SHA-256:1208C789784EC53368859BB60E454F8B7B28F13090731B0B06FBAF615A8FD92A
                              SHA-512:779A7CB6715A16927E0B385B1CD94D27D383513A9CA1A99C798A4AE1FCE99E85D48A870748FD5C07A372A47D13CE6F4B7B3F4436892F4AAD72D2E37510A6684A
                              Malicious:false
                              Preview:[WTR]..Name="Microsoft WebDAV Extension For IIS 7.0"....[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Windows\System32\inetsrv\ [webdav.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [webdav_simple_prop.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [webdav.chm]".."%SystemDrive%\Windows\System32\inetsrv\ [WebDAV_ReadMe.htm]".."%SystemDrive%\Windows\System32\inetsrv\config\schema\ [WEBDAV_schema.xml]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [webdav.dll]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [webdav_simple_prop.dll]"....[System.Gac].."[Microsoft.Web.Management.WebDAV,*]".."[Microsoft.Web.Management.WebDAVClient,*]"....[System.Registry]....[ProductID].."{C4C36B6D-0400-4160-B9A1-7F0E44F626ED}"....
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):961
                              Entropy (8bit):5.396088690463055
                              Encrypted:false
                              SSDEEP:24:7RLxY5x/hx/vkwxqxyx/khi5xu5x5hx5vkTOOtPFX+:V0k+8kKOtPd+
                              MD5:CA15744DD40103F5EB4D26F5E05B51B3
                              SHA1:646C32641FC9DBCB9ECBFB96DC1F35E654F40F24
                              SHA-256:BD1E63604D233DD1BAB0CC0E257871E00408C64AE9A49F900B2A2FA65D88B02B
                              SHA-512:FD8D39D5E397C37FF63672767118D0AA45CE2B2911680D07E8D3157A5D2432C8C1852DA7B91AA08C5AC0FFED3883A30513C6F28360D3F24184CA358C153194D8
                              Malicious:false
                              Preview:[WTR]..Name="WebDAV 7.5 For IIS 7.0"....[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Windows\System32\inetsrv\ [webdav.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [webdav_simple_prop.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [webdav_simple_lock.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [webdav.chm]".."%SystemDrive%\Windows\System32\inetsrv\ [WebDAV_ReadMe.htm]".."%SystemDrive%\Windows\System32\inetsrv\config\schema\ [WEBDAV_schema.xml]".."%SystemDrive%\Windows\Migration\WTR\ [MSIISWebDAV75.inf]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [webdav.dll]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [webdav_simple_prop.dll]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [webdav_simple_lock.dll]"....[System.Gac].."[Microsoft.Web.Management.WebDAV,*]".."[Microsoft.Web.Management.WebDAVClient,*]"....[System.Registry].."HKLM\SOFTWARE\Microsoft\IIS Extensions\WebDAV\* [*]"....[ProductID].."{E59555E2-6572-4BA5-90A9-3D2327739979}"......
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ISO-8859 text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1265
                              Entropy (8bit):5.451633150161133
                              Encrypted:false
                              SSDEEP:24:7vDLxY5x/hx/vkwxyx/khi5xu5x5hx5vkwz8zazQzdzYOOtPF2:LD0k/8ky+MShxOtP8
                              MD5:1BD653027C0E0860C3EACDD624BF0EE5
                              SHA1:BF88B7548CE1E1137912563B02451EA82E8CC4A6
                              SHA-256:5E955FD4EAEF18009E82E7F0F763D269082D49A1FCFC040D5F5F1C2972D7D0B6
                              SHA-512:1D02D4E84CDFBBA221DA8C2949D34C8448BD8C04CB49713C6D41D5C863CE64A0EF417AB98AEC634918D5E362B823AAE42EEAF3C34AB4E8CEC0686F4C239A7F7B
                              Malicious:false
                              Preview:[WTR]..Name="WebDAV 7.5 For IIS 7.0"..Name="WebDAV 7.5 f.r IIS 7.0"..Name="WebDAV 7.5 para IIS 7.0"..Name="WebDAV 7.5 pour IIS 7.0"....[WTR.W8]..NotifyUser="No"....[System.File].."%SystemDrive%\Windows\System32\inetsrv\ [webdav.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [webdav_simple_prop.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [webdav_simple_lock.dll]".."%SystemDrive%\Windows\System32\inetsrv\ [WebDAV_ReadMe.htm]".."%SystemDrive%\Windows\System32\inetsrv\config\schema\ [WEBDAV_schema.xml]".."%SystemDrive%\Windows\Migration\WTR\ [MSIISWebDAV75.inf]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [webdav.dll]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [webdav_simple_prop.dll]".."%SystemDrive%\Windows\SysWow64\inetsrv\ [webdav_simple_lock.dll]".."%SystemDrive%\Windows\Help\mui\0407\ [webdav.chm]".."%SystemDrive%\Windows\Help\mui\0409\ [webdav.chm]".."%SystemDrive%\Windows\Help\mui\040C\ [webdav.chm]".."%SystemDrive%\Windows\Help\mui\0411\ [webdav.chm]".."%SystemDrive%\Windows\He
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):16184
                              Entropy (8bit):5.863224867364895
                              Encrypted:false
                              SSDEEP:384:zW0YeW3XgSwe4sQbTqpD1IDBRJtA4JeRlFt:6Hg1PsQbTq3I1P96
                              MD5:0711F02A9CF4716F6525710258621637
                              SHA1:1DA8D660708B44E1C1699CE13E4A3A0672348AB8
                              SHA-256:61656D0D4B181644AE5C9A318193DBC71E82B2F189B471EC776421E60F8E65DB
                              SHA-512:4E926C65560C92723A391ECBEF492B817C7DEB23DEFD2B62A662EC4525B36D177C00542C75A4AB3913427F21A882B32F94F58187EBFD1AF6673E7FF8270CCA28
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1238872
                              Entropy (8bit):6.0368206824626975
                              Encrypted:false
                              SSDEEP:24576:qXZF4xTtvZbPsbJ9ieyvoHxCzHSFw+r9LR:IITtvZwb3/xCzyFzt
                              MD5:CB4FB8A1A8BCCED9E7E9CF4F20A0B345
                              SHA1:48FCE98CAB8B7379AF4C8F1A3840D41869C00198
                              SHA-256:4A3FDC5AB862EF262C7CD3532CA10C2C8553C5EF9F7D3CA1424FA29E06F7F763
                              SHA-512:75D6B69067E68A3B55B74E43B162F0946C138E2E0C02FCAD389F5605DD532727348FBE799F3096CD545E106B6FD553CA83655D4E7BE9CBCEB01FA78D8307421D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):401208
                              Entropy (8bit):5.929553204489019
                              Encrypted:false
                              SSDEEP:3072:Jd3rw5o/I4cU+rkWeXShTvD/A99P8u4K+bqp0fe3qFs2L/CShrQb1brsXd/c3/nt:J8o16eXeANYbqp0fey1/hMsXd/c3/N/
                              MD5:801F7C5685F3EB66FC15D1585A5630A8
                              SHA1:BA34C6A0ECDB18D06E9CB9CE50A35BD3FAE21EC2
                              SHA-256:D145083FB80D476045708F785D8826F1AA8C62CC764C59F1E7D90B9509720612
                              SHA-512:86DBA241EC6B2D44EF94206A411C6891C93F928EABADD8F7E5C68305B61C20A65F0AEE08EF7E5451CB522CA9F37EABD3FD8E7D31298457010AE6EB1C2CEEB5F7
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):49608
                              Entropy (8bit):5.791312007767243
                              Encrypted:false
                              SSDEEP:768:AuuS/rLtaWKqnG+zjqOu1dZjZ/RQs/eMvGheLcRx97:zrLtai70ZjZ/RQs/eMvGYL+xB
                              MD5:0DD4B7DF5BD9EF9B4D06E2692E54E228
                              SHA1:83D3158567E2BAAC9AB9E9355FD681326FD32C9E
                              SHA-256:3C402EE7EAF4366050B5F51F7907F3D142368A0D7C9574496513B23FEBE23171
                              SHA-512:F5C8E140A1FB279786D4A197B826E06FDDB4B2809A214B2119BE5189FA8832C8B14D1BAC417F53C934BFFE6D0FCD3C941FC75C10B5DCF71E1E715E9087E47162
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):281432
                              Entropy (8bit):6.273740820921855
                              Encrypted:false
                              SSDEEP:6144:8ghXtb2Ik7VTJkTmrD4y13TC9OCC54cED2k:8gh9VEVTKKX4QT1WP2k
                              MD5:32FDFC1510BAE103F41067FA47081002
                              SHA1:77F100F10B94FB6A23716FC508D64A35947E3AC4
                              SHA-256:220D7AFFFF347EE7ABD46C15E7798BFB4B147716F893CD03EC6A94E796C24D8E
                              SHA-512:2AF255736F8F4FCCED02E4C33E1C73859D60AA7CED5660AEFDE95443713A96112F119E3CB2417E40F878F323D4D1B5642948D0133C53F62229688DFA2039A256
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):326456
                              Entropy (8bit):5.868834013446046
                              Encrypted:false
                              SSDEEP:3072:FjL9T8zujhN48954mrws5XCxtmkTpc59Mc+k:Fn9T8zuha8vrws9kTpc/n
                              MD5:C8209A0E651B4B097D095DFE37F48AB7
                              SHA1:4FB9E1D76B1CF1D3CFE7C47DD0FE479B4E60BA7F
                              SHA-256:452B142F8E8A0DEDBEAE379B355A0E5796EDC1D98008773817C7B12C7CEB7115
                              SHA-512:500E977E1A4259FD2C1B840720240B21880CB7083EC114345DAF8EFF0280CEADBF6FE90FD14F26BC12F037D2229FDBF3AFBD5B85CDD5D4133ACF1D893AF845CB
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):90640
                              Entropy (8bit):4.685194622399538
                              Encrypted:false
                              SSDEEP:1536:OI/GQv3ULaY+Gxz2r8/wuvo2ac1R3jIb2AA81GrP3MDNPpJc:DOFmu28Yuvo2acr3jIbu81GrP3MhBJ
                              MD5:5420F2375B51A4B3AB00FF142D453ADB
                              SHA1:5F139FA7C258CAF76B6CFAB5325563EB3AC687E0
                              SHA-256:F4C83C04A4484B6F46AC797B43E652083FBF8E8CC318686F500F94F1D60E1EE9
                              SHA-512:FB9AD9D53EB6E940FB4A284CC4C6D602A1BACF1AA15F2A8E04654A829D081FD2C78EB7100A5C4C6BA262AAE7BD84F13A6B7A9BC57D95D1B3DB7CF6D8A87C09CC
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):28608
                              Entropy (8bit):6.116117921416865
                              Encrypted:false
                              SSDEEP:384:lLKntuWdELIiiEkbfMhRlHQSPOB24y+VbLZXWQuWNwGyD4JeRlFH:lLmJpykvPj9Z+
                              MD5:981D4E2F670D599A0BC4CE6A01E49006
                              SHA1:BE3D5AEA5641D8B1F2F87BA4E7698439B57DFC0E
                              SHA-256:857620F9C3878C1B13A7F8B2EBB5FC18474B6E901D769A6AC15AABCF46030D45
                              SHA-512:B97F5B9C1EFED0FB4E07FD6D7950D6B4BFF8F5F3CBC5771A0DA178162A7895786F68B23B34DB92EA6A4AE72285D29597631EDB6E8B4D4E018F5BB3B6C21CA158
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):52168
                              Entropy (8bit):6.151943841936431
                              Encrypted:false
                              SSDEEP:768:8PR+y3oqwk42aUEWjLAfi7wtSoR07wWF3Fa5HELdI1:8pDz4Ehcfi7wtSoWMY3oHqs
                              MD5:6E593166D86F0A8660770915DA11C7E1
                              SHA1:EE0295E64F81216BAFA7484CD8D1B9F5BAB9D839
                              SHA-256:B071542E8B87574B6007AB080EC4CB4FF8AF7ACBF218EFC986BCB4D28A788E21
                              SHA-512:7470AFC71698F6094C9BEFC552579C47EE680376453C02B5DD23D7E2E3D4B3CDF3DBB60C9AACB3D240E2F6BB81EFD24917F92BAA28C08D8A53A1A5B5C1B95289
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Generic INItialization configuration [SourceDisksFiles]
                              Category:dropped
                              Size (bytes):1475
                              Entropy (8bit):5.080584038269316
                              Encrypted:false
                              SSDEEP:24:uRfcDfBoiNLawEW8rF1jD0/JGTrAwxMMRQxlP35faFvADs1tDman:uVcDfjNOwXWEsnAqM3/5iBADoJn
                              MD5:ABBA30E5BF0FBBB502C61C7E4FB0245C
                              SHA1:E6211ECFAF07506018A95D32759BF3B543D2B9A2
                              SHA-256:846F025AEB3E4DDCF2A56082E8425C4D2C4DDB2485F2C3F9D823C0590D81DE82
                              SHA-512:65EC072C1B13158EB318E31E84910C53CE344A0B8B6C78D5C076107BA41355188AAACD2B33834017A9A5C115C94DB7C4AFE6734A97E72DD0BFD4D2945F692EA6
                              Malicious:false
                              Preview:;;;..;;; NXQuery..;;;..;;; Copyright (c) Microsoft Corporation..;;;....[SourceDisksNames]..1 = %InstallDisk1%, Instd1, 0....[SourceDisksFiles]..nxquery.sys = 1....[Version]..Signature = "$Windows NT$"..Class = "System"..ClassGuid = {D0A1C3D7-8382-403B-8556-34A55D314A73}..Provider = %Msft%..DriverVer = 12/05/2012,1.0.0.0....[DestinationDirs]..DefaultDestDir. = 12..NXQuery.DriverFiles = 12 ;%windir%\system32\drivers....;;..;; Default install sections..;;....[DefaultInstall]..OptionDesc = %NXQueryServiceDesc%..CopyFiles = NXQuery.DriverFiles....[DefaultInstall.Services]..AddService = %NXQueryServiceName%,,NXQuery.Service....;;..;; Default uninstall sections..;;....[DefaultUninstall]..DelFiles = NXQuery.DriverFiles....[DefaultUninstall.Services]..DelService = NXQuery,0x200 ; Flags not to stop service first....; Service Parameters..[NXQuery.Service]..DisplayName = %NXQueryServiceName%..Description = %NXQueryServ
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):15816
                              Entropy (8bit):5.9710716291259995
                              Encrypted:false
                              SSDEEP:192:fDL1VouyM4Y2Wzb0xL7wWMWSawTyihVWQ4eWqqT5M8xOSqnaj3yY+c:fDLEMR2WvgfwW1wGyVCTlu5
                              MD5:0277790CACA1A29DA537FB8608BA8D9B
                              SHA1:05AAF2E91DA6FD4DCAB1F911E154F16B84503228
                              SHA-256:7C6B09F9D84059131CFFB89B93B093DE6767B375B87BD44933047FBC5FAFC92F
                              SHA-512:7B83B90F25566E09DF975E63E67F0ABCA1FCF7E08179A7461C601B49834A9881B532B36B6935757DEB82BF629E17DA914A24DB9BD0F5085221463F21A62E7635
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):38899
                              Entropy (8bit):5.177046259461185
                              Encrypted:false
                              SSDEEP:384:IdtbaKX8SmpuFoc1FrEAmBmuThUbt9V7Zs64QTlHUlHubP/AoHp7M6e8fG203AgF:IioSa3FBP0dCoUw9
                              MD5:78E9E0A9A2F3E9B7256E2AD9DF2C4FB1
                              SHA1:2A2007C5DD3577CFA9AAA27FF268984343877F5D
                              SHA-256:BE7958BB57E1F099F08DC892345DED30489140B7535DF1336226571CD036C7D2
                              SHA-512:BC99D2972154D934396D48C005E643958406033EA62736936643F123048EC2CF272CD2884084BEBFCC8CF899A55A0BF31D76027014DA58B2E008AEAF4FA63A5F
                              Malicious:false
                              Preview:<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/offlineupgrade">.. <component type="System" context="System">.. <displayName>offlineUpgrade</displayName>.. <paths>.. <path type="File">%WINDIR%\offlineUpgrade</path>.. </paths>.. <role role="Settings">.. <rules>.... <excludeAttributes attributes="Security">.. <objectSet>.. <pattern type="File">* [*]</pattern>.. <pattern type="Registry">* [*]</pattern>.. </objectSet>.. </excludeAttributes>.... <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Lsa [Security Packages]</pattern>.. </objectSet>.. </include>.... <include>.. <objectSet>.... <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\NDIS\IfTypes\* [*]</pattern>.... <pattern type="File">%WINDIR% [WindowsUpdate.log]</pattern>.. <pattern type="File">%WIN
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):199168
                              Entropy (8bit):6.128596457761586
                              Encrypted:false
                              SSDEEP:3072:ntDbHVr/o0BCkQhX2dygd2o2189DxfoUsvQaHBcrT5TAwv:ntDb1r/pPdjRgcRTAw
                              MD5:63F62CE1008D2F891BA9994BCC374528
                              SHA1:5DBDD4C3EEB0CC145B85F586D05362B918947278
                              SHA-256:5CE0DF70B3BBFD7B96824EB8150D5648F57D3FCA71C5C814B763D1A352091EE1
                              SHA-512:97820967604E514B3AAB9538F295E2E923C678954053170FAB6047E9B0DEDCA1E9C5FFE9F5733FD4BB9F7F6009428EC39B7EAB8BA89A5B49FCDF8D1838BB2C95
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):249101
                              Entropy (8bit):5.244437695271397
                              Encrypted:false
                              SSDEEP:1536:SLXPHJTOOq7HCBrft4wkP1eHqFrBKX4d2j05C6HoNm53gOvXnGTtstffNDM9:uBtq7HCBrft4wkNeHW33gS3NDM9
                              MD5:1C56998FB3790C3AEBDC28900EBE696F
                              SHA1:5DCB663A9D4A3EFEE290C7CEE64B90B7D5C185D3
                              SHA-256:D22394CFE00B8B4C2493F845B2A3753B050AE9F28A3CAA9C036DA65E0AA88B8A
                              SHA-512:30289CED417A93D9868552BF75DF98790908D68B6680D0861D4F2589A633B11CC3E863D2BFECDC3160BDD21135A81A99D10DDD87FA18B3D1C851AA534BC6CD5D
                              Malicious:false
                              Preview:.<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/OSComponents.WOA">.. <component type="System" context="system">.. <displayName>Microsoft Office</displayName>.. <role role="Settings">.. <rules>.. <windowsObjects>.. <objectSet>.. <pattern type="File">%programfiles%\microsoft analysis services\as oledb\110\resources\1033[msmdsrv.rll]</pattern>.. <pattern type="File">%programfiles%\microsoft analysis services\as oledb\110\resources\1033[msolui110.rll]</pattern>.. <pattern type="File">%programfiles%\microsoft analysis services\as oledb\110[msolap110.dll]</pattern>.. <pattern type="File">%programfiles%\microsoft analysis services\as oledb\110[msolui110.dll]</pattern>.. <pattern type="File">%programfiles%\microsoft office\*[*]</pattern>.. <pattern type="File">%commonprogramfiles%\designer[msaddndr.olb]</pattern>.. <pattern type="File">%commonprogramfiles%\microsoft sh
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):435175
                              Entropy (8bit):5.2949022760421585
                              Encrypted:false
                              SSDEEP:3072:US40PVn7DRBlKkkhLXBQt3OtupVw+cHxgLgVX9:RNm
                              MD5:1844A7B1C2AB1B21A04D821FEF288083
                              SHA1:0561CDC607650F645CCBA071EDC48C6E192E3843
                              SHA-256:50B71CF2C0D9A748157163AB7EE30BAC07120EDBAE240FD016423ED5EAB07F12
                              SHA-512:D414026F03201BC06899E27CC9B902AC6B2EE9DB792FBC55EDEFAE22E62B6B1D594D80FAF6B58D722C136F7F6098BC41899B5436CE6B1A7494F31B6B3C96309B
                              Malicious:false
                              Preview:.<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/OSComponents">.. <component type="User" context="User">.. <displayName>ar-SA Current User Cleanup</displayName>.. <role role="Settings">.. <rules>.. <windowsObjects>.. <objectSet>.. <pattern type="File">%CSIDL_QUICKLAUNCH% [Show Desktop.scf]</pattern>.. <pattern type="File">%CSIDL_QUICKLAUNCH% [..... ...... Internet Explorer.lnk]</pattern>.. <pattern type="File">%CSIDL_FAVORITES%\Links [Hotmail ......url]</pattern>.. <pattern type="File">%CSIDL_FAVORITES%\Links [Windows Media.url]</pattern>.. <pattern type="File">%CSIDL_FAVORITES%\Links [Windows.url]</pattern>.. <pattern type="File">%CSIDL_FAVORITES%\Links [..... ...........url]</pattern>.. <pattern type="File">%CSIDL
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):21299
                              Entropy (8bit):5.212915176000003
                              Encrypted:false
                              SSDEEP:96:gSpCuNGoFWMuquws8k5WkGNwdYe6Y6sHPyeT8N4jSr8xKr8xdI+f+0SCtBLyuru+:e+v7Zf6NYN4BEg4xhKBGFhs7vEnnu9
                              MD5:AAF2A0B9C4BF7E115726513E87141056
                              SHA1:80F6AFF7E870574256891FE73A19BC9CFD1D8F8A
                              SHA-256:6A59D6737D5AD526C02EA64A54A6419D188DA0E46912FCDEFA04BBF00FDF1A7D
                              SHA-512:62C626F3856BD10610C1156F8D6EF56DECD6E354DEF85708EA1632CB9E749661AC15F4DEF1436EEDAC7E3E81E6BA33DCB91FD40E275AFEFDEBAEF4DE7CD4D27B
                              Malicious:false
                              Preview:[System.File].."%SystemRoot%\Prefetch\* [*]".."%SystemRoot%\SoftwareDistribution\* [*]".."%SystemRoot%\system32\dllcache\* [*]".."%SystemRoot%\WinSxS\* [*]".."%SystemRoot%\$NtServicePackUninstall$\* [*]".."%SystemRoot%\$NtUninstallAwayMode160$\* [*]".."%SystemRoot%\$hf_mig$\* [*]".."%SystemRoot%\$ntuninstall$\* [*]".."%SystemRoot%\ServicePackFiles\* [*]".."%SystemRoot%\i386\* [*]".."%SystemRoot%\system32\migwiz\dlmanifests\* [*]".."%SystemRoot%\syswow64\migwiz\dlmanifests\* [*]".."%SystemRoot%\system32\migwiz\ReplacementManifests\* [*]".."%SystemRoot%\syswow64\migwiz\ReplacementManifests\* [*]".."%SystemRoot%\system32\smi\* [*]".."%SystemDrive%\ProgramData\Microsoft\Search\* [*]".."%SystemRoot%\system32\DriverStore\* [*]".."%SystemRoot%\servicing\* [*]".."%PROFILESFOLDER%\all users\documents\my music\sample playlists [*]".."%PROFILESFOLDER%\public\music\sample playlists [*]".."%SystemRoot%\Microsoft.NET\* [*]".."%SystemRoot%\assembly\* [*]".."%SystemRoot%\Installer\* [*]".."%CommonProg
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4780
                              Entropy (8bit):7.464086897652776
                              Encrypted:false
                              SSDEEP:96:fDrD9DDZu5Mg8/14o8tsoWDUDxDrD9PkjbpoGxBH2kEqkyDrD9WGrBXowDD0pBDP:DtatHmwHUNYDBQABJZ
                              MD5:867B036A91A3FAD35123337F6549D4DB
                              SHA1:D60096E8C71C6D91FC1A2BE1D2F44886EC4C3DAC
                              SHA-256:6F00153FBF5ADD78A466F6B46EF7BF9E0BBD392C81DFCCDA039965F131094648
                              SHA-512:AF308A5920AA6F3A542571F501A976DE7FB103F61979FD3A229768E60114B5FD844A099B21B393F03EB4828B1BEBF6E14A940B593D4AA1E532C7F2A60F4D18E4
                              Malicious:false
                              Preview:..........................J.h.I..4}7Ve.0..y...1.0...`.H.e......0...*.H..........0...0..........a.=.......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1*0(..U...!Microsoft Corporation KEK CA 20110...110711210350Z..121011211350Z0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1.0...U....AOC100...U...'Microsoft Windows UEFI Key Exchange Key0.."0...*.H.............0...................c..>S..I..8.;zs=pg.3...'G.4.0.8m...+&*.d.Gg..5.%:......J6R>=.?.K.~.he....LTX.p3....>k..+h...z...._.:...b..a.x......5.4,ut..kc..Of.;.w.9.0...Ra.V.N..X....".j.s.;..1D.....[..1..9p4..W..n..P.V.vhNil..k..n..gT.`.s.U4k.d..s....9K..phr.e...........0...0...U..........v.&..........B.0...U.#..0...b.C.>..g..[.U.{.._0S..U...L0J0H.F.D.Bhttp://www.microsoft.com/pkiops/crl/MicCorKEKCA2011_2011-06-24.crl0`..+........T0R0P..+.....0..Dhttp://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt0...U.......0.0.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):82232
                              Entropy (8bit):5.357757616641578
                              Encrypted:false
                              SSDEEP:1536:bKGzxIGFVkbgmYszcOo8sGEuJY3j12fUWJesUyd9IzAj82Ik7THuiwJqo3MPkN:1z60mYszcOo8sGEuJOj12fUW8sUyd9Ix
                              MD5:31A562DF788C3C614129EE16D0C04EAB
                              SHA1:E780F384AFD6FE28379EB039D1B49E75E4ACD18C
                              SHA-256:7204F091F89F9256CD6A370F960D36D3EF2EA45542284A0EA1A9BC9A57434213
                              SHA-512:5FC23224559308924F3551CAA59711AB0964A3B329F32E8DCAF153850244B2D14132223A4A876C17D1F625597AE4E4806D15581337D7DDC173383837FD55D395
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):79160
                              Entropy (8bit):6.220198929126554
                              Encrypted:false
                              SSDEEP:1536:a0lYvjwPR6ZNOo0RpO/fzXo+SQ33ToeAiE2BP0Qd:aGYvU5iwoGUzL733TAiE2Btd
                              MD5:C3E4D5916367CB0CE60CAB93C87B97E5
                              SHA1:A08A44514A57A0B89456E1F4F57DE09F833F4ECD
                              SHA-256:561202610015BCA000447FC610FF831FC6E7F06F4437EA0B93E5B223E7CB7455
                              SHA-512:F47349E4F5FB385D6FA35FDF21D153636D00FDC7A6B901E7293DC0D9CFC7773EB133A3BE645D17145297607CAF740581894438CD24CC8659B0748997B700158B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):23864
                              Entropy (8bit):5.964766290071868
                              Encrypted:false
                              SSDEEP:384:+PNuaLd9sctgYF+lFM2rJW1Qm5WuD1IDBRJtrr2LIKliK9y:+PfFqYFiGQm1I1PN2Lhy
                              MD5:B8471257089DFA191D402B5F0B3FE70A
                              SHA1:A6F1A6C56A8D9A395C645B991C3700F0C1FF0DE5
                              SHA-256:4FB4B50DD026BABE9F5E00D65CAA146A3EC4F7F070C194DB4E9EE51FE3BEC51D
                              SHA-512:922F528D7423C51F4459D9537E34108A660899423C848D4E7428C50867B93E0017C841CC656CB3B206CCC1D9D91A161BAE147E9E0C2424B986B61C2A815182B8
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1240
                              Entropy (8bit):5.207091071989849
                              Encrypted:false
                              SSDEEP:24:JdgeDwjo8gWt4+3FpKteLo6fmAL0s6fE3+dK9lKP8OpKjcp0+1GVnTPTlAF9lJJM:3geDw08gmDPfxofHKnKk25q+1GxPTqFa
                              MD5:0FFF459097841B7C8A7C1092492935D3
                              SHA1:CFE1AB996A4A20429C4BDE8F28A51BDC45C35B67
                              SHA-256:1703B66AF219987931127FCD599B9A8D5ADA5FF37F1B2CDA3AA668B5C2E07F02
                              SHA-512:F74C1DCDB4C023F2ACCC848E1DD38592390BFA7D2211C52910C3785EE03992CD72397EDCD96448DF5FA74DE645258E9EF37F4F3054C837344572DE9AEB902DB5
                              Malicious:false
                              Preview:.<?xml version="1.0" encoding="utf-8"?>.. (c) 2006 Microsoft Corporation -->..<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">.. <policyNamespaces>.. <target prefix="WinRE" namespace="Microsoft.Policies.WinRE" />.. <using prefix="windows" namespace="Microsoft.Policies.Windows" />.. </policyNamespaces>.. <resources minRequiredRevision="1.0" />.. <categories>.. <category name="WinRE" displayName="$(string.WinRE)">.. <parentCategory ref="windows:System" />.. </category>.. </categories>.. <policies>.. <policy name="ConfigureWinRESetup" class="Machine" displayName="$(string.ConfigureWinRESetup)" explainText="$(string.ConfigureWinRESetup_help)" key="SOFTWARE\Policies\Microsoft\Windows\WinRE" valueName="DisableSetup">.. <parentCategory ref="WinRE" />.. <supportedOn ref="wi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1133880
                              Entropy (8bit):6.143134366907476
                              Encrypted:false
                              SSDEEP:12288:0Yg+QBlPyLWMhyEt8nA28Sw9Dx6NfAvq/fejjidE+ETKRa7nSdmSJx/VA1oP:yrvKL9AnHXJcUGjjOE+EWdnhA1oP
                              MD5:22699DCD3DE98589E645AA59D233D312
                              SHA1:956F34A75EB02CD84DE1334D04DEE6249DB10E82
                              SHA-256:3A6731B384C132ADAA6D25CAFD3D360EDEBF30714BB417A77C471C04A378510A
                              SHA-512:51CCB304E219517002758A169AE3E52AE2FE4152C8D40AAA596C96842826D1DA42260667BFE3E8EADA69E1D2AB04626CAF7372F463FD2D86F5FC88AC7338D1B4
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):837
                              Entropy (8bit):5.117264570343191
                              Encrypted:false
                              SSDEEP:24:p/vQyjHOjuLjaLONGjaiG0lTTGNTTGQmITQjaDvZnbi2b2e:WyjujuLjHQj8kPGNPGzITKm
                              MD5:D27D254127CA476BB393C7F3E5436EDE
                              SHA1:D9185620FEDD2427EB7492C625739F8B8BEAE231
                              SHA-256:EDE4938A41AFF39A4845E509F38CFE3C53751FF6770685EC92AF005DFF1B53BF
                              SHA-512:A59C7F0F7ABF992C491D65AB3F8DC2C0F92DE0FFE91673EA49FEE5F86396C265080D4A05C5E11A9B24F9294715EA4F044EF5A332920A398064597906F2D199C7
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<WindowsRE version="2.0">...<WinreBCD id=""></WinreBCD>...<WinreLocation path="" id="0" offset="0"></WinreLocation>...<ImageLocation path="" id="0" offset="0"></ImageLocation>...<PBRImageLocation path="" id="0" offset="0" index="0"></PBRImageLocation>...<PBRCustomImageLocation path="" id="0" offset="0" index="0"></PBRCustomImageLocation>...<InstallState state="0"></InstallState>...<OsInstallAvailable state="0"></OsInstallAvailable>...<CustomImageAvailable state="0"></CustomImageAvailable>...<WinREStaged state="0"></WinREStaged>...<ScheduledOperation state="4"></ScheduledOperation>...<OperationParam path=""></OperationParam>...<OperationPermanent state="0"></OperationPermanent>...<OsBuildVersion path=""></OsBuildVersion>...<OemTool state="0"></OemTool>..</WindowsRE>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1734
                              Entropy (8bit):4.768479203725951
                              Encrypted:false
                              SSDEEP:48:22e8aS1M+Sc+SKFyg06oySSS1A+SKFSgmwG+SkgE:22uS1/SvSeISqTSecwZSU
                              MD5:B229ED33C2573FBEE1142C390EE443C8
                              SHA1:4B42C6267EB9EE5F479ED41DAD973DB65FCF5D60
                              SHA-256:92DECCB102C685BA31EEFF535E9B0412577CEFD56339AF0DD090FCE1564B002D
                              SHA-512:E75C03A8921D2C9023B2FA5AE7247603DB03765FCCB5CDBA2273ACF2581F0590ECC4AE4A37D90E548ACC15BB1DAC47F201E849F683C8291161B39C931B3CFDCE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. description="Microsoft-ActiveDirectory-WebServices replacement manifest".. displayName="Microsoft-ActiveDirectory-WebServices replacement manifest".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-ActiveDirectory-WebServices".. processorArchitecture="*".. language="neutral".. version="0.0.0.0".. />.. <migration replacementSettingsVersionRange="0" .. settingsVersion="0".. alwaysProcess="yes">.. <migXml xmlns="">.. <plugin.. classId="{06996584-9164-4CD2-BD44-3DEC24314516}".. file="Microsoft-ActiveDirectory-WebServices\adwsmigrate.dll".. offlineApply="Yes".. />.. </migXml>.. <supportedComponents>.. <supportedComponent>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1995
                              Entropy (8bit):5.032436249566013
                              Encrypted:false
                              SSDEEP:48:22e8v+wkgfAIg/oLDolJmg/oK/o/I/o3DoKDo/IDoxDpg/oLDolQX:22CZxoHo3joYoWozo0oaoeoHoQ
                              MD5:53E3313FBC77D096946299CD02E9EB50
                              SHA1:58994379A599211DC79E7C9FE6C8528C99EFC809
                              SHA-256:19B856BAF5DF62BB8A35CB9C11867F318D2A6372BEFF743CE8DFE265B57DCB37
                              SHA-512:6709D4AB6A7D38B314CE86EC9FEC6C6F99D7F68AC36AE68FC1667CD4BAD46ADC741A66BD5ADA1806353518B8883E36CB5C5EDF16F8E8B2E506209F86A052AE67
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Active-Directory-Services-Interface-Router".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADs\Providers\* [*]</pattern>.. <pattern type="Registry">HKLM\Software\Wow6432Node\Microsoft\ADs\Providers\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Registry">HKLM\Softwar
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):11951
                              Entropy (8bit):5.366050233359695
                              Encrypted:false
                              SSDEEP:96:229LW0CgZcZ/u9wHb+XCnMnFcZ/u9wHb+XCnMpwcZEueDMbd8CnHnkcZEueDMbdH:7p89e5VJ8uyByL
                              MD5:367638531303643E57989B77C0BEB4FB
                              SHA1:B7E5EB96714683C70C5C2F5975B1975DB5AA5DB6
                              SHA-256:ACBE403EEE565F4A9D86FAC4F7EFF81897A2D9AB223616E2338AA3FA933592D6
                              SHA-512:000470EC997B6453EFB30EBE938FD7EC3DD4F172C48B8B72795B912CBD423029C8E0707FA51631FC499FCBC779D7532315C7F74BD95DC5237BBD1F785308816F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Application-Experience-Program-Compatibility-Assistant".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementVersionRange="6.0.0-6.1.7000" .. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="6.0.0-6.1.7000".. >.. <migXml xmlns="">.. <rules context="system">.. <include>.. <objectSet>.. Settings under the Layers key are handled by the Shim Infrastructure manifest -->.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\* [*]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2193
                              Entropy (8bit):4.894125437305986
                              Encrypted:false
                              SSDEEP:48:22e872r+l/gayd24D3lptY4/n/PBu4/ZY/Zk/co/c+tY46n6PB2/:22/2ilgxlpth/J7ZOZ6/hY6J4
                              MD5:0F40384918BAC7129A5F3B159538EA90
                              SHA1:E46C3AAF3153BD82AF557301F6F93B12A42A0A13
                              SHA-256:91DFE24052657317EDABD9879E5EB68DCC77B95D488AB59A175534CAE5198A35
                              SHA-512:E03E2E0F10F3B6796190000B36480322A857C9E499C2FC12FFCD5CBD332312005FD8600CD336E5ED1FCFAA00A67AA4C99F688CC4C38A3D624BFE82584D8E8605
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-AppManagement-Migration".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementVersionRange="6.1-65535.65535".. replacementSettingsVersionRange="0".. scope="Upgrade".. settingsVersion="0".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <plugin.. classId="{2AF7D9A3-FA1C-410A-B6D3-C6AD32232531}".. file="Microsoft-Windows-AppManagement-Migration\AppManMigrationPlugin.dll".. offlineApply="Yes".. />.. <rule
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2042
                              Entropy (8bit):4.955317487481054
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-AppX-AllUserStore".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. replacementSettingsVersionRange="1".. settingsVersion="2">.. rules specifying what files and registry entries to collect -->.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. include everything in the EOL list -->.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\EndOfLife\* [*]</pattern>.. all packages that survived upgrade will live to see the next OS if they weren't taken care of in this one -->..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4900
                              Entropy (8bit):4.924239903657945
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-AppX-Deployment-Server".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="1-3".. settingsVersion="3".. >.. rules specifying what files and registry entries to collect -->.. <migXml xmlns="">.. <plugin.. classId="{AE27C1A6-25F2-45FD-9A28-081B81F29E0A}".. critical="Yes".. file="Microsoft-Windows-AppX-Deployment-Server\AppxUpgradeMigrationPlugin.dll".. offlineGather="Yes".. offlineApply="Yes".. />.. <rules context="System">.. Note: StateRepository database preservation rules are in the base\nt
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):852
                              Entropy (8bit):5.047740008596734
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity .. name="Microsoft-Windows-Audio-MMECore-Multimedia-Other".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementVersionRange="6.0-10.0" .. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns=""> .. <plugin.. classId="{4D36E96C-E325-11CE-BFC1-08002BE10318}".. file="Microsoft-Windows-Audio-MMECore-Other\audmigplugin.dll".. />.. </migXml>.. </machineSpecific>.. </migration>..</assembly>....
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8193
                              Entropy (8bit):5.027484893998515
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. AuthUI has 3 different component names that matter in its migration story... The one that applies during the migration gather phase is as follows:.. Microsoft-Windows-Authentication-AuthUI: Vista and Win7.. Microsoft-Windows-Authentication-AuthUI-Component: Win8 (and beyond).. In order to support migration from Vista/Win7 to Win8, we update the Microsoft-Windows-Authentication-AuthUI component.. to gather in the MigWiz scope (in addition to the Upgrade scope, which it already supported)... -->.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Authentication-AuthUI".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. optimizePatterns="no".. offlineApply="no".. alwaysProcess="yes".. scope="MigWiz,
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):10219
                              Entropy (8bit):4.966520026409024
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-Authentication-AuthUI-Component".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. optimizePatterns="no".. offlineApply="no".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-10.0".. scope="MigWiz,Upgrade".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. Downlevel settings -->.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [DefaultUserName]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [DefaultDomainName]</pattern>.. <pattern type="Registry">HKLM\Software\Microsof
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1511
                              Entropy (8bit):4.647585676810535
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... ../************************************************************..* *..* Copyright (c) Microsoft Corporation. All rights reserved. *..* *..************************************************************/..--><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-BrokerInfrastructure".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <environ
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):785
                              Entropy (8bit):5.103421506797806
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-BTH-USER".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. replacementSettingsVersionRange="0-7".. scope="Upgrade,Data".. settingsVersion="7".. >.. <migXml xmlns="">.. <plugin.. classId="{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}".. file="Microsoft-Windows-BTH-USER\bthmigplugin.dll".. offlineApply="yes".. />.. </migXml>.. </migration>..</assembly>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):9285
                              Entropy (8bit):5.323898920295421
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-CAPI2-certs".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="2".. replacementSettingsVersionRange="0-1" .. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\SystemCertificates\My\Certificates[*]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\SystemCertificates\Request\Certificates[*]</pattern>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\SystemCertificates\*[*]</pattern>.. </objectSet>.. <
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):976
                              Entropy (8bit):4.8075274707755895
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-X509CertificateEnrollment".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Cryptography\PolicyServers\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Cryptography\PolicyServers\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2888
                              Entropy (8bit):4.977848909675534
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Client-License-Platform-Service-Migration".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. scope="Upgrade,Data".. settingsVersion="10".. replacementSettingsVersionRange="0-9".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{6014E67F-2537-48F9-951D-D29D720523E1}".. file="Microsoft-Client-License-Platform-Service-Migration\ClipMigPlugin.dll".. />.. <environment>.. <variable name="ClipDataFolderV1">.. <text>%windir%\ServiceProfiles\LocalService\AppData\Local\Micros
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):5.025441434105171
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-CloudAP".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-2".. replacementVersionRange="10.0.*".. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="3".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\IdentityStore\LogonCache\* [*]</pattern>.. <pattern type="File">%SYSTEM32%\config\SystemProfile\Appdata\Local\Microsoft\Windows\CloudAPCache\* [*]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):967
                              Entropy (8bit):4.951819185515753
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-OneCore-CloudExperienceHost-API".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="*".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Context\CloudExperienceHostIntent\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2413
                              Entropy (8bit):4.866774440300788
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-CodeIntegrity".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0-5".. scope="Upgrade".. settingsVersion="6".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\CI [IntegrityLevelPolicy]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\CI [UMCIAuditMode]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\* [*]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2795
                              Entropy (8bit):5.031967362325969
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-CommandPrompt".. processorArchitecture="*".. version="0.0.0.0".. />.. We only need gather rules as this is for sourcing from Windows 7 systems only-->.. <migration scope="Upgrade,USMT".. replacementVersionRange="6.1.*".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKU\.DEFAULT\Software\Microsoft\Command Processor [CompletionChar]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Command Processor [CompletionChar]</pattern>.. <pattern type="Registry">HKU
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):11666
                              Entropy (8bit):4.9392594111383215
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-CommandPrompt".. processorArchitecture="*".. version="0.0.0.0".. />.. Gather blocks required for collecting data from Windows 8, Windows Blue, and some Windows 9 systems -->.. Apply blocks required for applying to Windows 9 versions built BEFORE the correct CommandPrompt.man reaches winmain -->.. The body of this should match CommandPrompt.man to fix Win9 systems before the changes reach winmain -->.. 9845 is a guess of the build version when this will reach main. The correct CommandPrompt.man will be used after that build -->.. <migration.. replacementVersionRange="6.2-6.4.9845".. scope="Upgrade,USMT"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):7442
                              Entropy (8bit):4.939410824781118
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-ContentDeliveryManager-Utilities".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-5".. settingsVersion="6".. >.. <migXml xmlns="">.. <rules context="User">.. <conditions>.. Checking if the regKey with the name AvailabilityForAllContentIds exists at the location HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\314559 -->.. <condition negation="Yes">MigXmlHelper.DoesObjectExist("Registry", "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions\3
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1619
                              Entropy (8bit):4.998944920995779
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-CoreOS".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration replacementSettingsVersionRange="0" settingsVersion="1">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName [ComputerName]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion [RegisteredOrganization]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion [RegisteredOwner]</pattern>.. </obje
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4431
                              Entropy (8bit):4.934400468669594
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Credential-Manager".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="1".. replacementSettingsVersionRange="0".. >.. <migXml xmlns="">.. <rules context="User">.. <conditions> .. <condition negation="Yes">MigXmlHelper.IsMigrationScope ("Upgrade")</condition> .. </conditions> .. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Credentials\* [*]</pattern>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\Microsoft\Credentials\* [*]</pattern>.. </objectSet>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2829
                              Entropy (8bit):5.130068712095974
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Crypto-keys".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. <migration scope="Upgrade,MigWiz,USMT" .. replacementVersionRange="6.0-6.1".. replacementSettingsVersionRange="0".. settingsVersion="0" .. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\RSA\*[*]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\DSS\*[*]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Crypto\Keys[*]</pattern>.. </objectSet>.. </include>.. </rules>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1222
                              Entropy (8bit):4.97712413819867
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DataIntegrityScan".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.2".. scope="Upgrade,MigWiz,USMT,SvrMig".. alwaysProcess="yes".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\FileSystem [ScrubConcurrencyMaximum]</pattern>.. <pattern type="Registr
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):734
                              Entropy (8bit):4.7396510547837725
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DataCenterBridging".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\msdcb\Parameters\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5044
                              Entropy (8bit):5.103765593503646
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Update-Ux-MusScnHandlers".. version="0.0.0.0".. processorArchitecture="*".. />.. <migration.. replacementVersionRange="10.0.18267-10.0.18362".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings [UxOption]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings [ExcludeWUDriversInQualityUpdate]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Setting
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1527
                              Entropy (8bit):4.750020982588492
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0">.. <assemblyIdentity.. name="Microsoft-Windows-DeviceAssociationFramework".. processorArchitecture="*".. version="0.0.0.0".. language="neutral"/>.. <migration.. replacementSettingsVersionRange="1-4".. settingsVersion="5".. alwaysProcess="yes">.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{C939EC0F-2F56-4CE8-AF56-2336596A5FA7}".. file="Microsoft-Windows-DeviceAssociationFrameworkMigration\dafmigplugin.dll".. />.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFT
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1222
                              Entropy (8bit):4.869997993326137
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DeviceDirectory-DeviceDirectoryClient-Desktop".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade".. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="Yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Settings\FindMyDevice\* [*]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.SourcePriority()">.. <objectSet>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1066
                              Entropy (8bit):4.952598624081196
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. description="Device Registration API Package".. displayName="Device Registration API".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-DeviceRegistration".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.3.*".. alwaysProcess="yes">.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceRegistration\* [*]</pattern>.. </objectSet>.. </incl
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4207
                              Entropy (8bit):4.885006901209119
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-DHCP-Client-Dll".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration .. replacementSettingsVersionRange="0" .. settingsVersion="0".. replacementVersionRange="6.0-6.1".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\* [EnableDhcp]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\* [ActiveConfigurations]</pattern>.. <
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):636
                              Entropy (8bit):4.931916286097198
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-DHCPServer-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="DHCPServer-Tools"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [dhcpsnap.dll]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):12795
                              Entropy (8bit):4.917973395362896
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-DHCPServerMigPlugin".. processorArchitecture="*".. publicKeyToken="31bf3856fd334e35".. type="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. scope="Upgrade,SvrMig".. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. <migXml xmlns="">.. <environment>.. <variable name="DatabasePath">.. <script>MigXmlHelper.GetStringContent("Registry", "HKLM\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters [DatabasePath]")</script>.. </variable>.. </environment>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6093
                              Entropy (8bit):5.01096118143971
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DHCPServerMigPlugin".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersion="2".. replacementVersionRange="6.2.*".. scope="Upgrade,SvrMig".. settingsVersion="2".. >.. <migXml xmlns="">.. <environment>.. <variable name="DatabasePath">.. <script>MigXmlHelper.GetStringContent("Registry", "HKLM\SYSTEM\CurrentControlSet\Services\DhcpServer\Parameters [DatabasePath]")</script>.. </variable>.. </environment>.. <rules context="system">.. <include>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1244
                              Entropy (8bit):4.903442512402791
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-DirectAccessServerManagement".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,SvrMig".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. settingsVersion="0".. alwaysProcess="yes">.. >.. <registerSDF name="RemoteAccessServer"/>.. <registerSDF name="RemoteAccessPowershell"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("File","%WinDir%\System32 [damgmt.msc]")</condition> .. </detect>.. </detects>.. <rules context="Syst
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1064
                              Entropy (8bit):5.0158030188669604
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DirectoryServices-ADAM-Client".. version="0.0.0.0".. processorArchitecture="*".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. settingsVersion="0".. >.. <registerSDF name="DirectoryServices-ADAM-Client"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "Registry", "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ADAM_Shared [InstalledVersion]" )</condition>.. </detect>.. </detects>.. </migXml>.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{43CCF250-2A74-48c6-9620-FC312EC475D6}".. file="Microsoft-Windows-DirectoryServices-ADAM-Client\adammigrate.dll".. offlineApply="Yes".. />..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):664
                              Entropy (8bit):4.930553132942979
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-DirectoryServices-ADAM-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="DirectoryServices-ADAM-Tools"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\ADAM [ADSchemaAnalyzer.exe]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):666
                              Entropy (8bit):4.858287190542381
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-ActiveDirectory-AdministrativeCenter-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="DirectoryServices-AdministrativeCenter"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [dsac.exe]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1178
                              Entropy (8bit):5.071951493652405
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-DirectoryServices-DomainController-ServerCoreUpg-RM".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration settingsVersion="0" .. replacementSettingsVersionRange="0" .. replacementVersionRange="6.0-6.1".. alwaysProcess="yes">.. <registerSDF name="DirectoryServices-DomainController"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [scregedit.wsf]" )</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesStringContentEqual("Registry"
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):682
                              Entropy (8bit):4.890080845048399
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-DirectoryServices-DomainController-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="DirectoryServices-DomainController-Tools"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [domain.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1676
                              Entropy (8bit):4.932978662778133
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. authors="algao".. >.. <assemblyIdentity.. name="Microsoft-Windows-DirectoryServices-SM-Plugin-Registration".. processorArchitecture="*".. language="neutral".. version="0.0.0.0".. />.. <migration.. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.0-6.1.*".. alwaysProcess="yes".. >.. In place upgrade only part -->.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. If the machine is a DC then create DS role configuration status for Server Manager -->.. <conditions>.. <condition>MigXmlHelper.DoesStringContentEqual("Registry", "HKLM\SYSTEM\CurrentControlSet\control\Produc
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2206
                              Entropy (8bit):4.8067303052202295
                              Encrypted:false
                              SSDEEP:48:22e8v+86gfN0aHbIgQRJui62UB7MY4oBB2A:22C80aHbyZ62OMSb
                              MD5:B14BF2C174B64A1D538E9203315BC335
                              SHA1:B168F3D0908E73FC479150B6207F2AD94BAAE8B6
                              SHA-256:B0A119C72DE60CC76DF7A3367C156CCFE8875D5B51A5C821AE791DBB056AE138
                              SHA-512:E0943D10CA2204150FF9E327C3EE13611F2BC0F1FDEF351168C8E41457F8B7C50DC2BC328C97C561999A1B65D1954D6B40F1CC8FFF00957CD5EB9F7BF7E418A2
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DisplayConfigSettings".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. settingsVersion="1".. replacementSettingsVersionRange="1".. replacementVersionRange="6.1.*".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Connectivity\* [*]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\GraphicsDrivers\Configuration\* [*]</pattern>.. </objectSet>.. </i
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):917
                              Entropy (8bit):4.9381922501976065
                              Encrypted:false
                              SSDEEP:24:p/o2e8Zg+Yg0cjY5HB31+jeENgrVzJXMFhUK:22e8G+YgfAHfCeIgrxJuX
                              MD5:D39C6ACA15DEF54D49C02C38C63CFC4D
                              SHA1:A88301AE5B8CBC8FA18FAEEE25EB2F0F8470E3B3
                              SHA-256:96F19E0AFBD1F2D4D1571F684B4D41DF38B0C15B11815E9C13AFF483F462ADED
                              SHA-512:1596954772D2266FA9A06D71FD230BEF75A33DA916DDD3FB4B16644B136EA765FFCC691278BC0F731E01040A461F0935DDBA603B5FA508249A84DAC306AE07A5
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-DeviceMetadataRetrievalClient".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. replacementVersionRange="6.1.*".. replacementSettingsVersionRange="0".. alwaysProcess="yes".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%ProgramData%\Microsoft\Windows\DeviceMetadataStore\* [*.devicemetadata-ms]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):7642
                              Entropy (8bit):4.878551816017647
                              Encrypted:false
                              SSDEEP:48:22e8v+pygf6X4Y4UE9daTpyu3zpspycAyIAb95Bu4vuWFE4UE9daTpyu3zpspycd:22CpMo4u2897lku289cHu289/
                              MD5:D2A1FCB47D786405F2107A0604954BD4
                              SHA1:303969BC0AF9637DFDDBF44C7EF495691D392994
                              SHA-256:94D7AACBEDB060A2B1C156EE526DCAF331CC912E5CAE5D859CF04AF4C075666B
                              SHA-512:3633FA18FD7D2AB1BA16D5038DCBEEC6794F42AB448FE3BF42ECA70805435F0D4B20AEEC186F505811E17E32E132262D647EEBF17E3BAAFD861145ED13598C5F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DNS-Client-MinWin".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. Collect settings for vista state -->.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters [Domain]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters [SearchList]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSe
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2108
                              Entropy (8bit):4.825339144578858
                              Encrypted:false
                              SSDEEP:48:22e8v+7gf6X4Y4vDvuUBu4vuWFE4vDvuWuWY7f4vDvuUwA:22CTollaC
                              MD5:9F930AE453B0842015E5A04865719A96
                              SHA1:5C1CF60B47752A6334E65BCBBB1BAFF1D4C0516D
                              SHA-256:08A12C48DDBC131AC2C5F3DA65329128501C9E92F8F19A9FDF5EFF4700952592
                              SHA-512:628FC0EF7E6E3D3B3EE7B8983D47D33FD7C09FF525B46540A22B029BC6E640BA4BF8B783C5B530943858374AB0CCF77D28C12C9FBA2C40218FE5C931EDFED035
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DNS-Client-Core".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. Collect settings for vista state -->.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Dnscache [Start]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):802
                              Entropy (8bit):4.99224368263752
                              Encrypted:false
                              SSDEEP:12:TM3ii175cF+9VkDgV6cj3whQzA0zAjkaKegGXScYfA05Y5/yjRWd+A0tHd+FRZyQ:q/Vg+Qg0cj3K3bjkFJpN0o9MPFhUK
                              MD5:A5D56E8F64C5684F7A6D34A585AEE1A1
                              SHA1:AC5F0E4A70728B44BE746639832B2864236DACFF
                              SHA-256:F57DA5AED8BA5F8D7B7CC97C342543AB97390F5DA28926D8F22CB41470EE3A15
                              SHA-512:8B9DD6DFDDAB4B46EE0843D76CDFFA6F71CCCEB4CFF68921AECB68E1230E313AA96066394DA2475EEFD54B0DF1E1D156EF4196F8416B687C0FB6F49BFCEEE77F
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-DNS-Server-Role-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="DNS-Server-Full-Role"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SYSTEM\CurrentControlSet\Services\DNS [ImagePath]")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("File", "%windir%\system32 [dns.exe]")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):634
                              Entropy (8bit):4.907226746154442
                              Encrypted:false
                              SSDEEP:12:TM3ii175cF+9VbPgV6cj3whQzA0zAjkaKestScYfA0GT8d+FRZyuhURpG:q/Vg+7Pg0cj3K3bjkFplGMPFhUK
                              MD5:87AFDB381CD3F179B14FCF85614B9ED4
                              SHA1:58D0416219C9DAD8FC948024491A27BD0D1FCABC
                              SHA-256:6A1975DC4214044120D4019E54D7C3A757C3F516BAC4AACF813A4427F54CDD9F
                              SHA-512:F02C599E7D2120297DE963E0FD57D6DA6652E7EEB2F904B114C1242F1A8F476A01B2E0A04A48C4F9C116679ED2A355A6C423D2A52E6FAA747A2643218EABA368
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-DNS-Server-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="DNS-Server-Tools"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [dnsmgr.dll]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4309
                              Entropy (8bit):5.059776328378613
                              Encrypted:false
                              SSDEEP:96:22CBzmeQiHRAQgXx9QgXcOaBIpghKkQlwYBwkbsgo9:MmCZy7BhA
                              MD5:3A9306662FE93D09B05B9AE44128BCF1
                              SHA1:77A917FFE8FF0EAAD8F3D3B764836C810E4C9DF5
                              SHA-256:1988183ECBC3C6987DA9CB598C78B52D7563D995FA94D1E91E0470392E765374
                              SHA-512:DA1F2776E8D1E08076032365B0D463DC847A31C6C360181D9966488455E878C7738DEC6F2B39153B2A410E3BEB73A05EB524593D125077273343740826A7B9F9
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-dpapi-keys".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="1".. replacementSettingsVersionRange="0" .. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Protect [CREDHIST]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Protect\* [Preferred]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.DestinationPriority()">.. <objectSet>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1420
                              Entropy (8bit):4.80703006675234
                              Encrypted:false
                              SSDEEP:24:p/o2e8o7f75R+4ng0cjtEjq3VUI6WEdwwZV2GuZXrEdwwuYzZZXcFCUK:22e8o7f7P+igft8dI6WowacZbowZY9Zj
                              MD5:1A3C1BCB5EAE58F879F37AD22C4E9BC5
                              SHA1:8FA10AD505AB6D5739275BE81F46174FC9A7B8DB
                              SHA-256:03F8B0CA182A38987B301627C8D422A49FC0DDABDCA2DBABFCA58657434CD730
                              SHA-512:DF7BB44C8DDF1195A2F6DDB503B93C281711E92EB0D6F24EDB13632C1285AEF96FF0FD781E78E08877C4AC7B39A18B39BDBD08DBA4458055BBD1DEB05EB0BB79
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. description="Active Directory User Device Registration API Package".. displayName="Active Directory User Device Registration API".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-UserDeviceRegistration".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade,Data".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="10.0.*".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\* [*]</patt
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):923
                              Entropy (8bit):4.974754316258957
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+zcEQg0cjTi3NWJhFzcNq4NFCUK:22e8v+zcngfT3J7zcNq4jA
                              MD5:9617935B5AB3BB9E7055E8F1EC95A102
                              SHA1:B02DA4FB03F5E96249D0CDC339E24058AF18E808
                              SHA-256:A59AA9DC50CEE935225D571E63F96F2477C21830A8514000DA1E57B8265DD50F
                              SHA-512:DF48341A16A7BF948A81904715940387478020EA0189F8CD3877C08F5E5D55D98C3F091789FE968B313C55474F0611C9EED8AD2EB3AEFFFE8461A1A298D117A5
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Edge-Migration-Plugin".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{2A275F71-DFC4-42FD-8E68-B644F0AB4941}".. critical="Yes".. file="Microsoft-Edge-Migration-Plugin\EdgeMigrationPlugin.dll".. offlineGather="yes".. offlineApply="yes".. />.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):830
                              Entropy (8bit):4.957769176334863
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+Hg0cjh3u26ENgwQPPcGJXMFhUK:22e8v+HgfR6Ig/PPRJuX
                              MD5:AE4078DB50AA65B23DA50C6ECF39AC35
                              SHA1:64DDE8927F44EAB4FE410A01EB27FE512C379114
                              SHA-256:C2F02139B0A95121FD592F9352FC404A960974FE6A1D20C3B6F0819550787BF3
                              SHA-512:8FC47A4403ABE74290D166E7C9E71F89831BFD9FBC54A3FBB17FD4CE061476AF8349112E5D254187A022259B2F5A25B1DECCCC7217D4D3250315C77C866B38A0
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-EDP-Notify".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="1".. settingsVersion="2".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\BitLockerCsp\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1016
                              Entropy (8bit):4.641998910627401
                              Encrypted:false
                              SSDEEP:24:p/VR+IQg0cj06v3vUzFME34w1BXOH4wzL0FCUK:5+IQgf0bzFMO4iBy4iyA
                              MD5:7000F08F33FD1F3727F353C7E62D1610
                              SHA1:2B38E6910B18877173459F6B2EC30345280E12E5
                              SHA-256:E96CFDDCAAE6FD79E49491F7EDDC9C415DA73F9A2CE08DFB76F75FB50268F5B5
                              SHA-512:4439224E1D49823024455584A8E88E6FE925C695B06E4E491C2A5F897144AC83EEA3BD4957BF561E6E84F59536569580E0B2FA02424179BB9598642B19B76A98
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-ELAM".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. settingsVersion="1".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. include everything under the ELAM key -->.. <objectSet>.. <pattern type="Registry">HKLM\ELAM\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. exclude Defender's key -->.. <objectSet>.. <pattern type="Registry">HKLM\ELAM\Windows Defender [*]</pattern>.. </objectSet>.. </exclude>.. </rules>.. </migXml>.. </machineSpecific>.. </migration
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1424
                              Entropy (8bit):4.599579507926098
                              Encrypted:false
                              SSDEEP:24:q/uDfA2e8ZR+Qg0cj06jm3viHkElQwWAwUpXkFCUf:VDfA2e8v+Qgf0GrHkYQNAppmR
                              MD5:75E28254EF89FD731FCCA54B10430EA2
                              SHA1:7B8C0D2D483D6BE667895FF2C0A1DF85E72D15B7
                              SHA-256:CA8CB291126941C1E74175251B1A277F72C02CF05FDA55A44E875819E60F3CC4
                              SHA-512:384597AAFEEF4ED1314D22DD153F8F2A14FC66F18C2C65B94ED29C7E996FF70D3508F1FE8F75F54DF672D49D5CF7B8200305D5CD1EACF4FE239E79D27DFCB013
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... ../************************************************************..* *..* Copyright (c) Microsoft Corporation. All rights reserved. *..* *..************************************************************/..--><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-ETW-core".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1-6.2">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (464), with CRLF line terminators
                              Category:dropped
                              Size (bytes):2057
                              Entropy (8bit):5.107647159063472
                              Encrypted:false
                              SSDEEP:48:cbRttMTn70wbi81/+asg30p1JPIgQPJ5IgDwhtCwhtVJuX:UntW3m+0zFY527HQ
                              MD5:3956175734A7635CDC95DAB3F733BF11
                              SHA1:22FFBFE1002CF092C521C6548BB2689722401626
                              SHA-256:9D1760A9462E679A5EAA6C1DE6A2DCCA172C616752F292440F1C0AAEAC3E9312
                              SHA-512:B704EC60C6DA87798DE283D9EFAA4D50ABEC37481FFCE718EB3C4100F406EED02A38A81D99ECED4AF25EA461DFC4074F148443E17FF5D8B86337C5F78F5A9D12
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. replacement manifest for Vista, the original did not include a migration section, this one adds it at upgrade time -->..<assembly manifestVersion="1.0" description="$(resourceString.description)" displayName="$(resourceString.displayName)" company="MS" copyright="" supportInformation="" creationTimeStamp="2003-11-11T22:56:35.2127782-08:00" lastUpdateTimeStamp="2004-01-13T19:42:36.8260572+00:00" authors="ericflo" owners="ericflo" testers="" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="urn:schemas-microsoft-com:asm.v3">.. <assemblyIdentity name="Microsoft-Windows-eudcedit" version="0.0.0.0" processorArchitecture="*" language ="neutral" versionScope="nonSxS"></assemblyIdentity>.. <migration.. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. alwaysProces
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4062
                              Entropy (8bit):4.974822207141735
                              Encrypted:false
                              SSDEEP:96:/2Cr108w9j6cOU/xwAR4uDO/Xi7ok7xD9HsZxRJo:l+8uj//Mu
                              MD5:CA8FD2312C035F7200EE3F90F82E95A2
                              SHA1:803B347B7DDC75CB7400385CA052BC977EE771BD
                              SHA-256:5CE4FFF2A903F97894198E37ED45BD71DD542AF5BEC19A017D975E4CAFA50B18
                              SHA-512:185F17E7AF12DFB7AC0991B3A614C44A40A9397BF7A9C90EF636CE6DFA7F61E5E65D2608999AB9C1A3AE5F92F4A195D6AAAEA510FA493FC47AAECE765503229D
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-explorer".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.1-10.0.10135".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. Migration engine uses explorer-repl.man for builds with in the replacementVersionRange instead of explorer.man in the OS. -->.. So if a key needs to be migrated when upgraded from a build with in the replacementVersionRange to a higher build then it -->.. needs to be
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3019
                              Entropy (8bit):4.884926762491409
                              Encrypted:false
                              SSDEEP:48:22e8z2j+YgfH0LeIg6aFnJmINGbYgaFnQ7sPvh27+QgL7sYN2b4waFnw+:22X2qD0SPJv1/Pvh2S/pVN
                              MD5:63F04FB9936532B21E616E88E3EBED14
                              SHA1:56CEC96A0D4B10C6FC28C726B76BEF278CBC512F
                              SHA-256:61C5B3D0FD4051236AD00A0A39BE2F75F7E0DEC2AFBFF85617AED19AEF3FC650
                              SHA-512:66FF4756CE723378126DC6C1EC493B665D08387B3305A97ED9A80500CCCE6001DFB7F8957E8246C7C572D0362DA49EEC7AF8451B849F9E0E89FD8E14041CE75D
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Extensible-Authentication-Protocol-Host-Service".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1.7150".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Methods\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Configuration\
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):929
                              Entropy (8bit):4.941054504390184
                              Encrypted:false
                              SSDEEP:12:MM3ii175cF+9Lhj0gV6cj3AhQzAszAjUaS06aqcYfA0kkCd+A0Mtd+A05H3d+FRn:p/Vg+/og0cj363zjUV5okQbPSNMHFhUK
                              MD5:49BF28FD4FFEC1C3DC8978B761DF657A
                              SHA1:FFD8BCBF03A4C2199F2A7F33BB93FE09BDD3F375
                              SHA-256:BC91828FBC7651740493F965C3E2639DF66EB687A93F74F0026102C2E17728A4
                              SHA-512:5A00FE7D10A7B9781793951FB7E181B3617CB6AF49B2F3674FAEADB1DBE3ED7A9887CD467FF5F0F48BEDFCEA9352CC222AF620CDF2E0902AC8885EEBDE649453
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-FailoverCluster-Core-WOW64-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="FailoverCluster-Core-WOW64"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "6.0.*")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [scregedit.wsf]" )</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\syswow64 [CPrepSrv.dll]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1054
                              Entropy (8bit):4.9838583887553956
                              Encrypted:false
                              SSDEEP:24:p/VR+sg0cj0Qjm3vUafHZENgw5V2zluLJXLENgwwV29JXMFhUK:5+sgf0QBafHZIg6sluLJ7IgfcJuX
                              MD5:21579DC7DABDA251067EC4D1EB62CFC3
                              SHA1:3D15DD0D1E892B995601F8C1FF88377000A34C37
                              SHA-256:D5FF6B1E4B8387B14E628A42A56E22BE51D3EC309AC0846AE588FADED56F15D5
                              SHA-512:319490A9532595B9E128C3217AC06C84BB332A42695F6E3F424D8D39CE40F3219AEC5E373E87F3182CFCE164465E7ECCD77C6B5F069C5D27264E4575E0309B6A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-feclient".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="10.0.10240.*,10.0.10586.*".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\* [*]</pattern>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\Microsoft\EDP\*[*]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\* [*]</pattern>.. </objectSet>.. </include>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1561
                              Entropy (8bit):5.216779982285529
                              Encrypted:false
                              SSDEEP:48:22e8v+Vr5gf0JI56IgfbrDjrJmgfbrDj/BYgfbrDjrQX:22Cly8RjjFDjj/Tjje
                              MD5:5354043BE6C328F2FF61D2DA766CD474
                              SHA1:E543FAB83C145C71BE6A38C3CFB1D658F9AD3971
                              SHA-256:F555F05151BEB9F674140E762DFA612C7633290A70C3895C3B9235B4E6071206
                              SHA-512:48F7DA19E024B76B121640CF1EA84FEE09317AB636FDBEE234CC4076C4258C2813BFAD72CFD5916E29145194E22F1324A66D60A074F37D59293400F8C1E04FC5
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-Fido-CredProv".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,Data".. replacementVersionRange="10.0.*".. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{F8A1793B-7873-4046-B2A7-1F318747F427}\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern ty
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1290
                              Entropy (8bit):4.912454405794113
                              Encrypted:false
                              SSDEEP:24:p/VFPvJ2YQ8+Wpg0Lmj3gi3Nj4LDvuCPy2q3jR5OYymRvYfUYp2MPFhUK:NPvJ2I+WgUKQgey2q3ewRvSv2MNX
                              MD5:B0ADB8E2BC8B20F88DA11EC3568D8525
                              SHA1:FCABB838A59DB3C93494E134D997B5A66691A494
                              SHA-256:6AA9DB9D6DF3332678264255C61B02DF28D6BBD8CD2416F525C09E0818AB2CB5
                              SHA-512:2DCAF46657CC60C8108F2533BCAD24ED557603E7FA52F23F68BF5A1AC6A66768D61DA0B88587A8C9DDFBA96743078E154FC6D072AA145C3C92C98D2234711186
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-FileServer-Replacement".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. Installing File-Services will automatically install CoreFileServer -->.. <registerSDF name="File-Services"/>.. <migXml>.. <detects>.. Multiple <detect> are AND, multiple <condition> are OR: -->.. <detect>.. Install the File-Services update if File Server -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\FileServerRole")</condition>.. </detect>.. <detect>.. Here is the check
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (314), with CRLF line terminators
                              Category:dropped
                              Size (bytes):100794
                              Entropy (8bit):5.0253228977612245
                              Encrypted:false
                              SSDEEP:384:ifgLTeR40kKUzT7Hs/okLhHi43i41jFJVrvVro7ZhaRboPW2BnH4kb4k5NBfs4z5:ZKsrsQbaRbos0j85G
                              MD5:EBEA2DB6B1AACD4DAD0D351708AE125F
                              SHA1:D1EF013481674D171E53BB63A0BFEB5F82780676
                              SHA-256:A7E791421852280544294346E5A183DF78ECF0762F06626CD07404E75E723895
                              SHA-512:A2EDBCDC4BBC230C802CE06205CB7A8885AB98E0EF7477871C6AB8061FDF07286E66A1322486DD3CCD13E257317B8967BE79064B65FF81FD43B98F1CB7617945
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... replacement manifest for TrueType fonts, contains merely the gathering portion of migration --><assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Font-TrueType-FontsRegistrySettingsMigration".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-2".. settingsVersion="3".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <include>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1393
                              Entropy (8bit):5.027425662945494
                              Encrypted:false
                              SSDEEP:24:2dtis90vhC67SsKoKpl85ZOc+hkjngWgjE3X6vENgwwV2iuLkJXMFhUK:cdqhC675b48nJ+hcng91vIgfbuLkJuX
                              MD5:2FBDB1C139AF6A15C56A649C28567C92
                              SHA1:BB21E380292186A507F69D6CFE5C936441F5EABC
                              SHA-256:B953372D56DA812E74D79AEA458546C29E4A58D5234A438B2C99EEE4186CE7BC
                              SHA-512:2A1C081E81D525D32E60811C7673169D54FDB468D40E745E56F63367081441EDDF516835684492641517D5388A27C1D96C211411FBD44F80B59747D6079253FA
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.. replacement manifest for Type 1 Fonts on Vista, contains merely the gathering portion of migration -->..<assembly .. manifestVersion="1.0" .. description="$(resourceString.description)" .. displayName="$(resourceString.displayName)" .. company="MS" .. copyright="" .. supportInformation="" .. creationTimeStamp="2003-11-11T22:56:35.2127782-08:00" .. lastUpdateTimeStamp="2004-01-13T19:42:36.8260572+00:00" .. authors="ericflo" .. owners="ericflo" .. testers="" .. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" .. xmlns:xsd="http://www.w3.org/2001/XMLSchema" .. xmlns="urn:schemas-microsoft-com:asm.v3".. >.. <assemblyIdentity .. name="Microsoft-Windows-Type1-Fonts" .. version="0.0.0.0" .. processorArchitecture="*" .. language="neutral" .. versionScope="nonSxS".. />.. <migration .. settingsVersion="0" .. replacementSettingsVersionRange="0"
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1390
                              Entropy (8bit):5.116772135289911
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YKYg0Lmj3uV73VjkMEF4wwNmtwatNmtwwNKwatNOBX0FCUK:22e8z2VYgUKKkMY4fstjstfkjkB2A
                              MD5:37EE70FC23AC31119E912A5D31231ABF
                              SHA1:37ADEBEBC415C4A398F849289660A1D56A769001
                              SHA-256:130468C89436F2E0DBB1172CE539DA3E39EE9B636F7379773A74E5DF2037E335
                              SHA-512:8926DB40EFE7550890BA927E680E4E3920233CEEFCAC820A9B6F54DF4E61FF05944AC19F34770767B554C4FC97BD97DFD05253E5A410EA4DADD6D0EC52256C3F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="FunDisc".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementVersionRange="6.0-6.1.7000".. replacementSettingsVersionRange="0".. settingsVersion="0">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Function Discovery\Categories\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Wow6432Node\Microsoft\Function Discovery\Categories\*
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1101
                              Entropy (8bit):5.047781747277296
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+V8jg0cjh3u26ENgwWVc7w5c7wqJXMFhUK:22e8v+V8jgfR6IgOH1JuX
                              MD5:757B34E30C476140575C26E95E6236A2
                              SHA1:0936295EBAF2004228AA34BCDEED63F01D4F76F2
                              SHA-256:BF33A2E277CCF7A1A29A39E4A1D6126E460C72B0D1E06D1335471972C9EE3B47
                              SHA-512:C1D272F6EB57A107E435A669C0AC62CEE774BFC52AB42675E2C2F8C66BD53E9700C5A146580B630DD2E5F15BAE4AC19D2977D55C0830DA0225B4E48A72321ADE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SecureStartup-Core".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="1".. settingsVersion="2".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\DmaSecurity\UnallowedBuses\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\DmaSecurity\VerifiedBuses\* [*]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):10121
                              Entropy (8bit):4.925185083058193
                              Encrypted:false
                              SSDEEP:96:22CcNMoSHJ6twzkj3Tx/dSieyRN7sxm8xQg6YafSHJ6twzkj3Tx/dSieyR3YEWEp:TMibV1jdldp
                              MD5:9FC32DC431090B3C6B057BE441DA428A
                              SHA1:5FBEE3821278BDC78E1DE505EEA3EED3C32E74F6
                              SHA-256:122DE55AB581BB1C8ADF3822CDA9BD5DA36114ED765C578163899D3B0B8E5C4D
                              SHA-512:1CB761748D8F2C28569A612CAC94DCA5DF0793A6CC067FEE4C0502C255A9769DC67F6D09CDBCD544AC7EE2F4DC98C092C021D4A5E60439E574C95805727FB9C7
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-GroupPolicy-Base".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade".. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <migrationDisplayID>Performance_and_Maintenance\System_Settings</migrationDisplayID>.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\system32\GroupPolicy\*[*]</pattern>.. <pattern type="File">%windir%\system32\GroupPolicyUsers\*[*]</pattern>.. <pattern type="File">%ALLUSERS
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.101086918616923
                              Encrypted:false
                              SSDEEP:24:p/VR+mg0cjTi3NWMEF4wg+niwg+qwg+Tiw5EBX0FCUK:5+mgfT3MY4eieqemjB2A
                              MD5:6A2E65580B3056A4A60DED905FE57643
                              SHA1:B01FE7D4AEA7FF4C6A6EEEF8FE56D20A62DE43A8
                              SHA-256:0F2EEBB5378C3AD4D50578ED416EC28145D1F4E1AB18A914F7EC4E3834DB9B1D
                              SHA-512:8A99FA49C50D5C5D40D640F8DC0E8F369C0FEB4556BA3F143DA9F8005C83DBF6D9A2A3B14950F62F498AFA5DA853E0BDCF5223DBDD438E85A32347ED2B00390F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-GPIOButtons".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 [ConvertibleSupport]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 [KeySltDockSupport]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 [KeyButtonSupport]</pattern>.. <pattern type="Registry">HKLM\SYS
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1179
                              Entropy (8bit):4.815793495361154
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+hg0cju3I6QMEF4w5+Z6BX0FxE+Bg03IUK:/2e8v+hgfWQMY4jYB2O+Bgh
                              MD5:5EF5D219ACC29E27F09BE012BFF33904
                              SHA1:6AF0989517BEE7A9AA2F6E72A94147A34196EE36
                              SHA-256:91FD4AC02909F68F60AA879AC9526E44E5956C05156F32FFB5424C8A0B3E537D
                              SHA-512:F32E237053C952777E3A1F766FDBF8DACA39813AA678F29EB88D5FBEB85EDFEAFAFCF2B763FFFEC98B1A60971A11F9FC2BF3AAD9F2CD72E26614126288160634
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-HAL".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration replacementSettingsVersionRange="0" settingsVersion="1" alwaysProcess="yes">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Pnp\Pci [VmProxy]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. <supportedComponents>.. <supportedComponent>.. <supportedComponentIdentity.. language="*".. name="Microsoft-Windows-HAL"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1033
                              Entropy (8bit):4.985015717656309
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+zjg0cj06jm3vUz6ENgwQVBwQV7JXMFhUK:22e8v+zjgf0G7z6Ig/P/pJuX
                              MD5:79B95F0CA52A3EDF7031C504A1110430
                              SHA1:4C9DACE79528C7DD757F5BA07A3F2C9DA319BA2A
                              SHA-256:FA98175357648F81CD2D8584D85C850B019512E29075849FAABEA30593F44D30
                              SHA-512:E6F9822ED9A8C3CA9EA6E6F3FCF4959F69FB2C7427C03A1CEC59BEC60F02AEF1A6DAAB3B63536FCF8DD6D225A5A057FE1AA24143D1DC5E15B3E6F9003745D936
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-HelpAndSupport".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\HelpAndSupport [*]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\OEMInformation [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXm
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):942
                              Entropy (8bit):4.937170394830959
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF8+6Dg0cjV31jmloMEF4wuyBX0FCUK:22e8z8+2gfnDMY4IB2A
                              MD5:E1CD020DB885A6CDFA6A33D98B8282F2
                              SHA1:387339F69D460A75A08421A58D235DA57AD70F21
                              SHA-256:165C147520AAF7132D40479208D519873CF348693CF4B7D159D285162204990A
                              SHA-512:DFD87026480AEDA0BC6C49CE76B5091A0F6C9AAA992A656F9932BFDC334440933596B590C1E262F368115A06CA9CBDACEFBE350DFF3FF58624124432F43D9221
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-HTTP".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration .. replacementSettingsVersionRange="0" .. settingsVersion="0".. replacementVersionRange="6.0-6.1">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):75064
                              Entropy (8bit):5.993374334699346
                              Encrypted:false
                              SSDEEP:1536:Z+xLOqlqSocUQ/PMJ48Mvm5FAMbRuVEh2TP7lXhOzpAdWx8P2I:ZABMDclPMyru1RuB/VhOz2881
                              MD5:AA1FCC48EF987681086255E287FDC26E
                              SHA1:2F68706A84051D16EB9CC80C0A5AA489D8D3B1B6
                              SHA-256:8C781F307DD870EB0F629BD28F15962B0786C592E6C960982F3D94DA45D04B05
                              SHA-512:2987E7547DF6BEE22EF2F4A6F66E1F5DF25C56BD54D082EEC45C2CA73CE2EBEE6DB38F88A18577260D3F38F30951B55F685225BA3F0D9DD0375E43B7E69B1F9E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1072
                              Entropy (8bit):4.957272215657846
                              Encrypted:false
                              SSDEEP:24:p/o2e8Zg+xVYg0cjh3A62i0MEF4wuMeBXWoA9dSWFCUD:22e8G+ggfuTi0MY4qeBmo0dSA9
                              MD5:9BDAF64325D1DBD652E2A3A184356129
                              SHA1:11744C67232C3B018933A381824730481858BC56
                              SHA-256:A88CF075490967726B8C4BA82F9FB7F2A6BCA1A4D46FBAC67123EC08129577DD
                              SHA-512:9ADAE1497D04465681DED32844C16A9D77C612C62A5E1510E301DA3EE90BD99450D2D2C4C43D6F778FFF06C051E2C4F9AF7B904C5FCCB64903D13B2185D6A992
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-HWVid-Migration-2".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0-1".. settingsVersion="2".. alwaysProcess="10.0.*".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\CPK1 [*]</pattern>.. </objectSet>.. </include>.. </rules>.. <plugin.. classId="{28f2d4c8-eea0-4f7b-8b91-dabc0ed51d96}".. file="HWVid-migration-2\hwvidmigplugin.dll".. offlineApply="yes".. />..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1479
                              Entropy (8bit):4.9724792914246905
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+ijVg0EQ3mDovjosuhlCS4f/d1pMPo+ug03iEUf:22e8v+OVgv0LosuPCS4f/vpMQ+ugB
                              MD5:F584EDBD1855A5912E7C2E85D11D27F0
                              SHA1:1D81FFB40CDA0D2551870C7FEC1C82C246B8D323
                              SHA-256:4F032C2392DCE64776A2C2E9DA69C4253E9E408FC98A39C002391D4C79FD3189
                              SHA-512:4A5424B4824C8D05BF4A83D9B686DF151152D1334966577EC252A9B2E10E3DC869905740C61CB7D62EEB5494A1A5B997808EDE9AFCD79DD82AC81CC5F86114A1
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IdentityServer-Migration".. version="0.0.0.0".. processorArchitecture="*".. />.. <migration.. replacementVersionRange="6.0-6.1".. replacementSettingsVersionRange="0".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. alwaysProcess="yes">.. <migrationDisplayID>Microsoft-Windows-IdentityServer-Migration</migrationDisplayID>.. <registerSDF name="IdentityServer-SecurityTokenService" />.. <registerSDF name="ADFS-Role-Package" />.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "Registry", "HKLM\SOFTWARE\Microsoft\ADFS2.0\Components [SecurityTokenSe
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1971
                              Entropy (8bit):5.018277691606613
                              Encrypted:false
                              SSDEEP:48:22e8v+qVgs0Losub3MY4nSnU4nwIDmpFDmfFKzfB84zfwR:22C00KrM3QmUi5pM
                              MD5:D2D56B94FE6AE9200A6215095C23A784
                              SHA1:0308F6EC0752DC2821FEC55B25EE23AB11D2BC1A
                              SHA-256:E87CDBFC0F9E868682899DA8CA9C4D135D91F98FD456A9ED61844E64ABC3A155
                              SHA-512:1CB7A8381C6C7E4272AB4A10698742558F9C1E1F01C0BBF175B8099EFE5FC18757F359B934A328A2B2F50AA0163879BDD7AF9B6025752A3B1EE220FB3D5A6FAE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IdentityServer-ProxyMigration".. version="0.0.0.0".. processorArchitecture="*".. />.. <migration.. replacementSettingsVersionRange="0".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. alwaysProcess="yes">.. <migrationDisplayID>Microsoft-Windows-IdentityServer-ProxyMigration</migrationDisplayID>.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\appproxyctrl [Start]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\apppro
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1100
                              Entropy (8bit):4.94384795886721
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+VfYg0cj3+3vUIUQjxMEF4wQzwQP1BX0FCUK:22e8v+VggfpIUQxMY4/z/P1B2A
                              MD5:231FEAAA4F3570CEF3DB181F416835DF
                              SHA1:9B0C08250CAF0A3B0F701B8CD42618351008C240
                              SHA-256:6E8AED86FC8CFD16D5C9C54482EEB24B13A1685D83266921D981C7C17E3141E2
                              SHA-512:DB768ACB6778BA7E7555F50D6A9A1D5D65E9221F6228D9A5DBAA01DB668E7CC57E80DACE14D6622EEE934C4887B8D583BC73FB004CFCBA98F3DBF7569547E551
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-IdentityStore".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="10.0.*".. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\IdentityStore\Cache\* [*]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\IdentityStore\Providers\* [*]</pattern>.. </objectSet>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):970
                              Entropy (8bit):4.8073605418354735
                              Encrypted:false
                              SSDEEP:24:p/VR+ag0cj3h03lNVMEF4wOSPwOSsWDmwOS81BX0FCUK:5+agfx0VMY4IPI3DmI81B2A
                              MD5:DB4BCB3824BCB1C55EE4C659560F580D
                              SHA1:08737F1C36045F0745E39B798151B8415E156990
                              SHA-256:8159CB923DFD6B6B3E43D7288659E9E3F4D91724D4028C8FE0289CF465C3A6B5
                              SHA-512:9C0687F37CB96443CA07596447A663F6D00B89977545D8A04632B2EC53D82ADA5ACA8A3D02D18E4E6929CAD744CD400E75F1725FD41A96ED0823D4489934B4D0
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IIS-AdminService".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\WMSVC [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\WMSVC [DelayedAutostart]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\WMSVC [FailureActions]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1051
                              Entropy (8bit):4.7097341603512195
                              Encrypted:false
                              SSDEEP:24:p/Vg+wyg0cj3K3TjkVzs0WlFqR9pnl9ZPlzzMHFhUK:Y+VgfikVzs1ixl9h1zMlX
                              MD5:FB5642A3CFD6A0DF606FD0ACBC433E40
                              SHA1:38466C413283274AB78E191713B94780EA81BA3F
                              SHA-256:33EF00CD30BAEF5EB0B2E8F1973788D0C2F054C60F04986474C5733FCFF1D6C9
                              SHA-512:F398192C4678C8D131A06189CF02760E11EE1074C83E51E32E785E83166DC037EAEF4ED62BFF5DA25FB396608588D20BBE38324C297AF26A7D682B8BC7B8E223
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-IIS-AppWarmUp".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0" .. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="IIS-ApplicationInit"/>.. <migXml xmlns="">.. On a down-level system, we detect the presence of OOB -->.. Application Warm Up by looking for the WTR file installed by -->.. the OOB MSI -->.. .. DELETE this file and the references to it in sources and -->.. WindowsSetup.kml once upgrades from Win7 are discontinued -->.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\migration\WTR [appwarmup.inf]" )</condition>.. </detect>.. </detec
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):967
                              Entropy (8bit):4.832275799442703
                              Encrypted:false
                              SSDEEP:24:p/VR+DQg0cj3h03lNVMEF4wOQwOxWDmwOt1BX0FCUK:5+kgfx0VMY4amDm71B2A
                              MD5:5519A38EAA7986AE35413C1F13AEFA28
                              SHA1:9D8F9A067BAE4E197B2A8455EBD1FC9813084666
                              SHA-256:889F9ECABAF92B7E991024B4E4D5871CB0D20645D3969846D6E607C93887B4D2
                              SHA-512:D69A75579BBB3A50AE8397BC2BE4D2C0F06ED33FE341E7E58CAA2496A66D4919E2E7B7E63DCA48265DFFBFE844D39A7D76C2F50EFEE895960E153792E7BC507E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IIS-FTPSvc".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\FTPSVC [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\FTPSVC [DelayedAutostart]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\FTPSVC [FailureActions]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):743
                              Entropy (8bit):4.766628049619575
                              Encrypted:false
                              SSDEEP:12:MM3ii175QgF+91cgV6cj3qQ0QzASzANpPSDuqcsDfMfeqNCl6F+m6/2NvAMf+/hK:p/VR+Xcg0cj3h03lNVMEF4wwEBX0FCUK
                              MD5:92DFF82148D9B76AC110F3A8046B7190
                              SHA1:B26FE4D2408AFC9F554A8F9195E697578D8C46CC
                              SHA-256:C5F7D41729FC0931823E8CE00AC9F48B382836D3A5DC88D41B3A1B3AC3C132F3
                              SHA-512:C2D2368D672980D31DD9A3AC67850F9F4398479994AE9BC3148EAC22BFFC53CA367BE1BEB504B362578C0C39ABED2521A4ECDAFC755DDBDD35021DC0143A8C30
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IIS-ManagementConsole".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\InetMgr\Parameters [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1880
                              Entropy (8bit):4.864545020454707
                              Encrypted:false
                              SSDEEP:24:p/Vg+Qg0cj3F37zjUU68IdK12FtEF4G0VBXOF4ouB3P3VCyL0FCUK:Y+QgfRjHVsK1iY4G0VBu4oy3P3VCyyA
                              MD5:B3C9EDDA63F10984B700C638C90E92AF
                              SHA1:5E5649A48F283D7CE99BD573E06C69A4726E6A1E
                              SHA-256:E345786871D3446533CBFC353A5EFF316C473B1F793EDCFB2745658EE18A2A28
                              SHA-512:8D3228F8141518A00EFE0F8620CB830BFD137F110D905D38A7E297E53B320CE0393EF5625138620BE1ED144D503B8E3BBA8B4A29A87F329774B4001839FC4392
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-IIS-SharedLibraries".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. language="neutral".. />.. .. <migration replacementSettingsVersionRange="0".. settingsVersion="1">.. <machineSpecific>.. <migXml xmlns="">.. Allows us to use the plug-in to restore any captured config -->.. settings from the down-level machine or previous build -->.. <plugin.. classId="{A33259A7-E9DB-4195-A31F-57E3C4D74C49}".. file="Microsoft-Windows-IIS-RM\iismig.dll".. offlineApply="Yes".. />.. <rules context="System">.. These rules migrate the extension DLLs for IIS -->.. <include>.. <objectSet>.. <pattern type="File">%windir%\System32\inetsrv\*[*]</pattern>.. <pattern type="Fi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1306
                              Entropy (8bit):4.8059318926081644
                              Encrypted:false
                              SSDEEP:24:p/VR+lCg0cj3J03lNVMEF4wO8PwO8TIWDmwO88bwO87BXOF4wO8QL0FCUK:5+IgfZ0VMY4w+rDmNbQBu41yA
                              MD5:B82EC54B1F78A911FC2F2C7D4E3C676D
                              SHA1:8DC22984FEA870A17360B5AA448E9BDC2CD5475E
                              SHA-256:5944B728999D5D9F399FD3A90F77DBB871F136DDAAEF6422B0AFBFB8CE36B688
                              SHA-512:372481E4ECCE045B4D404DBB039775ED76BAAAAC2C14DAD207504A7BC5F1006006DB7B3ADC6DF046D0171598749B1BE359DB5ADC8C99501F617F3BECB9A89CA2
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-W3LOGSVC".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\W3LOGSVC [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\W3LOGSVC [DelayedAutostart]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\W3LOGSVC [FailureActions]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\W3LOGSVC\Parameters [*]</pattern>.. </objectSet>.. </include>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1286
                              Entropy (8bit):4.775214472200289
                              Encrypted:false
                              SSDEEP:24:p/VR+1tYg0cj3h03lNVMEF4wOSLwOS4WDmwOSIbwOSWEzBXOF4wOSWE4L0FCUK:5+1Cgfx0VMY4wwDmNbQBu41yA
                              MD5:35483FCCBFBBECB8789043F9C1EB4D7B
                              SHA1:F9C0FA88BB468954071557B0766EDAD49AFD762A
                              SHA-256:22C476D0A25F06C84DD29B8C47A4FB6E1E038E50698773F0998A13259F0B5FA4
                              SHA-512:9B066A2F4C277DDF141F200B4922C92BB4B9030F91674A8C915372ED3E8B97D96D2746C66C7C0B42C3551F870547D0860A9DC2DD256F5748BE1659B0F9C1EB7D
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IIS-W3SVC".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\W3SVC [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\W3SVC [DelayedAutostart]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\W3SVC [FailureActions]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\W3SVC\Parameters [*]</pattern>.. </objectSet>.. </include>.. <excl
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1530
                              Entropy (8bit):4.964270675749926
                              Encrypted:false
                              SSDEEP:24:p/o2e8Zg+ag0cjrVovlB3ImzlB8EN3vwQ1JXmNqBwQxXwQFwQOETMFhUK:22e8G+agfrCKI3v/1JmqB/l/F/jiX
                              MD5:283A242D45B57D583B0804E60CDA8A52
                              SHA1:AE1D45D229CB79B0756B7F4C6A41E7C466086FD3
                              SHA-256:EA0A03F6AD78E83FF0162A4E0BC9F0C3BB6E68CF1FA7AD24601DD6CA5A1DC7FA
                              SHA-512:D987A7E2209853AAA11C2936FB74C8E237804B1BD1DA7CCF68A11744921FD7DF427FDF772373D02088B24B348BBDC33D9EC2F6A42B8E74C4400F3FFF8F01C88E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Desktop_Technologies-Text_Input_Services-IME-EAShared-Migration".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. scope="Upgrade,Data,MigWiz,USMT".. settingsVersion="10".. replacementSettingsVersionRange="0-9".. replacementVersionRange="6.3-10.0".. >.. <migXml xmlns="">.. Gather the registry keys that need to be migrated -->.. <rules context="System">.. <include>.. <objectSet>.. keep whole InputMethod -->.. <pattern type="Registry">HKLM\Software\Microsoft\InputMethod\* [*]</pattern>.. </objectSet>.. </include>.. <
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4907
                              Entropy (8bit):4.8772779989190385
                              Encrypted:false
                              SSDEEP:48:3J1j2e8v+WgfN06uYDdNASq3kbFBVlcLzB8DdNASq3kbFBVlcLzw3IZMSpBJ0Zqh:5l2Cn06uWASZiFCASZi2WZhD
                              MD5:34D9D8AEDD61CF3D25DB4BCF9D94DCF4
                              SHA1:0705546246ECB2BFEDA3E187727271A096DE4F2E
                              SHA-256:1AAB50CE5733C2763F8B9F6B3D1C08FADC5CD7F9048032C78114A82A49419C07
                              SHA-512:D385AD9F1377307C48C4783287B09B789CF88863363C6B3305AAEC3D78D720C4DF89D06E5ADE2CDF4C4D199A956A4F6A7B956A19375696AFCEAC0E73C6F590EA
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.... replacement manifest for RS5, the original did not include the system default user keys -->..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-International-Core".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. Migrate system Locale data -->.. <rules context="System">.. <include>.. <objectSet>.. Locales -->.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language [Default]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3604
                              Entropy (8bit):5.066187014138938
                              Encrypted:false
                              SSDEEP:96:PU42Cg0NG077Rz8ilMhrkCMCrDos1PeR7y:b7HAPh
                              MD5:CFE661C9FE8E6A4B45DED85FA68EB800
                              SHA1:70EDDE6F5AAA218EF9F8CC38B07A4021064CAFA6
                              SHA-256:AE74A7760BB6236E19DE127C7E99AEE1ACD201E675C2E7FBAB4B192429679571
                              SHA-512:59F81CC6D739B1992B45AA56A506E336A2414AEDBFB9D3BEFAD8508327833EBDECCC1D48D582680E640957B612D0D1AFC95A716AE2ED24AF303A70B7FC04F76A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.. Replacement manifest to allow offline migration in Vibranium. This manifest file can be removed once upgrades from pre-Vibranium are no longer supported. -->..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-International-TimeZones".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. Migrate timedate.cpl additional clocks and DST notification -->.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Control Panel\TimeDate\AdditionalCl
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4699
                              Entropy (8bit):4.970571235375805
                              Encrypted:false
                              SSDEEP:48:22e8z2j+xtgf40LeI4JoJMNbXRVbH9p1bDPwMn7oQytHorRWkl8gOq2q6qEFoJTX:22X2qxV0Sd7nb97acsnq6qT1GHQ
                              MD5:6F55D0F64D9EF90687FE27E9127D70C0
                              SHA1:74E4A382D893E55A8093E82DFE8201480BDA6112
                              SHA-256:7C2A657F32D1775010F0325B7D0071EEC0B9BF14C9F98328E51274FE10A8F7E7
                              SHA-512:8FC80FBC1B722A04547C3ABA7A1B890FE25D88142B1282156EBC7C7D1627BE65892C74E3F4E94CB7E39C153DE585980B454661E8ACE1316F71AACCC3E9E87346
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Internet-Naming-Service-Runtime".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Wins\Parameters [WinsInternalVersNoNextTime_LW]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Wins\Paramete
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):640
                              Entropy (8bit):4.908668841876057
                              Encrypted:false
                              SSDEEP:12:TM3ii175cF+9lO2AgV6cj3whQzA0zAjkaKhIstScYfA0KOXd+FRZyuhURpz:q/Vg+xAg0cj3K3bjkFhIsotMPFhUf
                              MD5:7F0A4353730B68517FE8419E8194A376
                              SHA1:362031925DBB95B8AC917B3DCEA5494A2C984B17
                              SHA-256:CA95684C182E1321DF80EC0181EBD4F2FE92B52D93BA449AB95F9BE26F6512EA
                              SHA-512:B6546354EC4163FC76C5D18493B2CF41C5F44D4D87C8AC2B501DCB1B19B0A961BCA10A1D9C4F4AD9418537BBA5238F4EFD5D417DE10C3E663C3AC57D4306EFF5
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-Internet-Naming-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="WINS-Server-Tools"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [winssnap.dll]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3805
                              Entropy (8bit):4.963496490211477
                              Encrypted:false
                              SSDEEP:48:5+IdmQgwQNH1Y6QRm0bGHlNuaDAbshapgxUbyp1KMwMTLBuojcBc5hJyA:AIdwH1GReQ2poS1
                              MD5:0340618A79D2CA3B7EB5AF1D69A9A394
                              SHA1:FAEC9A6CCEE21DD7226AE279B94C0425C8DAF98C
                              SHA-256:10C014FBB83DB57413E36D914F34DFCA8B05A46E05757D377BF374C7CAB54E36
                              SHA-512:5BED51E0CD74CC15934673A8C1D90F1CDE753226CD68C14F8DAF26C97F20B75200448DE58CC5A330E000C0607222F6F04FDAED5ECA0171C33090EC3F136FEF73
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IPv4IPv6CoexistenceMigration-Net".. processorArchitecture="*".. version="6.0.6001.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="1".. replacementVersionRange="6.1-10.0.17134".. settingsVersion="1".. >.. <machineSpecific xmlns="urn:schemas-microsoft-com:asm.v3">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. Isatap settings -->.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\IPHLPSVC\Config [IsatapState]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\IPHLPSVC\Config [IsatapResolutionInterval]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\IPHLPSVC\Config [EnableIsatapResolution
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1309
                              Entropy (8bit):4.880077026182801
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+NCg0cju3IjxQMEF4wQV0wvBX0FxE+NKg03IUK:22e8v+AgfXxQMY4N0cB2O+4gh
                              MD5:C0328E29C135D4521C2BBFAB5A64FC93
                              SHA1:FB12F1D897A40F2F67E569180F86773136792B83
                              SHA-256:FCEB03E4055B014F6174E86A577B035EDCB879D2B7CCED689DEF1DCA6E641861
                              SHA-512:0C73A319529B9C6685BDFA9A345716925F7C7234885CA4844FDC2947FC92D4B725127230BD1343769DDB5683868BDE2342F1709499B787097F1CCA79115BBC1E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Kernel-PnP".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration replacementSettingsVersionRange="0" settingsVersion="0" alwaysProcess="yes">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\DeviceOverrides\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. <supportedComponents>.. <sup
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1203
                              Entropy (8bit):4.91746210540713
                              Encrypted:false
                              SSDEEP:24:p/Vd8+Clzg0cjh3N9ENgwfAl0bvwfARwXdw4ewExJXMFhUK:a+CRgf5IgJOv1adRebJuX
                              MD5:1192943BEBFD06AAB945C9F7046B1A2C
                              SHA1:23AF89B2D9656C854F31FA9A4F5EFAC3073A0061
                              SHA-256:7E4C40C0455BDCCF6E2B57375AE2A8A61325721BE66FE08D507E0FF212127755
                              SHA-512:AC9FA19D13091140C03ADA5B3693D7A168D42BB529974BA3DEDB469FFDCBB4474139973F1D83B4104A2D495AF096304022DDB72C9059A277DD34C76507AE0694
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-OS-Kernel-Server".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel [DisableExceptionChainValidation]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel [SerializeTimerExpiration]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\LastKnownGood [Enabled]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\I/O System [DisableDiskCounters]</pattern>.. <patte
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):896
                              Entropy (8bit):5.032284733814976
                              Encrypted:false
                              SSDEEP:24:p/Vd8+N9yg0cjh3uEENgwwV2EEwwV2EUkOwwV2QAJXMFhUK:a+igfhIgfWfWf9AJuX
                              MD5:3DC8BD1FFECF87366901C7C1EF106CFA
                              SHA1:322E0B712360D026BF0DC027E80303BA1642B773
                              SHA-256:54B8CBC3BFA3E48D2CA44CFFDEB7DE38C9C00C94BDE54234EAC33E3B719660B8
                              SHA-512:1D987093BE7D529DA63A883A70EEA3DC3B760F62FD3D538C9F233BF5A22B752DEC6A5D429FE8BD187EDE28C134EC56B3888A6E6062CBD4BD29965098D442C43F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Kernel32".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="1".. settingsVersion="2".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [LoadAppInit_DLLs]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList [DWM.exe]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):657
                              Entropy (8bit):4.902403308799488
                              Encrypted:false
                              SSDEEP:12:MM3ii175dgF+9r2zgV6cjfo0QzAazAUSck7fMfWqNal6F+V2/+Gazcvpm6/eNnAJ:p/Vd8+NMg0cjh3N9ENgwwV2EzceJXMFX
                              MD5:AA7D932E26DB20CB32332517DDBF8806
                              SHA1:4BD4C7A22417A0567B7CE8CDC0302C0FD4606B21
                              SHA-256:0DF49CC11E5D42CF8660F45C895A203E2F850DB6871591A81D0AABF321402BAB
                              SHA-512:9A58CE08F6C619534E3622479142F5AA6BFAEEBAF2997514F1577CF9C628960A6566A6A3B86863611689364E7C7837598F360716AF28BC5BEC36FE5F14471C34
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Kernel32-Server".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [RequireSignedAppInit_DLLs]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1095
                              Entropy (8bit):4.976174799333973
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+UX6g0cj3+3A63sDEF4wwVpQwuoMBX0FCUK:22e8v+DgfLUwY4fcZB2A
                              MD5:ECC51190BD585AB376691BBDDF2A638B
                              SHA1:84DE01CF25B71C0BC4D16FAF65BE1589E385EAF0
                              SHA-256:6F15C7E90A3C414BEAD4C1C50DC5E7CAB987D72E2F49953B717A879D7745038C
                              SHA-512:C0626F92BD934A3C5295EA32D63910C3F51E0A47CB6287C698C0DF7EE66C1D1A1867FDE10F824BD7514566C69CD2DA16571D3F0DC56FE9DE39D13F89DFE2A02A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Embedded-KeyboardFilterService-Client".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <machineSpecific>.. <migXml xmlns="">.. Per-machine state -->.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Embedded\KeyboardFilter\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\MsKeyboardFilter [Start]</pattern>.. </objectSet>.. </inc
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4788
                              Entropy (8bit):5.010920958586404
                              Encrypted:false
                              SSDEEP:96:/2C4xO45IBtL7LGausAkTqaOJa5mas1kasKGBtL7LGausAkTqaOJacFL:W5A5sDsNy
                              MD5:05B661D2418501CDE06FC1FA0EE1302F
                              SHA1:71143C3EEA5343DE0716BA4F4A3B1A9B1F02C08F
                              SHA-256:C520AC4978A0544D235C9032A0A5E3693FD248885AD3AA90E5C9780B7ABA1800
                              SHA-512:AC17DB0530EB47A636396E297C06E86601CA069F7ABE67607D2D2BBF538D4F9366BE08A843A453D5AF4268C354F90327EFF3BA19D950AE9A1E47EDDB1F388780
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SpeechCommon".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Speech\Voices\TokenEnums\* [*]</pattern>.. <pattern type="Registry">HKLM\Software\WOW6432Node\Microsoft\Speech\Voices\TokenEnums\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\S
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):25564
                              Entropy (8bit):4.970479467142424
                              Encrypted:false
                              SSDEEP:192:7IL/0rEaBhddpDzWWvQ3tI8o1oMwoaFQF9J5t11aQOve16vRavoR5Ct+sPg03NmT:m0rEaBBpDzxZqEzuD5mAt0I
                              MD5:EEB1A32C393C50BD5247C4D61873DDA5
                              SHA1:98BD3E2E4AB1FB5D39F04CF78AFC97793A021160
                              SHA-256:33CBF70392E26C8D17B2E57DD5D38AE7EC1E74EC55FD2A0BE41FFABF794D1A12
                              SHA-512:FB4C3C31805AA4DF0B42677B6E5B8EBB6D88D4159DF6E609D24E8212033EB759150C01F7EEA80925309005A7A533F2D0A9291E788D5014DD569BE2EB77319352
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-DeviceManagement-Migration".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-10.0".. scope="Upgrade".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <environment>.. <variable name="PROVIDERID">.. <script>MigXmlHelper.GetStringContent("Registry", "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MDM [AuthorityName]")</script>.. </variable>.. <variable name="ENROLLMENTID">.. <text>B92E7305-9462-4B48-AE6D-57D9D09FD698</text>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):993
                              Entropy (8bit):4.965595446132204
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+VGg0vj3gi3m6jENgw5VMTJXMFhUK:22e8z2j+VGgSQ3AIg6IJuX
                              MD5:DB70A8758118BB964379B3A405BD20F2
                              SHA1:C378110125923CE15EFAA8A6D94CBD8CFE0DCE3D
                              SHA-256:9BDAABDD5C56C8E786DC6388D027DD2804A8D24BF7D28778C0D71F6EE7BA64D5
                              SHA-512:1466707F570F27D86DF5730C10566D8389837E11E71089F09A0046A8C927748A1D70EC2FB4F0BAD6E441A454C9A5015EBD8BC4058F4EF077920DF19E9061F0D6
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-SystemSettings-VideoSettingsHandlers".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. scope="Upgrade".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows\CurrentVersion\VideoSettings\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1030
                              Entropy (8bit):5.0835033098528655
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+jlYg0vj3gi3vUUDovjeENgwwV5vJXMFhUK:22e8z2j+jlYgSQHU0LeIgfXvJuX
                              MD5:37EA6D05BC8A8548DDBF08AE37DC8B4E
                              SHA1:EB86176B206DF634EE0C1B285DCBE95581E224EF
                              SHA-256:8166CA0D93CC8539E7423436B3FA4316D3842278B378328B0B371AD3A60AC536
                              SHA-512:E6E22154FD2292586312C1428FA9D8BB71CD04F5DFD3B5FDA9CC5DECA6ED4CA1FEB6581BD8806E6DE1C76579CE3140C9BF889E441DC44BB6A09870B2F531381C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-MFMPEG2SrcSnk".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Media Foundation [EnableDLNAProfileID_KO]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1090
                              Entropy (8bit):4.98782876850671
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+4g0vj3gi3vUU6jeENgwQVdw9wtVrJXMFhUK:/2e8v+4gSQHUGeIg/DDNJuX
                              MD5:2463FCED4E2E82AC21953710EB57B48B
                              SHA1:C64DA826E5F1B7FAA8630BA1BE3D32866A483B32
                              SHA-256:C72731A84D92020B2558EDB760EBF3D5BC0096D3FBC9C346EAFC322C875269F5
                              SHA-512:3E5A6C4E3960C20E6C8651AE3CAC4473E895DFE313A3208304F939714A3F479DF48FF71F78B3D08746BBACCAC172133542787A723BDB1157841EF0A092BBFF9B
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-MFPlat".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. scope="Upgrade".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows Media Foundation\HardwareMFT\* [*]</pattern>.. <pattern type="Registry">HKLM\Software\Wow6432Node\Microsoft\Windows Media Foundation\HardwareMFT\* [*]</pattern>.. </ob
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1164
                              Entropy (8bit):5.050722711217062
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+WYg0vj3gi3vUUDovjeENgwe4Eu3gwe4E9wJXMFhUK:22e8z2j+WYgSQHU0LeIgYD3gYGwJuX
                              MD5:BE7BDC6B2512A9B97B68A0EF77CB81E8
                              SHA1:604147E7C9913836A50D759DE1A229ECEE29C677
                              SHA-256:49AFC0344F37AF5E7B43FACFBB1EAEFD47FAB06ED7BFA30902EE5D41AE091D77
                              SHA-512:82181E340EFBBF980918BBB4E7AF67F13330CE9F55FFF7E8C49588CD88F9445552D0B2807858EFC5C502A6CF3926BD3937A18EA6AD46C3E9E08AB7BF84939C0B
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-MFSrcSnk".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Classes\MediaFoundation\MapAudioFormatTag\* [*]</pattern>.. </objectSet>.. <objectSet>.. <pattern type="Registry">HKLM\SO
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):703
                              Entropy (8bit):4.9571300909108515
                              Encrypted:false
                              SSDEEP:12:TM3ii175cF+S685QgV6cj3whQzA0zAjkaKt8kScYfA01jdFbP3JOH3d+FRZyuhUK:q/Vg+Sqg0cj3K3bjkFKbxOHNMPFhUK
                              MD5:B604BC38D23A7B95A4896D9A24BD3F0B
                              SHA1:4B40E43CF43631744079BE55326C80958A2F2C70
                              SHA-256:632FF0D409C6A30F2D34ACFFBAA6A2EB7D24D1BBD4C4DE8CB1C7741446B9ACBB
                              SHA-512:6EA649822F271E749E957B481C0FFE120DE2A77D93E9C2D686B01665E8349368C913176774355DD659475EED96AEC70E7D0EA4DC63C282D9D2D78FC5B85E45E5
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-ActiveDirectory-PowerShell-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="ActiveDirectory-PowerShell"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32\WindowsPowerShell\v1.0\Modules\ActiveDirectory [ActiveDirectory.psd1]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):103224
                              Entropy (8bit):5.824591286682594
                              Encrypted:false
                              SSDEEP:3072:lg9dIE7UHAsdW4tsSFFJ1uL/jpIILB7dOl:l0IE7UHAsdWBuFJ1u5h7u
                              MD5:36BDEBDAA676FBDC5A6BBF2E7D07F25B
                              SHA1:506EE1CFE284D7C7D920A58D201890227FD856F8
                              SHA-256:CDC76C51F3088E7CB851B5C3F03C24238F1E6E786E256C9650607B3AEECA2B55
                              SHA-512:C31E5C461934BE57093DF2362B7F5BE444EC0CA8561F9614CD315AA85F309B0F0686F16968016F50AA619CCA8725597CE81C015AABBEC71017868296E9A22F9F
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1941
                              Entropy (8bit):4.861537145678193
                              Encrypted:false
                              SSDEEP:48:22e8v+phDgrcHreIg/0xJ9U3C0gcj0kqIg/0xJuX:22CphPHyx0ruS0N0kqx0rQ
                              MD5:6F0056EC818D4FC20158F3FF190D6D6A
                              SHA1:9E2108FE560CC2187395C5EED011559D201CE45D
                              SHA-256:2F9596801DBE57D73C292BE4F93BD0C05F6D0A44C7A45F5F03FDBE35993B7DEC
                              SHA-512:72C193919EC4402D430CCBCC4F9A9B25DC9AAECBCCAEE666EFE20DA4133964D2382F1090EEB8FB0A3073ACAA7825AF7A62B59447D29F912A19BD4C04CDDF1AD1
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateAuthority-Enrollment-ServerUpgrade".. processorArchitecture="*".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\CES [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>.. Detection of CES. -
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2089
                              Entropy (8bit):4.8768527172722544
                              Encrypted:false
                              SSDEEP:48:22e8v+p1c4grcHreIg/7BJPC7wcj70qIg/7BJuX:22CpGUHyx7bK7d70qx7bQ
                              MD5:AB903CADB005197B13766F52D136D806
                              SHA1:1FB2DBE67EFD361C480A290BD32E68A98640E818
                              SHA-256:E2E054121161DDAC20C9BAC9CE313A9DB38D9799F40C16490B5E34E933C79081
                              SHA-512:22CE6CA1B0C6C9DF6C7357D5AFF4A85323626F4666B9CFFF6F6CA1110FCEE9E08CF565EBC92EC7EC565337FADC55FE524FDBB1E1BB6DC6E72606696B534BE975
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateServices-CA-ServerUpgrade-Replacement".. processorArchitecture="*".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\CertificateAuthority [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2018
                              Entropy (8bit):4.898851377216509
                              Encrypted:false
                              SSDEEP:48:22e8v+p1hi4grcHreIg/zJdlCKcjSqIg/zJuX:22CpmUHyxtd0zSqxtQ
                              MD5:4D23A02F2A5AD3B52943F22ADA22D6EC
                              SHA1:ACB4D041297A045509E384BFA3C0924545512BAE
                              SHA-256:E0A2DBF5155406E5B129D4679499050EFE458DDC7E3EAFA7443382BFDF2507E3
                              SHA-512:8FF6B25D45EFF518A259DD2F5144011F88CC6B67B415334592A8E346540069141178A4C4114394A429F344964F5C8845A50E902A787E6BD67FA87BE55E1F982E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateServices-MSCEP-ServerUpgrade-Replacement".. processorArchitecture="*".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\NDES [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>.. Detection of
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1959
                              Entropy (8bit):4.882392453792846
                              Encrypted:false
                              SSDEEP:48:22e8v+p1z4grcHreIg/0JrzCrcjJqIg/0JuX:22CpNUHyxYy8JqxYQ
                              MD5:5917EA1E41362C504661C305D2C040F4
                              SHA1:57429AF25C8EB72A66EE47744508C57A3F08EC50
                              SHA-256:216299198CD60A234170A0A8DB5069ACD61FD32FAA607B4615EC17052417FD4B
                              SHA-512:B9A201BF7838D97DBAD04EFAFB2876DDD3F28280B4D5687C11AE432A63392E2318FB12960D2C9EB7F17138AC714DC28FB3EE4C4F6A84CF308427AD4B0F6E0489
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateServices-OCSP-ServerUpgrade-Replacement".. processorArchitecture="*".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\OCSP [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>.. Detection of
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1936
                              Entropy (8bit):4.869202117018885
                              Encrypted:false
                              SSDEEP:48:22e8v+p1iDgrcHreIg/9JYZCccjYqIg/9JuX:22CpQPHyxvRhYqxvQ
                              MD5:1596ABE6152DF38D6A595041738FE55D
                              SHA1:8E97DB53C8EC66276D63B4BB907D6D87288EBB92
                              SHA-256:033939DC192AA3B325F80BADA31638054E1DA3F6371D39D828A504C1DBE3D61B
                              SHA-512:2F55095ECCF77774621BC5D01235842A7273EDF6695A3D5AA3790ADFF8242FCF7A0528DAFC0B506712A2711E7C7D8D18E6B469EEEBC484489782EE8FACF5D607
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateServices-Policy-ServerUpgrade".. processorArchitecture="*".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\CEP [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>.. Detection of CEP. -->..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2057
                              Entropy (8bit):4.88521851805812
                              Encrypted:false
                              SSDEEP:48:22e8v+p1b6r4grcHreIg/kmJntYCkVcjk/qIg/kmJuX:22Cpp6rUHyxkKFkKk/qxkKQ
                              MD5:F5BD25D42A96EFD20CB965B288EB304B
                              SHA1:42F019E794B160C9DC1ABCE27660DB80B326BB67
                              SHA-256:255860291292C727E5E5D2F8424A853153F288767D6B40C4C214B8CC074F09BF
                              SHA-512:B6CAD2B83C34AFEC211CC6079E185BD90AE76F1A067BB2F97E6B82FD0D98FA720E3AE67E4B8A547DACFF12FCB701B5174AEB38AD0C68E1BBD880A7E799330409
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-CertificateServices-WebEnrollment-ServerUpgrade-Replacement".. processorArchitecture="*".. version="1.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\ADCS\WebEnrollment [ConfigurationStatus]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <detects>.. <detect>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):246792
                              Entropy (8bit):6.299121402341905
                              Encrypted:false
                              SSDEEP:3072:gjw4G0QnxJCQhuUOh4m0/BSN00Oqhj+BzKsIkPS43o3S7zXLP7/5HEtK4zC:gM4G0MJCYuUOhQ/rxmuXn5HEtdC
                              MD5:06CAE5C853C0FB36CBE05B839A3D3FA4
                              SHA1:1EA6D91DB51EFBAEA7A98CE1B33723921B7A80C8
                              SHA-256:D77CB9FC506FB4849FAE72F927CA187A1E620019C7BED482E0B53AD586B6A0A1
                              SHA-512:2432DEE5B2D9C2C6EF20361B40B87B88E42DE513DCC0F08B56DF593993B7F8780E9B94439046903FFDC271A371FF10F0FC6DF7D0A6648169779DF4EC2B462EEA
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):12288
                              Entropy (8bit):2.235017951585192
                              Encrypted:false
                              SSDEEP:96:uJSQ8wInU37eAwQMxL/A+L5IndxLkRMd:+SQ8U3OQMxJtIxIid
                              MD5:8B867CDACE52E32DCD0516FE32680768
                              SHA1:90A028F6CD7DFAF474A01B5E7D1A0753D6B2B8A5
                              SHA-256:1D9106035722D9A2CC76693535C597CC848323E7D8CEF0A3B3B7ACF1759A8139
                              SHA-512:FD943110B1598C0843F3FA36C7C6700C41C731EAFD20AD3DC7488AE4A4B2DE606450CDF4ECE7EBC62E85E8229900AF1E42143850BCF271ADB5B12053D75DDCF4
                              Malicious:false
                              Preview:regf............................... .... ......s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t.\.E.d.g.e.\.E.d.g.e...d.a.t.....Q.........:.....Q.........:.........Q.........:...rmtmR..fR.................................................................................................................................................................................................................................................................................................................................................W.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):112480
                              Entropy (8bit):5.892486279154937
                              Encrypted:false
                              SSDEEP:1536:yPULoMyGa7E9hGDDqNCd9tK4dVVOWSrp3TkMiV8dj7aFUC0V71MYbKBrP8zud:jdfaY9kD8CDk4MWSrp38UC+71MYbKh0C
                              MD5:ABA94837F79BD2BE433F083F5B71A4B8
                              SHA1:D17D91E4B4EFE00005799B6BD3C8DEEBD8E86C95
                              SHA-256:EB39D91D4A5011D7E309955B5B5CD76EA28FDB55E29F9BBEDFD10206D9B4B0AC
                              SHA-512:E0AF8EEEFA583906A2A00A988007A39A5648C4E2F642A66B9EC1979EFD8BB201FFA53DA014165EFDC663FB726F1730F072AB04E850F2F435BA002D47BAC24C9D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):12288
                              Entropy (8bit):2.8272292310753895
                              Encrypted:false
                              SSDEEP:96:9Y5MCASkVHOd/JAh0R0P8UFgRcQFHnb6qkqUHvJoFH+WqkqUHvz+5:1CAF180zFNHJeJH
                              MD5:D379E58A3B73DF3EE67888CFAA3E098D
                              SHA1:31DBF3B7E903F71441306893A28CA05953D0FDD2
                              SHA-256:BAA9C755C4C9FA2C31EEEFBF8DF2C46B0077BFF93A3F1D79D56C483651F19286
                              SHA-512:4D8008ED2F7247841E302B62310AAB44765C4AE5578E1BA9799F7EC58769638FE18EE76DF982F2939888F8CEB321D7B7F8A00833EFCB0F94CA06198386D07005
                              Malicious:false
                              Preview:regf..........D.................... .... ......o.s.o.f.t.\.E.d.g.e.U.p.d.a.t.e.\.E.d.g.e.U.p.d.a.t.e...d.a.t.....Q.........:.....Q.........:.........Q.........:...rmtm..?cR.................................................................................................................................................................................................................................................................................................................................................8.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1368
                              Entropy (8bit):4.703793069734045
                              Encrypted:false
                              SSDEEP:24:q/Vv+R4JjVg0w6jm3veHG0eMUENAlFi55eVIVJXkxdw755eVIVziFhUf:Q+0Vg7G/m0eMUIG0eWVJ0QeWVQ2
                              MD5:A155CE9221F2B4B152AB97D1F7ACF1A9
                              SHA1:3077F672DA791BE2234C791FED048C63CD44B741
                              SHA-256:700635A17309469658AED0A433FECE776A7CF878A9ED0405A695E3301767EFE7
                              SHA-512:162099C6C372658E6B265713501E158BF1DC0DD6E72FB2A9391EAD4A38166D511952FCDF311C18DF105AFE3D4B80D91D6D308851454366FD9D904FA6DA5CD6F1
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity name="Microsoft-Hyper-V-Management-Clients".. version="0.0.0.0".. processorArchitecture="*".. language="*"/>.. <migration.. scope="Upgrade".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. alwaysProcess="yes".. >.. This is used during in-place upgrade -->.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("File", "%ProgramFiles%\Hyper-V [vmconnect.exe]")</condition>.. </detect>.. </detects>.. <rules context="User">.. <include>.. <objectSet>.. Collect Hyper-V client configuration files. -->.. <pattern type="File">%appdata%\Microsoft\Windows\Hyper-V\Client\1.0 [*.config]</pattern>.. </objectSet>.. </include>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):634
                              Entropy (8bit):4.732725808698942
                              Encrypted:false
                              SSDEEP:12:MM3ii175dgF+RFgV6cjGyYDqfRD1SdOhFZURtIbjbN0QzAyBzArfG:p/Vd8+RFg0cjzYMqOhFAYvi3y6ru
                              MD5:7B639D9B86DE02CAB7AF203CDA0292DB
                              SHA1:D75E9644EEBD327E4EFD31C285206F43DF532F7B
                              SHA-256:E09F085A5453EAC829736C6DE3E8C1C1020D75F0150E4BA8656CF84BA5E037C0
                              SHA-512:1BB126101BAF8E627EE719E43EFB40B282EB4859D2D1689638E5C8B6F90E534800ED99704E1E89BFD8D645F2C5D86E4B286C55BC63D65B74E19267A9FEC07360
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Hyper-V-Drivers".. processorArchitecture="*".. version="0.0.0.0".. />.. .. This replacement manifest exists to ensure that we no longer run the gather.. portion of the old Hyper-V migration plugin when upgrading from pre-RS4.. machines. It replaces the old migration settings with these no-op settings... -->.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-7".. scope="Upgrade".. settingsVersion="8".. />..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5908
                              Entropy (8bit):4.832692830359352
                              Encrypted:false
                              SSDEEP:96:dyw72zBL2zNnZSAnVAwBfZD2GnTMYqaSzAFYP5jgSMXnz:KVK1frKGYJqXz
                              MD5:1F67E9CFE6A832AEED3E6ED0222C1F64
                              SHA1:A3FC912C5EB67EE746D8F224BA1AB76A9267AEFB
                              SHA-256:6BE8C118F8376B995ACF8C64BFA45BCC828216A8BDC42F691144229A3F3323DF
                              SHA-512:2C3095DD5BA2B7B2716CF1FEBD266BD9A818C80C695A07DA25FA3F0F1947ADE643A80093B28D4042EB563632D2D9D601D5FEC4273DC27DC76471C138C5D9DA8C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Hyper-V-VStack-Config".. processorArchitecture="*".. version="0.0.0.0".. />.. .. To ensure that matching rules are used during the "gather" and "apply".. phases of an in-place upgrade, the following attributes should be updated.. whenever a change is made to the..... .. vm\manifests\root\vstack\microsoft-windows-virtualization-vstack-config.man.. .. ...manifest:.... /assembly/migration/@settingsVersion.. .. This attribute should be incremented by one. Any new value must be.. mirrored in manifest located here:.. .. vm\manifests\root\vstack\microsoft-windows-virtualization-vstack-config.man.. .. /assembly/migration/@replacementSettingsVersionRange .. .. This attribute should be set to "0-(@settingsVersion-1)". For.. example, if @settingsVersion
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):918
                              Entropy (8bit):5.202010373158601
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+NFsg0Lmj36m3A62idNFB4EFhUK:22e8z2j+NFsgUKKzTidNFB4WX
                              MD5:9D5A3BD8C9D9F7B33D131ABE42A48A8A
                              SHA1:56B5FD559ED184BCEB051482BA13059B849BDEF8
                              SHA-256:5CD6D08C763F530AC3B993F160942BD1CD811B4440ADCE0847D7ED24A4BF5DB3
                              SHA-512:CDA903BB50E93D99363CF67D07A21B517DF876245F84C05F93A510438340BEEA68CCDF1CDC3B23BAD5FC71F504482E098E3B75835ABC6A163B867FE1AC400FF4
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-OneCore-TileDataRepository".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade".. replacementSettingsVersionRange="0-1".. settingsVersion="2".. alwaysProcess="yes">.. <migXml xmlns="">.. <plugin.. classId="{59735225-901B-4A9F-A7B6-52D7D5E0776D}".. file="Microsoft-OneCore-TileDataRepository\TileStoreMigrationPlugin.dll".. />.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):126816
                              Entropy (8bit):5.994025814740343
                              Encrypted:false
                              SSDEEP:3072:uJSxwmMvbrgQOj9GYGhxk/h9TS7glH/uNeUGJ3NaU:uJewmMvgjjCAh9TZGNNGTT
                              MD5:2B166E6F87B5C6E083BE5A8176F1AFB6
                              SHA1:C51F6DBFC8205B920B65734965A062F9B9932AB2
                              SHA-256:DBDB17063945EF02A787DA668F769F4D1564B3A8B207197C6EC336CA4E7AF7AA
                              SHA-512:C212AD5722213B3E44EEF1F8167037E58EC6789C101782908194A1FEE7C16491BEACE94CE9991E20F6289E30D8AFB437A6B65A47188601D781F9DAE0856BA69A
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1239
                              Entropy (8bit):4.916137376447766
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+6Yg0cjTi3O3ENgwQVFPwJXpENceEw5VFPwJXMFhUK:/2e8v+6YgfTvIg/wJ5Is6wJuX
                              MD5:89EDDBB96124F094FB2E4440B0EA0518
                              SHA1:EBC6E57963E475C8C01FFF32DCC565A7D81BE5DE
                              SHA-256:0CD988ED3C2618D4D3E5412B9057B986CE3B6130E2FFA79F7214C3C373C71A79
                              SHA-512:036D3105640D2F3E2294FF72FDDD5521A7A87BE1C07547148F57EA279E1A8543553019FFCDECE8B7835F9636D5E12FBF3E9B7C267DB845C2A773018001C8D670
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-AdvertisingId".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-2".. settingsVersion="3".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="User">.. <include>.. <objectSet>.. Desktop OS-swap upgrade will remove all keys under HKCU\S\MS\Windows unless they are specifically
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1225528
                              Entropy (8bit):6.191136404676487
                              Encrypted:false
                              SSDEEP:24576:2Ellver5sCIEXbvFsM4ldosg2XbdKNwt5LDdV3yLEq52a/OQgevm:tI6BELvz4led/ONeu
                              MD5:E826925DEB16AF91FA8E59F88360EAE2
                              SHA1:24000BD3F281D71C40FED8B311F04D5E3B56BBEE
                              SHA-256:B33F5E1B557D05EAA8633C8529DCF048584DF87F0CC520C9F4622DF112EFAB90
                              SHA-512:FDD0DCB676B62929863D298368037650BD3D7A76D1F5700A44151714AC9611285C6058937DA6DF8372FD5CE113D4CAA6FA560A6CE08D052AB240C6DB42C8AFBD
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (17075), with CRLF line terminators
                              Category:dropped
                              Size (bytes):20283
                              Entropy (8bit):5.371962536919824
                              Encrypted:false
                              SSDEEP:192:KkEaNZL6robFedoOvjKgWMCYe9O6J5KHJ4PyseBeB/64PkYBh/hUUxPNrNaxNaDA:C4TSvfkPNrNONUQPX40jLXqg
                              MD5:F8D804C300ADA4D0C4F7AD93AC195FB2
                              SHA1:9E003D3FD5B019539349B354687FA3BF21D68A8C
                              SHA-256:248CB09C5E0FE549463FF87E61AD88410B4E328F22F578E2A681D589879FE669
                              SHA-512:0FBB3241EC283C77E1AE0E6D4736A34048215FE53C82B29AD6B01BB0FFCCA5022309D87995207DA5E6199FE21DC6B053C144F9A377D1D43F69AC2FC8B646354C
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="utf-8"?><AppxProvisionList xmlns="http://schemas.microsoft.com/appx/2013/appxprovisionpackage">.. <EndOfLife>.. <Package FamilyName="Microsoft.Camera_8wekyb3d8bbwe"/>.. <Package FamilyName="Microsoft.Bing_8wekyb3d8bbwe"/>.. <Package FamilyName="Microsoft.Alarms_8wekyb3d8bbwe"/>.. <Package FamilyName="Microsoft.Calculate_8wekyb3d8bbwe"/>.. <Package FamilyName="Microsoft.Windows.InsiderHub_cw5n1h2txyewy"/>.. <Package FamilyName="Microsoft.Windows.FeatureOnDemand.InsiderHub_cw5n1h2txyewy"/>.. <Package FamilyName="Microsoft.SoundRecorder_8wekyb3d8bbwe"/>.. <Package FamilyName="microsoft.windowsphotos_8wekyb3d8bbwe"/>.. <Package FamilyName="Microsoft.PPISkype_8wekyb3d8bbwe"/>.. <Package FamilyName="Microsoft.BingMaps_8wekyb3d8bbwe"/>.. <Package FamilyName="Microsoft.Maps3DPreview_8wekyb3d8bbwe"/>.. <Package FamilyName="Microsoft.BioEnrollment_8wekyb3d8bbwe"/>.. <Package FamilyName="Microsoft.Windows.ShellExperienceHost_8w
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):475472
                              Entropy (8bit):5.988999297531153
                              Encrypted:false
                              SSDEEP:12288:aoCf0yx+jI+XegCE7QgtI/H5eVDjhvTCjLmVP:dVyMHVI/H5eVDcPmVP
                              MD5:8FC153D4463B0DED7CAB1658540DD235
                              SHA1:39A9013995AD80E481389A0D6A904AC230D9E02D
                              SHA-256:97014EE2DFCF08BB1205E82A05D7F11E9280267F06289B67EE4474A584CD3863
                              SHA-512:14E43696AC5748763CDAEF7531B4707B0515A258A23F50D3013B6DE75061BB1270908E2FDF1B640FC7D3C65B65578E9BAC8B2052BA983DFC34F1BCC83315D72D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1692
                              Entropy (8bit):5.2205530219999545
                              Encrypted:false
                              SSDEEP:48:cj4AOAN4PAO2+bU92ZDJ0TJ1xx4DqDerp0jjqhoQ:K4AOAN4PAOp494DuFCDkerlmQ
                              MD5:4F5C64296C14735C1E28458A9EC1EF2B
                              SHA1:1ABF4A6A97C32A5D489C358752CA7086C2D8B829
                              SHA-256:16AF54322C32AF6CEDD2CCD715B286F67D874EC7779136C726E469F0ADE43E23
                              SHA-512:F39D2D0137D112B0BFE2C9C0E88FDCFD831E7A92CB9D7F9FE7D010DB1EE0ED202551BF7A5AB911F2D979C9106BD681D8129742C0E4A996FFCD540A91E17044CD
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="utf-8"?>..<Package.. xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10".. xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10".. xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest".. xmlns:wincap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/windowscapabilities">.... <Identity Name="Microsoft.Windows.SecondaryTileExperience".. Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US".. Version="10.0.0.0" />.. <mp:PhoneIdentity PhoneProductId="8F6C1F18-5A7A-4E49-B8C2-4A67596288E9" PhonePublisherId="ecb99882-54f5-4c51-adc3-e27619164fde"/>.. <Properties>.. <DisplayName>SecondaryTileExperience</DisplayName>.. <PublisherDisplayName>Microsoft Corporation</PublisherDisplayName>.. <Logo>Assets\StoreLogo.png</Logo>.. </Properties>.... <Resources>.. <Resource Language="en-us"/>.. </Resources>.... <Applications>.. <Applic
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1498
                              Entropy (8bit):5.126150860454683
                              Encrypted:false
                              SSDEEP:24:2djq4+AtV+AN8tNhDYzxr2ZDJ05QarXDJ11RfSIYqrXxJgsfitFfo6Rbikg6ZCBM:cj4AOAN8tNhE92ZDJIzrTJ11RfZhrXxu
                              MD5:68BA9551B8D2BD2CC5C8D71E678CA3AA
                              SHA1:43299FEDFBC072C82077B8A03DE13EACCC282614
                              SHA-256:BC4647D41083139697D7770AE9F52A89CA02CA66B68B7202C3263B0CF28000BA
                              SHA-512:B0236A91E511DFBB371B056261DB0FEBDA7EEF6743348B3ABA87AF99471F7CD20957B6507D647F432B8B2531E20AFED9F1833B11EDB868EDBC915211E10C44D0
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="utf-8"?>..<Package.. xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10".. xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10">.. <Identity.. Name="Windows.MiracastView".. Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US".. Version="6.3.0.0".. ResourceId="neutral" />.. <Properties>.. <DisplayName>ms-resource:DisplayName</DisplayName>.. <Description>ms-resource:Description</Description>.. <Logo>assets\logo.png</Logo>.. <PublisherDisplayName>ms-resource:PublisherDisplayName</PublisherDisplayName>.. <uap:SupportedUsers>multiple</uap:SupportedUsers>.. </Properties>.... <Dependencies>.. <TargetDeviceFamily Name="Windows.Universal" MinVersion="10.0.0.0" MaxVersionTested="10.0.0.0" />.. </Dependencies>.... <Resources>.. <Resource Language="en-us"/>.. </Resources>.... <Applications>.. <Application Id="Microsoft.Windows.MiracastView" Executable=
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):71992
                              Entropy (8bit):6.003311723242842
                              Encrypted:false
                              SSDEEP:1536:XFTLYNMi9o7em1J1tG1b2x2o7cvNCSwqkMjvM/7uP8:XpEva7d1vkQCCskMreu0
                              MD5:BC00A2006DD8277305B0CD18BB1977B4
                              SHA1:0BDDBCE477F124EF9F002A0F107B68C826086901
                              SHA-256:08DCC1980CDF146BD8C0D79CDFFA5FA434DE10B32E7CE827E17FC88AE0C74C2E
                              SHA-512:2692F77B66C5A21A74EEF47FC979D750EB8063C960CB3408785BE8464F3EE054C3A220C0D9B2641B4DDDA49C4B7226887CAAB2B0610C8456775FAEC0380EB115
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):114704
                              Entropy (8bit):5.909778317642524
                              Encrypted:false
                              SSDEEP:1536:g8UfjCAYEtoCdzLrx1gk/kOq0c9L+86+8iaA5cIzdn+Gzzn8kfSCsPu:JUf+9qZ1pg+gLa6F+Qzn8usG
                              MD5:A3EE699B6A289CE26F28102E57270340
                              SHA1:8D470469AF950F94C46C5D9B34A8821986B5B395
                              SHA-256:C47B7AAEE2CD0D3D26241D07A9F2F05137AAE95C22DB2FD6D63941A88FD3FFB0
                              SHA-512:A0B85234B0A992C671A1B22C066115CEED65D729B1F8BA4F18D27B21178FB301B0FD9A46BE7E9DEA8E852680C87A37053A711C0DA31ABB3164115F2768D767E2
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):161792
                              Entropy (8bit):5.414397135527631
                              Encrypted:false
                              SSDEEP:3072:h+KFbtjH7gRWMNb0hOTp9YV5dbj5aNCFD:hfjbgpkOTpYFaU
                              MD5:C151C66427B592C84D897B421EFD6162
                              SHA1:0C9B3D95410C066E2349A93ECD29E67F1A15BFA3
                              SHA-256:728BAEE181199E07F56E73A8F703AC99A9E7B7531C17021D6D45538554C6B42B
                              SHA-512:EF42A02EDD8CED1CB67D2A24ABC157EE7660EBEB3466FD702CF3BD7AE8480B81060B9FC6BA96659B16778C861BEB2355C3BBA62DC364007E58AACD9F11B7C848
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8334
                              Entropy (8bit):4.911132296544331
                              Encrypted:false
                              SSDEEP:192:mKSZBZhZZBZxNLxbLxRLxbLx1sVBaYaJSobSxdoaPi7fuOGuubd3DHpWAckMVZZ:mKSnZhZnTzx3xVYa1+IaPi72OduBtMV7
                              MD5:6F7AFD097434D60D1CAFCB59C152188F
                              SHA1:693A9034CA4ABB36AC9774A3986541537EC80482
                              SHA-256:222855F438DF6707CB8F5DC3702B87EFB2BC1E463E0954B7E416BFE5F3F2B088
                              SHA-512:4651F34E7721E997534670B913D265C7D6A0F2293973FCAC30F1D9CCD969AD03AD07A5D50793FCFDAE86303EBE6F5A7A9249C6D1A154F86DCED7E6848457902B
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Container-Manager".. processorArchitecture="$(build.processorArchitecture)".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="$(build.version)".. versionScope="nonSxS".. />.. <dependency.. discoverable="false".. optional="false".. resourceType="Resources".. >.. <dependentAssembly dependencyType="prerequisite">.. <assemblyIdentity.. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-Container-Manager.resources".. processorArchitecture="$(build.processorArchitecture)".. publicKeyToken="$(Bui
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1954
                              Entropy (8bit):4.955455721782411
                              Encrypted:false
                              SSDEEP:24:q/Vg+FIg0cj3cMG3zjUFoSgE1Xs9jhWNGLRExOEx8ExS4ExdP3ZLp2MPFhUK:Z+FIgft0UFoSg7oG1HLcUPH2MNX
                              MD5:EF918B53087F2FA87F6A82E6C17B2A50
                              SHA1:75F5244FFBCAD3BA82E4FB0DCA7016B34543F4E9
                              SHA-256:9AEDACC2D4BB32B573FBA089F7B858DBF57F5B7FF51B884B01FBFC0452E2DBAF
                              SHA-512:CC30760E3AA38210203BF2C31644CA275D6BE0B468E781436C2F8A765019FDF10E387D87EB0DD79358D8A850268B7DC106729A88F52194BA67DE41A9DA97C527
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-CredentialManagementRole-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="ADCertificateServicesRole"/>.. <migXml>.. <detects>.. Install ADCertificateServicesRole component if one or more of the role services are installed AND the OS is Windows Server 2008 R2 or below. -->.. <detect>.. Detection of CA. This is consistent with -DL manifest for CA. --> .. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Security")</condition>.. Detection of NDES. This is consistent with -DL manifest for NDES. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\Softwar
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1326
                              Entropy (8bit):4.895323030257631
                              Encrypted:false
                              SSDEEP:24:q/Vg+FHWg0cj3u3Vj4FoigL39ckiExLvExK93ZLp2MPFhUK:Z+FHWgfs4FoigL36U/9H2MNX
                              MD5:5074B1CD69196301B644CD281B7AD01A
                              SHA1:E9666C44351CDEE2136A998B7D4C1C57EFBE4141
                              SHA-256:65002175219658185AFEF7AECB9478420904EDCBC436A5A7717E50761FF576F4
                              SHA-512:BC772E30D9929E164D3884D102C65285DE0E0FEE0A94EA40CC8FE832314D33351F92540A1C60280F84C3E0BFE543913648EE0FCED0D6261494AD6FDBC293C560
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-CredentialManagementRole-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="ADCertificateServicesManagementTools"/>.. <migXml>.. <detects>.. Install ADCertificateServicesManagementTools component if one or more of the ADCS RSAT tools are installed AND the OS is Windows Server 2008 R2 or below. -->.. <detect>.. Detection of CA Management tools. This is consistent with -DL manifest for CAManagement. -->.. <condition>MigXmlHelper.DoesObjectExist("File", "%systemroot%\system32\[certmmc.dll]")</condition>.. Detection of OCSP Management tools. -->.. <condition>MigXmlHelper.DoesObjectExist("File", "%systemroo
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):672
                              Entropy (8bit):4.914881560081254
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-Deployment-Services-Admin-Pack-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="Microsoft-Windows-Deployment-Services-Admin-Pack"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir% [WdsMgmt.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1421
                              Entropy (8bit):4.916561773328
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0">.. <assemblyIdentity.. name="Microsoft-Windows-DeviceAccess".. processorArchitecture="*".. version="0.0.0.0".. language="neutral"/>.. <migration.. replacementSettingsVersionRange="0-2".. settingsVersion="2">.. <migXml xmlns="">.. <rules context="system">.. <include>.. <objectSet>.. OEM customization to enable region-specific access policies -->.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess [ActivePolicyCode]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="user">.. <include>.. <objectSet>.. Consent stores -->.. <pattern type="Registry
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):252216
                              Entropy (8bit):6.244359858748323
                              Encrypted:false
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):131896
                              Entropy (8bit):5.729363174968244
                              Encrypted:false
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1433
                              Entropy (8bit):4.588787372492834
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-ManagementRegistration".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. scope="Upgrade".. settingsVersion="0".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include> .. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\MDM\* [*]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\MDMPolicy\* [*]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):16645
                              Entropy (8bit):5.066010120218812
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-ErrorReportingCore".. language="neutral".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-1".. scope="Upgrade,MigWiz,USMT".. settingsVersion="2".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="system">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting [DontSendAdditionalData]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting [Disabled]</pattern>.. <pattern type="Registry">
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1298
                              Entropy (8bit):4.934844168081858
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-ErrorReportingFaults".. language="neutral".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. scope="Upgrade,MigWiz,USMT".. settingsVersion="1".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\CrashControl [LogEvent]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\CrashControl [MinidumpsCount]</pattern>.. </objectSet>.. </include>.. </rules>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):657
                              Entropy (8bit):4.87825247173309
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-FailoverCluster-AdminPak-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. <registerSDF name="FailoverCluster-Mgmt"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir% [CluAdmin.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3998
                              Entropy (8bit):5.1047809676365565
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Fax-Service".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1.7036".. >.. <migXml xmlns="">.. <environment context="System">.. <variable name="FaxService.ARCHIVEROOT">.. <script>MigXmlHelper.GetStringContent("Registry","HKLM\Software\Microsoft\Fax [ArchiveFolder]")</script>.. </variable>.. <variable name="FaxService.ACTIVITYLOG">.. <scr
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1444
                              Entropy (8bit):4.986641337308831
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Feedback-Service".. language="neutral".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. scope="Upgrade,MigWiz,USMT".. settingsVersion="1".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs [TerminationTimeout]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs [LongTerminationTimeout]</pattern>.. <pattern t
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4920
                              Entropy (8bit):4.794349965776482
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Flighting-Settings".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. Since these keys were previously managed by a different manifest, alwaysProcess is needed to add this migration section to older versions of this manifest and keep our keys.-->.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-3".. settingsVersion="4".. >.. <migXml xmlns="">.. <environment context="System">.. <variable name="Ring">.. <script>MigXmlHelper.GetStringContent("Registry","HKLM\Software\Microsoft\WindowsSelfHost\Applicability [Ring]")</script>.. </var
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1884
                              Entropy (8bit):4.839191599630749
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Geolocation-Framework".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <migXml xmlns="">.. <rules context="System">.. <conditions>.. rules for the pre-Win10 systems -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT","6.3")</condition>.. </conditions>.. <include>.. <objectSet>.. Gather pre-Threshold master switch reg key -->.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44} [SensorPermissionState]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <conditions>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2149
                              Entropy (8bit):4.950840268587995
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Identity-Foundation-Migration".. version="0.0.0.0".. processorArchitecture="*".. />.. <migration.. replacementVersionRange="6.0-6.1".. replacementSettingsVersionRange="0".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. alwaysProcess="yes">.. <migrationDisplayID>Microsoft-Windows-Identity-Foundation-Migration</migrationDisplayID>.. <registerSDF name="Windows-Identity-Foundation"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>.. MigXmlHelper.DoesObjectExist("Registry","HKLM\SOFTWARE\Microsoft\Windows Identity Foundation\Setup\v3.5 [InstallPath]").. </
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4228
                              Entropy (8bit):5.109999102886146
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IE-AdminKitBranding".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade".. settingsVersion="2".. replacementSettingsVersionRange="0,1".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <environment>.. <variable name="IEAK.BrandGUID">.. <script>MigXmlHelper.GetStringContent("Registry","HKLM\SOFTWARE\Microsoft\Internet Explorer [BrandGUID]")</script>.. </variable>.. </environment>.. <rules context="User">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExis
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):19519
                              Entropy (8bit):5.009647932153986
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IE-ClientNetworkProtocolImplementation".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-1".. scope="Upgrade".. settingsVersion="2".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Classes\AutoProxyTypes [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings [AutoConfigURL]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet S
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):19986
                              Entropy (8bit):5.139978464262948
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IE-InternetExplorer".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. scope="Upgrade,MigWiz,USMT".. settingsVersion="4".. replacementSettingsVersionRange="0,1,2,3".. replacementVersionRange="11.0.10120.1-99">.. >.. <migXml.. xmlns="".. xmlns:auto-ns2="urn:schemas-microsoft-com:asm.v3".. >.. Gather and apply rules for current version -->.. <environment context="System">.. <variable name="InternetExplorer.BrandGUID">.. <script>MigXmlHelper.GetStringContent("Registry","HKLM\SOFTWA
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):16859
                              Entropy (8bit):5.113672341553152
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-IE-InternetExplorer".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. scope="Upgrade,MigWiz,USMT".. settingsVersion="4".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-11.0.10120.0">.. <migXml.. xmlns="".. xmlns:auto-ns2="urn:schemas-microsoft-com:asm.v3".. >.. Gather and apply rules for current version -->.. <environment context="System">.. <variable name="InternetExplorer.BrandGUID">.. <script>MigXmlHelper.GetStringContent("Registry","HKLM\SOFTWARE\Microsoft\Internet Expl
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2848
                              Entropy (8bit):5.240921739733686
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-IE-PDM-Configuration".. version="0.0.0.0".. processorArchitecture="*".. language="*"../>.. <migration.. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. alwaysProcess="yes".. scope="Upgrade".. >.. Migration rules when moving data across machines; these rules also apply to in-place upgrade,.. except when there is an explicit condition statement blocking application during upgrade. -->.. <migXml xmlns="">.. <rules context="System">.. <conditions>.. <condition negation="Yes">MigXmlHelper.DoesStringContentContain("Registry", "HKLM\SOFTWARE\Classes\CLSID\{C5621364-87CC-4731-8947-929CAE75323E}\InProcServer32 []","\Internet Explorer\")</condition>.. </conditions>.. <include>.. <objectSet>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):377704
                              Entropy (8bit):5.7890084537276145
                              Encrypted:false
                              SSDEEP:6144:YYKGQo3a+16pjIynwKU8UsJI9ooWYBHFsGZkhu+GuvAks48Fe4cEFyANJHWiKwiz:YAr3a+16VIywKz4ooEss4bFyAbj1ib
                              MD5:042E14845467BC3265D86FB97FE263AB
                              SHA1:D15847AD7E17AB064D1ACE7EA0E70E5CE8CEFE1A
                              SHA-256:2F7ADC362D586722DD41D912FB1ED6D3DA4AFEDB39673AE76B7BE0C4308B2AA5
                              SHA-512:3A93C1E146279E9F4BD4D5B5A8CA54385FDF5FA10E26466C2565CA57BFAA45008077FF6180A9EA5B7F2479680FEE8780438690BA4F38FE8E741EBFBBF49498BF
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):106808
                              Entropy (8bit):6.012236279033335
                              Encrypted:false
                              SSDEEP:1536:keGA3t6WNrk71LGTetE5erkoAQVtdJ6NZJOfZ7AHmEC+CsVOH097NDAE7/Pbk9PD:ikghYt0rkEtdGZMBsH4+rOHgRAEDA9r
                              MD5:DC8D73FEC3991A99A66F360124551A1B
                              SHA1:32D1BEC2AB914DCEA890D5240337942055108009
                              SHA-256:B37E491DB4EC1C959A62A902763DFE8C6BE40EA00C6895FBBD66BD46ACF7B93F
                              SHA-512:9C728EAE9F4115D7B939D7BAFFFEF328F4B27D37835FA2CBE6CA2B2428F44FEAB5F91258B9FE075CB3773062A5D1D2681C5957F8A9268FC82A5200979B36016D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):107008
                              Entropy (8bit):5.799652245468601
                              Encrypted:false
                              SSDEEP:3072:ePtft1mOa/2vm9fXB5epNmmGl8SGB8aDw7GOPyX2:ePtjmOa+vybeHmmGl8Jw7ByX
                              MD5:A46DDEA2AAD77DDB74345420698ABF11
                              SHA1:D533BF750D35396F71AA3FE1043E81BBA4C12F5D
                              SHA-256:DFB10635D366E55F758C74B9F33B098F7D710DA625E07C2D4002BE290ADCF750
                              SHA-512:52728D8F025E49C29C74AD1B84463E0E9D0E8D9EBA877744D97D48F1FAB50D0E79398A026F76A562BF91EBC013E528A953E93F123A68258CD9A4B81230156509
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):911
                              Entropy (8bit):4.744629011503716
                              Encrypted:false
                              SSDEEP:24:2dtwx6ttpBkvRv+bjXg8KDwjcm33rMPFhUf:c64tt8N+/Xg8K0RrMN2
                              MD5:46D2A27D2CE887C31B83CD9AFE212979
                              SHA1:E7B6D0ADF1CFB10BF4B9AC9F61E22F1D6D87A9C6
                              SHA-256:DEFEF0AB1639FCCA6C3E3251CAA4966A0E3285A61C22B8BC990DA072AE9BB66B
                              SHA-512:A66B11FA87BBDDF963525647F4C37F6DEC8FE5631E4BD426523860C116AA1CB57F66D22301149FCD6FA654132E4D21A267CB38115F97AF7B54C5D4CC08BB6C3C
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly>.. This doesn't actually replace the Microsoft-Windows-NETFX35CDFComp component... It's just here to provide a dummy MigUnit so the post-apply step for CDF runs.. if NetFX3 OC is enabled during migration. -->.. <assemblyIdentity name="Microsoft-Windows-NETFX35CDFComp" .. version="0.0.0.0" .. processorArchitecture="*" .. language="neutral" />.. <migration scope="Upgrade,MigWiz,USMT" .. settingsVersion="0" .. replacementVersionRange="6.0".. replacementSettingsVersionRange="0" .. alwaysProcess="yes">.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSLaterThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):45739
                              Entropy (8bit):5.243140131547303
                              Encrypted:false
                              SSDEEP:192:/gkHGcU9BsdKD+NnQPvnJPQICSZWpO2PEjMKQmM/Lh3yyysFAMrQd:lFiCEgKo/L5LysFrQd
                              MD5:2C83A46078CBCC8055A777F4EE028DEF
                              SHA1:A10A019E6ADA755F1D13829F3EFBA5ADF56BD02E
                              SHA-256:A07AEAE6366B54C38C782A3C610279B82E9853E2A68D03C77E173557FF501BAF
                              SHA-512:5F68AD4B46B2E9E06CD6F4C588A23A3F8C4AC5F5CD06A3016034F1C7C3AB68442E1FA3C4B140E3BAF3A82722992028044D398F61E9B1C3198268F2B74E8F9A92
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. description=".NET Framework component".. displayName=".NET Framework Microsoft-Windows-NETFXCoreComp-Repl".. manifestVersion="1.0".. supportInformation="".. >.. <assemblyIdentity.. name="Microsoft-Windows-NETFXCoreComp".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml.. xmlns="".. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. >.. <rules context="System">.. <externalProcess when="apply-success">.. <commandLine>%windir%\microsoft.net\framework\v2.0.50727\ngen.exe update /queue</commandLine>.. </externalProcess>.. </rules>.. <rules c
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):884
                              Entropy (8bit):5.056040962963878
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZFvl+3wg0cjvm3VQJuzQozUOWFCUK:/2e8zd+3wgfeQJusozbAA
                              MD5:BE00C2E7C7118E22CDB5B4D55B5B0A79
                              SHA1:1E94A8A14B2347BD98DBA791230748347CC6962C
                              SHA-256:7E49871C24A4E2D909D8E189616CDBD6747AB361F21C7D20B3CD24D4DC44ABEE
                              SHA-512:8CC3B46590D7112711F2D2A8D585D205CA5B9E8F8BEA91FE275BC40452FE396C8FE5F0ABDDE298C6064AC08E86FAB272EDD695D8066E2FBCD90B79ED3ACE1B69
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="*".. language="neutral".. name="Microsoft-Windows-Network-Setup".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. settingsVersion="4".. replacementSettingsVersionRange="0-3".. alwaysProcess="yes">.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{3A689360-B0EE-42CE-A9BE-47474B43A3EF}".. file="Microsoft-Windows-Network-Setup\NetworkBindingEngineMigPlugin.dll".. offlineApply="yes".. />.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):146448
                              Entropy (8bit):5.8054385174962
                              Encrypted:false
                              SSDEEP:1536:ZyVdnaAmFbJ/i7m1uUnaNlk9kbqywTBJAaMKxh8s9cdPt+JZTl2qJjBrh1aEU/5B:1J/s68nblwVJAa/nytt+PTlvdrhXaE
                              MD5:F35F0AE390F30D6F95290C573EA88125
                              SHA1:E9BF3CE3769681721CFCBD5744AAB11F4FABC70A
                              SHA-256:E30D048369935CF09D90DFC6B5CD2E606C73E3F82AAB991CF9854AF5344E8A21
                              SHA-512:46031ABA28050E9372722554E0C6201C2F0F50EB8E9A00A5635A7E2083722A165CF6A40C5C8F044D2EEA4FE45CAFD1B0A8BE9BBDAA2760C738FC3EC9A720E00F
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):808248
                              Entropy (8bit):6.063734625829876
                              Encrypted:false
                              SSDEEP:12288:9q72xeq9H8onLpmlI2AWRhScnNYmFTqjfdX6cMfG7rzRfHuV4:9q88UlmhLScnasOfYcYK5fHZ
                              MD5:2DE8AC205645E4D8A638CDE962FE5C78
                              SHA1:D2DC15DF7A3EAE9E4EA40492282871D2D558967E
                              SHA-256:C6994FD06CFE3BC4DA8566D5822FE2F588B263DDAFD2C64C9A0B3A4122C47616
                              SHA-512:9998329F0E910CAF6CDE195909EF674F6F199C41B61E3F77DCF2BC138D392B319C7A3CD26A2DA1A395D743124F66D0C5F29A15E0A66755D0FCD3E1D3E280B975
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):344888
                              Entropy (8bit):6.131252130687319
                              Encrypted:false
                              SSDEEP:6144:TR8jeGaURRvzvsSQiqz9zxSrpQoa6L3mYs07km8R879as0Ug4tFTfvS8bkKWDd/3:iR00pQP6TmR879as9tBedio
                              MD5:F7C9FC48498B6752BD0F6822F3B3FDF4
                              SHA1:9226247D5E88C886A670A319A8D22F63108E3FAF
                              SHA-256:AA521177AB2D906F3558C86E62C70280BD59925218C2437E049AABACE194E690
                              SHA-512:68F20A243B05390E5ED74BD7466FF1F7F47C833B86CA7C2C03EDD9E0C6E9CC1A946D398474C86F1DA943EAE02B5E4E695BBE2CD4D1B0F2214BA31685AFCD7591
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):744
                              Entropy (8bit):4.681028333746412
                              Encrypted:false
                              SSDEEP:12:TMHdt/5v+9pW2jVgVNGzAjV0QzAc0dGxd5/RSDuMc9LId/ocXiEdO8ryuX3lDyUK:2dthv+y2jVgpjq3VexPItuyFwUK
                              MD5:0DC316E5312834AF642B018E3419E9C3
                              SHA1:0EAE34ACD081F99FD28A15B993DE108CB8FF155B
                              SHA-256:17876996165D66FB4FE8C8B2FA8C67691251B50D45E09F396DB1246C076B5E63
                              SHA-512:E9C715A1C4AD66908296E2D278140026B7C0594D32AE7C9D589FC37FC7CA20C5A59987A01AEFAEDABF8DE40F40E701DC7A863F911A16D9703DBEB68A934C8265
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly>.. <assemblyIdentity name="Microsoft-Windows-NetworkBridge".. version="0.0.0.0".. processorArchitecture="*" language="neutral"/>.. <migration settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.2.8180".. alwaysProcess="6.0-6.2.8180">.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{ee036dc0-f9b7-4d2d-bb94-3dd3102c5804}".. file="NetworkBridge\BridgeMigPlugin.dll".. offlineApply="yes".. />.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):145720
                              Entropy (8bit):6.28959757304556
                              Encrypted:false
                              SSDEEP:1536:rKxbFDL1fA7iK5r+tBOgNA7Q9UyAJo8CqsAJ/ZY6prJ+b/toIMwm4f+aGsY0MUOJ:EFZA71r+tTAciu8psNGl4FnEF9iAOmoK
                              MD5:76D975DE389D0737A694930071964651
                              SHA1:4AD2A079637402AF81924BC1C8E9C82EB8BB3BEB
                              SHA-256:D1B7F0EDF0B4614D6FFC45FC33E5C1725835C28FCC337DA32A52181AB3EEA8D5
                              SHA-512:D69334CE21697703F6E5AEEA67487D8C92DDDC0B90754727C460304E1DCACFA4A367ACEA79E2A418C63C99AF37E119A5E594001997429ABA783428D256BE85A0
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3072
                              Entropy (8bit):3.2850229599246124
                              Encrypted:false
                              SSDEEP:48:yLRlhFrd1Hx7F+N9tnZWXHLueTy5WwHg2:4RlvJ1R7F+N9XW3buWw1
                              MD5:D94C04BC66AFF06CA7844B97E6FB0076
                              SHA1:47BBDC3BB8921CD9A4A482077FEA742932E4D2A0
                              SHA-256:AAB9CEEA3EE55EE735591DF0BB7E3A1272B44ECBF09E3434C40560894F985CA3
                              SHA-512:A9FA7F68C32870770AC5086E1279AF2C278E53D0CD2C6B6284D59CD9AD01891CEBAAD0D4B491F617387D84AF08472F22A8BDB88D47B14F11AF8A0EDC01CB1604
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8102
                              Entropy (8bit):4.793645439788273
                              Encrypted:false
                              SSDEEP:96:AyKJVFH0SQWgxVKYx05xBmOx0nIBgon3vtXiSO+D5hAFOoQB0gjP4+b:sudFRKHUEHhAOr
                              MD5:2AFD025CB5DF944F90201DF19BD4C2A3
                              SHA1:EE41008C0CC0518AA5FCAE605AA764A57A9EE68C
                              SHA-256:F87A08249E0C6588C0D4D84AD88A1816FD755C64D0EDCADBBFAC935A69CBA6A3
                              SHA-512:A40068C1E67DB24B08E619AD7BBEC7B7083325E52B50ADB691FF0E9A6134743F30BBA3A7291975336499184A618D7C4865E730E7104287B75CD81077E2B35E93
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-OfflineFiles-Core".. version="0.0.0.0".. processorArchitecture="*".. language="*"../>.. We handle upgrade differently from migrating data across two machines to help.. increase the speed of upgrade. On upgrade, we will let the migration wizard.. engine rename the cache from the old location to the new location rather than.. doing the file-by-file migration. This has the additional benefit of allowing.. us to keep the full cache content on upgrade and not just the dirty files.. (which is the default behavior)... .. There can only be one migration element in an <assembly>, so you will see.. a set of migration rules (<migXml>) wrapped in the <machineSpecific> element.. that apply to in-place upgrade, while the other migration rules apply.. to cross machine migration..... This r
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1311
                              Entropy (8bit):4.940024796062216
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+y7g0cj3s3It2ovnpI7djRYHGFe2Y6+yLgL7ZAKWEUW:22e8v+y7gf6ovp8jRYQe27+yLgL7Gw
                              MD5:042F4411E9721DBB2066D8907FACD080
                              SHA1:A5FAAB4C407E3C6ED4ACF1B0A86D1C7230CA0589
                              SHA-256:7A12568262D6E825AED3E0205EBED59905223FDE36CAE391480C974FAA539651
                              SHA-512:07F001CF7EEE098082EEAE60E44DE80AC856F181D974BC5DFF1D4498EB48AF801B1A5BC355D5AC6A4E043EA14E58F50C7787BE1BA890FA033223AE70E9A25254
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-ParentalControlsSettings".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. replacementSettingsVersionRange="0-9999".. settingsVersion="2".. >.. <migXml xmlns="">.. <plugin.. classId="{0B6EC5B8-039F-4B11-8C2B-B8FD0F83462A}".. file="wpc\WpcMigration.Downlevel.dll".. offlineApply="Yes".. />.. </migXml>.. <supportedComponents>.. <supportedComponent>.. <supportedComponentIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-ParentalControlsSettings"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):399376
                              Entropy (8bit):6.2326191901279815
                              Encrypted:false
                              SSDEEP:6144:gcrrWyzXgnBPqAQZAMp6bSODv9eP4mmhBQ/rzjwY+zQd2zjDA5l8ZiclzYh:oyzXgnBPqTZAMp65Dvw4mi1
                              MD5:8093E37E00AFE5FE1F13EDB546EECECD
                              SHA1:5A94DB4E913D2E41E6E29AC00C3FE822F85ED9A4
                              SHA-256:E5F28971FB669C68023A94007BFA66989B8E4BBBFCE8C8D3EB96BAD2A7D9B333
                              SHA-512:C2CEC1C1E6B6EF54EEE4C6F82E93316AECC1C750FD781610D4F60FAA06A72A43A9627274C630C2EC6383C4D809BA5E914ED218C882FD78897B65687092177684
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):25354
                              Entropy (8bit):5.299663789233523
                              Encrypted:false
                              SSDEEP:384:VKjZPMdhDz69QE3Bq9vLx6gqUJUI1ttcV0VCYiVo:VKjZPMdhDz69jyvLIgqQl1tuCVFiK
                              MD5:032F9AA72F7F32E1F7839CFD64042246
                              SHA1:1F46E1C96FC4984A55F65B1386E4E1A4C637424A
                              SHA-256:4DA09F87DDFFA760C655D65D51F5D7ED797981292E1F7F1885A17EC1C91DF8A3
                              SHA-512:EE8C622E88E495035814B6D89CF0D81610187D3B7456FCB658C542B9D4230938C33175CDE2DE23A14B1AC5EA55F5FB2AD87251C818EB4529A06736D86F8C9000
                              Malicious:false
                              Preview:[Version]..Signature = "$WINDOWS NT$"..Class = PnpMigration..ClassGuid = {8ffff596-d7f4-4afa-82a2-28a0a63b90bf}..Provider = %MSFT%....;----------------------------------------------------------------..; Device migration..;----------------------------------------------------------------..[Migration]..; Migrate device classes with additional filtering..MigrateClass = %GUID_DEVCLASS_SYSTEM%,System_MigrateClass..MigrateClass = %GUID_DEVCLASS_PROCESSOR%,Processor_MigrateClass..MigrateClass = %GUID_DEVCLASS_MONITOR%,Monitor_MigrateClass..MigrateClass = %GUID_DEVCLASS_MEDIA%,Media_MigrateClass..MigrateClass = %GUID_DEVCLASS_HOLOGRAPHIC%,Holographic_MigrateClass..MigrateClass = %GUID_DEVCLASS_NET%,Net_MigrateClass..MigrateClass = %GUID_DEVCLASS_USB%,Usb_MigrateClass..MigrateClass = %GUID_DEVCLASS_HIDCLASS%,Hid_MigrateClass..MigrateClass = %GUID_DEVCLASS_PORTS%,Ports_MigrateClass..MigrateClass = %GUID_DEVCLASS_MODEM%,Modem_MigrateClass..MigrateClass = %GUID_DEVCLASS_BLUETOOTH%,Bluetooth_Mi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3673
                              Entropy (8bit):4.851991772435249
                              Encrypted:false
                              SSDEEP:96:22X2qBqVjoLiBxBaP8jaC7muRRHuRfuOeBGuun:m/ZZ6C7muRRHuRfuOeBGuun
                              MD5:D4CEC25DE2E272958A269F94BE4D3DB4
                              SHA1:8693CB0F16DE465B1528CD4B194363D5A611A58D
                              SHA-256:20BF518B28C377F2606E91647A199117B341299E8DC509621FD39DB11B952A0C
                              SHA-512:B146E0DFFBF00D201B354D4F494AE093FD67E7185241525CCFF000386C5E7B5FDCE353713D2929B45656D406ED696DE0A8703922E1431A9BF02B3C43F4276977
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-PowerShell".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration scope="Upgrade".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-10.0".. alwaysProcess="yes">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment[PSModulePath]</pattern>.. </objectSet>.. </include>.. </rules>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1161
                              Entropy (8bit):4.956840015099689
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+N8g0cj3pnxmjq3VyZF9+UWgMPFhUK:22e8z2j+WgfZxKVZF9+YMNX
                              MD5:E234D5275B2257026252854F93225765
                              SHA1:7ACCAC980610DA751455B56018240DD155632BF7
                              SHA-256:3C64683C699911E8A093A8A0C634E169CC5F62712DC202251DA9706BEB40227F
                              SHA-512:966042DC0F836BA777FD6EB505A7D800BF3767396CC21B4E98BB42A6BC504FA2BDFA9D5FFD982766E39706769E0C4208EDDF344397FAE5205EBA67D6A14E47DD
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-PowerShell-WS08-Repl".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. our scope is to only support upgrade. We do not intend to support PC to PC migration .. or USMT since that is not supported for PowerShell overall-->.. <migration scope="Upgrade".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. alwaysProcess="yes">.. <registerSDF name="MicrosoftWindowsPowerShell"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):874
                              Entropy (8bit):4.768912170085008
                              Encrypted:false
                              SSDEEP:24:q/VR+NY3g0cj0mG3NjovtMKENgGFJXMFhUK:Y+Mgf0hoFMKIgwJuX
                              MD5:6A3409DD80DC5D13C7854590F76B4D41
                              SHA1:4914AA334E5029943B99D2A56CF727776DC930CD
                              SHA-256:8C80C2D0D6E16E585F025DED9AEF76B3EEE6C7A096CEF27E9F2C076436D95F8C
                              SHA-512:949CC0798184B89FA23BCE5F7D9561DA52C7A375B14AFA8A6315ED99FFB9C64B6216B7882ACB3BE2991CF77D655C8CB81104B5618A2B449D7BEA1ADD3FFB961B
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-PowerShellWebAccess-Commands-PowerShell".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. replacementVersionRange="6.2.*" .. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "6.2.*")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\Web\PowerShellWebAccess\data\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):69944
                              Entropy (8bit):5.997250083159163
                              Encrypted:false
                              SSDEEP:1536:DZ0oi5UQFFSUV8Kbd7LespOJDzuSbavOphDP+:1Ri5HHyKbZrpuuS+vO/DG
                              MD5:AA5C4BAB9662DEA2BF958734065EC794
                              SHA1:2A496D9E155626EAD8DCFD50ED7C8213F2024108
                              SHA-256:FEA6463CAF0664A51350DD1B2E9A8B39A02B73C4AAA20D1CC8B4748153620665
                              SHA-512:9102F8F63359078B1021296CAF49545331F6011C5AADC4946C04FF1C99079B7BA22B4B62C1DB244CA296D39A21615F99991D906CDB07DB0E53DBEFF14CBBE6A8
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):540168
                              Entropy (8bit):5.908416600550986
                              Encrypted:false
                              SSDEEP:12288:A8XNpcZRlTTQKXHWde60DqdZo3QYECIF0Z96wxPBj9:v6pEKXHWdCDqnwHIF0Z96oPBx
                              MD5:E2F15BC291F93E522101CCB32DF0AA74
                              SHA1:917020936005E3C45A3EDB39FE59C0432DD9DEC3
                              SHA-256:AE9F53BBB471FB9374EAAC67A34F630FF3F7E72C8DC1696E2FAC5769ADB096D2
                              SHA-512:8AB8F38BC26C495FA8B89DF1ACDBDC6E0C6C81F020D8E8325E6A555A0AFE323F8E2BFDA9948DAE5A8CE982FB72FFD309962E3E8B0FBD98E09A5CE95A22735CE5
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1708
                              Entropy (8bit):5.192810267651551
                              Encrypted:false
                              SSDEEP:48:22e8v+HgfTgeIguyJJFj0Ajjuw0imuHumiX:22CYEyD9Djyw0oO7
                              MD5:A8DB1A8191E50B06EE864DEC61EE83F1
                              SHA1:3B61224F76844F05238F68A2FA0353EE40C37A32
                              SHA-256:D52D6C142BB71F52E88B3C6D12EF7971F0937D674E67C2826B442CBE6F04E15C
                              SHA-512:E473F109E4D360225D5B43A515A48BA9A5F38F55A01BEBEE4C1945EDD6D85A20CC71D177ADE464D648A4D4E31A561466FC534E1657F9354EE204AF9B7DA609A7
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-RMAPI".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\RadioManagement\* [*]</pattern>.. </objectSet>.. </include>.. Exclude in-box providers that will be managed by Windows. -->.. <exclude>.. <objectSet>.. Bluetooth (drivers/wdm/bluetooth/user/BthRadioMedia/BthRadioMedia.MAN) -->..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3852
                              Entropy (8bit):4.985632057357852
                              Encrypted:false
                              SSDEEP:48:22e8v+VgQgfD0pf0xynChSoPgYXLkaG6dbdp6p58TK0aULbF5KRBpYlw6CB2A:22CSkR0s0SthCApw+b
                              MD5:298A0D64C5F10FA0C2FCE9511C8881C8
                              SHA1:FC2424F2413B0B0D159A387921E3822B6C5A5ADF
                              SHA-256:9452BBDEFD57842755CA0A3771DD9D7819F6329EC449333BBE2DB42AAFD65551
                              SHA-512:2E9B98C190CD90C9F808FF235A7AFDE9C9955DB15C8FDDF6D4AEAFAE345F2657D16627D87185E23DD9C9C6D90FDEADCA4ECDBE3CF8F420E5CE2531DB0D056BD3
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SecureStartup-FilterDriver".. processorArchitecture="*".. version="0.0.0.0".. />.. Up through Windows Blue late MP, the BitLocker manifest did not contain.. migration rules for performance settings specified in the <configuration>.. section. These settings are important to carry over from Windows 8, since.. they are provided by the OEM and are tuned according to the particular.. characteristics of the SoC. This downlevel manifest will ensure that.. these settings are migrated... -->.. <migration.. replacementVersionRange="6.2.9200-6.3.9400".. replacementSettingsVersionRange="0".. alwaysPr
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1766
                              Entropy (8bit):5.268447566421784
                              Encrypted:false
                              SSDEEP:48:22e8v+VbgfAIIgfbrD4jifbrJ0JmgfbrD4zWYgfbrD4jWQvA/:22CNIRj5pYDjRjl
                              MD5:7F4A8A5AF370314211C41F0C4D956736
                              SHA1:723F53335A6EB9C094AD4B7DD40C401064040935
                              SHA-256:285AFC5271839996FDDC1E6FE8E8D95DE60B94996151FD9C02103D2AE23EAE4B
                              SHA-512:17470FA021865527E6A198B84DB784234B1E7788982158C9CF9D8EACAF154F2973696B01FECDFEED88B024632A3640FE0329EB0012DBF3FE0A28237AA50E2FBC
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-NGC-CredProv".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. offlineApply="no".. scope="Upgrade".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\$ [LogonCredsAvailable]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Preboot\AccountInfo\* [*]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1274
                              Entropy (8bit):5.02382272539419
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+Vjzg0cj0kv3eMEF4C1j+YeYBXs4C1j+YeYLKF42dlJUK:22e8v+V3gf0PMY4CQDYB84CQDYw42b/
                              MD5:BE01A5AA9023CC66AFB2F2EE898FFA7A
                              SHA1:B3E4E3107F82DF01B056D46B71E5C415D8C2A937
                              SHA-256:03331646C70A6ED9EA6D8597195B8C5CC8DB8DAFF73A27A148CD31BF0938771D
                              SHA-512:7E504B747B61F116D165936A9CDF6B55C6058FC10F242D466F75BF8D9FA097F0890848B823018C5BB613C433091D5A2A7E00C6C5E5368178C3C9E102F7033D42
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-NGC-CtnrSvc".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,Data".. settingsVersion="1".. replacementSettingsVersionRange="0" .. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%SYSTEMROOT%\ServiceProfiles\LocalService\AppData\Local\Microsoft\NGC\* [*]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.SourcePriority()">.. <objectSet>.. <pattern type="File">%SYSTEMROOT%\ServiceProfiles\Local
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):93712
                              Entropy (8bit):6.0573935855068
                              Encrypted:false
                              SSDEEP:1536:1CWs2G5U3/H0KkLih/l6eZdJhK+KAeBNdPOwbVflhZH0B4DzprZqgSuNMPViLeaj:49e/zkmNlZdJhK+KAOd2WVdrvSoMtiLl
                              MD5:BF4401C55740ECBE3E8886F258DB5BF6
                              SHA1:391324050B9D47124C6121E3E549020547BB2C76
                              SHA-256:5D39B1DCD670C142A6D56603CE18C7D4561FA0D6817225892FCAAB4D2F31F1BB
                              SHA-512:77CF0214A3111B63C4FC4F900DDA9C933F7FBC29D11A2603DA4AE484EE77944846FEC1E6DA579AACF540FFF2572A4917C4D2C02D97B85819D799ECD260830521
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):686
                              Entropy (8bit):4.925673335325983
                              Encrypted:false
                              SSDEEP:12:TM3ii175cF+9zyw4gV6cj3whQzA0zAjkaKpYScYfA0cyd+FRZyuhURpG:q/Vg+Vyw4g0cj3K3bjkFpKgMPFhUK
                              MD5:59301E1BF01BBE7BD2D27D9500521DCD
                              SHA1:9CAC5E8EB149928B22A60CD01CB524D11500FC84
                              SHA-256:232BC30195ED3F92A6EC0D488C82E567FFF1B3885ABEDE7A943619BD826543BF
                              SHA-512:C095BE7132BAA9297F22BE6A69EFD0179F4DA4B5A6760AB4AC8A9CEE8A965ECE286ECC9106D8A46AEFC28A0B98A5A3412435FE1AED1D9622B2258FDB1BDE039B
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-ServerManager-RSAT-FeatureTools-Replacement".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="ServerManager-Core-RSAT-Feature-Tools"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [servermanager.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):659
                              Entropy (8bit):4.9047923382219425
                              Encrypted:false
                              SSDEEP:12:TM3ii175cF+9zydgV6cj3whQzA0zAjkaKphScYfA0cyd+FRZyuhURpG:q/Vg+Vydg0cj3K3bjkFpDgMPFhUK
                              MD5:E33810E2DA053609C8EB9AAECF611B74
                              SHA1:B7184A3A31D0D3A6DA7783D8860BF8CFC1228F29
                              SHA-256:D86BA5D51755312C62B9219FF34EF4608457BC803BB911D1399C44AE7A98DCC9
                              SHA-512:5FA7C36D74036A1FACEF78F3DA92B7E819575484DF63B6EA5EC03E5F8ADBBC024DD1A3193A1861DD8106AC7C2003B4049E5BA94698695B5131FDFEAD420F74A3
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-ServerManager-RSAT-Replacement".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="ServerManager-Core-RSAT"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [servermanager.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):680
                              Entropy (8bit):4.921122004872507
                              Encrypted:false
                              SSDEEP:12:TM3ii175cF+9zyDgV6cj3whQzA0zAjkaKpRUScYfA0cyd+FRZyuhURpG:q/Vg+VyDg0cj3K3bjkFpR+gMPFhUK
                              MD5:2D283B9A62A1BD0A93B931087B0AFD31
                              SHA1:8260EE1D81D28F8CCB01004FCC787B68C24A5C19
                              SHA-256:D0AF9CB528DE94429177AFF6E675208DE251C9DA6EFBDC77284C4EB8CFD301EC
                              SHA-512:EE0379C87898A79B0F010FFA5D7DE470C795AAE04A9712212A856800A066D109BD5405C0546B7CD2D418C1BEEA967870882E85375781FD6476964A9A51152217
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-ServerManager-RSAT-RoleTools-Replacement".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="ServerManager-Core-RSAT-Role-Tools"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [servermanager.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):747
                              Entropy (8bit):4.929847252259464
                              Encrypted:false
                              SSDEEP:12:MM3ii175dgF+9zy2gV6cjfbN0QzAm0dq6MW2zAjlScm7fMfWqNalZduVd6/eNnAJ:p/Vd8+Vy2g0cjTi3vRMQjgENgPduVzJQ
                              MD5:B325C2F2E4742099D647CDADB7AD36E4
                              SHA1:E710E4B666F426FE0E66CAD69718E2004E9825F1
                              SHA-256:1F4CC06AA0DBD64167EE1A558406BFAAE816BE9A1C92FD0847C64AF2197A17AB
                              SHA-512:51794442B5AEFBC6CE313727D3F91C4FB151D5404FC05F96862F53FCECAF35362DF93A5D3AD085868AA7CC5AEAD9196A6A7F5DAEAD549351F4118F53932D5E80
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-ServerManager-Shell".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-6.3.9400".. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Windows\ServerManager [ServerList.xml]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):839
                              Entropy (8bit):4.790546651357188
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+Vykcg0cjTi3A6OENAJXmNATMFhUK:22e8v+VMgfT35IAJmAiX
                              MD5:D4DED91842105170AF3DE574F991C64F
                              SHA1:B5617A467ABD2DDE869E8CFE7C4430DAFBAFD4FE
                              SHA-256:6359B01202BBC11366B4D304A6D7E5DDE703BFDA8BE9C25580EC446D76CB5770
                              SHA-512:FD430AAFB91A006F4D8889441DBF546F64E7A0CEFC10F1DDBEF547B4C6681B128A7E037B1CD2613E6858A45CFC6F39D5AD4656FF382161FCE2BF9ACB24B34DA5
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Services-TargetedContent".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. </objectSet>.. </exclude>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.5870453244052953
                              Encrypted:false
                              SSDEEP:48:yOLX0Q8b848v8+5J28kF8aL8e8298HGQWUM+4qZW+cumbK5WwHg0:D6gzUM3V13S+jWveWwz
                              MD5:B70366FE07767DA1E6EAE90E9769C7BF
                              SHA1:30A94BF8673F8BF6D0320CD41EC034D3264FE0A2
                              SHA-256:CC59FE2AE68B29BCB8A19236478B3138B2D4763F90F9AB4CA9BF9DCEAE738E22
                              SHA-512:4FE18FF1F13A00BE2B741F859C5A359AA947F8913811F15D27D03BC7111FA7AAA0158D79ADCD0396844CCD725642CEF257EC0E164EF163B617E379A9645C3C8D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):209208
                              Entropy (8bit):6.130394719450308
                              Encrypted:false
                              SSDEEP:3072:O8i7efGKyraw2wcWk7wN5WnLdGF8J9W5EKVDmVNQORiyJ0w:Oz7efGDc5uQLQOFKGuORi8
                              MD5:58C5225A78B17B080336A5380E96F3D3
                              SHA1:F8E93CB87403B98BFFBF676959AD56B6E1405369
                              SHA-256:17EEF1A3238637A6714573DF39B2991F49B571B111061493CF2D8C75E4FB2FFC
                              SHA-512:35C25E67EB45D7B2B0585788B5FECF325E80D5B7EFB020C719ACD086C3F18FBCFBDEB87EEF2B3C821C5CAC5C569AA63CF044F1199516BCC4A5AA45EFB6B03163
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1965
                              Entropy (8bit):4.89340727170758
                              Encrypted:false
                              SSDEEP:48:22e88+VMgftr09Vg4vnwG+qY4jVxBl44jVxwX:22zHw93nw8rlk
                              MD5:2DE559632B430212CC04E5767C136DF4
                              SHA1:F3C7DF1F30C7D88657E4A30EA074DECBD3EC1052
                              SHA-256:2645BB493ADC67852D9F537B28C1727CDDCAE58402AEDFA80A2D1C1242B1AC26
                              SHA-512:B7E3D1468C1FC41F36D6E57E7B5A0B4E8A4F96758D458FD5C1C4CD41428985EDF826ABE98168311E5EFE1DCB4E9BB1F7DECFD34B93402114133808E5CA07679D
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-Slb-Mux".. processorArchitecture="*".. version="0.0.0.0".. />.. .. To ensure that matching rules are used during the "gather" and "apply".. phases of an in-place upgrade, the following attributes should be updated.. whenever a change is made to the Microsoft-Windows-Slb-Mux. This is.. because the new setting will only appear in the uplevel manifest but.. the downlevel manifest is used during "gather"... -->.. <migration.. scope="Upgrade".. settingsVersion="0".. replacementSettingsVersionRange="0".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <incl
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):932
                              Entropy (8bit):4.927496761474225
                              Encrypted:false
                              SSDEEP:24:q/Vg+V6qAg0cj3gi3Nj8odoJowmq3jJCoG2MPFhUK:Z+V6qAgfQg8odoJoXq3goG2MNX
                              MD5:67585D61917DA40E8A088384C6FD4705
                              SHA1:4A810B9D0574EAD1608E7649CF85D150DA3F0621
                              SHA-256:DB94929CE395035C274A5B94DFECF9B6A7BE5ED8D84CAE3222A232C91259A8C4
                              SHA-512:9DA6F3E5DC263E73737E4B351B3EE27115148CAB6DB2BA594EC2C2A09DF931F268F9A8F9CFE061667DEFD3749110544787B1DE61B56135307FAF65C728157291
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-SMB1-Replacement".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. <registerSDF name="SMB1Protocol"/>.. <registerSDF name="SMB1Protocol-Client"/>.. <registerSDF name="SMB1Protocol-Server"/>.. <migXml xmlns="">.. <detects>.. Multiple <detect> are AND, multiple <condition> are OR: -->.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "10.0.16220")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("File", "%windir%\system32\drivers [srv.sys]")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1059
                              Entropy (8bit):4.953661042050857
                              Encrypted:false
                              SSDEEP:24:p/Vd8+VYnJ6Yg0cjTi3v40QjeENgwwVKefuZnJXmNgwQVKk1TMFhUK:a+VYnlgfToQeIgfsefuBJmg/s0iX
                              MD5:2586BBF141E18CE12FA9B610461239EE
                              SHA1:288C64C6DDE9B543E53F89D82BE0DBBA01143ADE
                              SHA-256:478AE9D0D8A023C8F801F39B920452C226995086ADEC9E4A80F0415F5CA5E2D8
                              SHA-512:924A1CD5759D8CE733AE81C105188994717067F86604D7D34BDD7FDCBE7D1B226345A7859E37C05883FADA692965006956343C19F66239433C35362E0E3DACE9
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Microsoft-Windows-SoftwareInventoryLogging-ScheduledTasks".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.3-6.3.9712".. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\SoftwareInventoryLogging\* [*]</pattern>.. <pattern type="File">%windir%\System32\LogFiles\SIL\* [*.bmil]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\SoftwareInventoryLogging [Identity]</pattern>.. </objectSet>.. </exclude>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1533
                              Entropy (8bit):4.826163423317435
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+VNdg0cj3s3NjoLRW5Ybw8R0uRq7VEF4wuRqiBX0FCUK:/2e8v+VNdgfSolzRRC7VY4uiB2A
                              MD5:7C3746FEC1B2874DCF88BFDE072370CC
                              SHA1:88C76150202E6F2AF3FAF51E0E339DB5FB59556B
                              SHA-256:F630F14A8F97D180DF94A9F68C586A78E05D9A280FEE6EEC8A12FBB75AF344D5
                              SHA-512:67F42A8F492AE0E1B7439582CD6F417AEA8805E0CF9877AAC7328DF37DA99B97BDE95AFD2128AFFAA9792CD3FC5BDF6DE9E161240FF97F3F857375E51283CC50
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-StorageMigration-OD".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="Yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <conditions>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.1.9999")</condition>.. </conditions>.. <addObjects>.. <object>.. Disable PATA enumeration optimization by setting below registry -->.. <location type="Registry">HKLM\SYSTEM\CurrentControlSet\Services
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6200
                              Entropy (8bit):5.262639193225541
                              Encrypted:false
                              SSDEEP:48:/2e8z2j+VN7gUKHolMYpM+RV4+pf+3+lH+fqC7m6P+jdJhuBiRptLGpj3Vi18pIX:/2X2qf3MKRVsviMu8tRzKqWwazb
                              MD5:4D6C8E7690A905DA3CBAEC779850C9FC
                              SHA1:3A347549AA388CED5AC5F13EBA343A0002E98606
                              SHA-256:1D8AFFB7D3C0D853741A5E58BF02670D17CB7D870663B391A0B00A49C67E8C2D
                              SHA-512:208D6CE66A9231D8BC0C3C7D294B92961CB2B961FC6CD13A8E35A7D4ADF5C6E0F558C7E63B8CF48563EF32281D8832E1533E6BFF25977E43C26CD8BBEBC8F7AC
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-StorageMigration".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-10.0".. settingsVersion="0".. alwaysProcess="Yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. SCSIPort Global Settings -->.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\ScsiPort\* [*]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1306
                              Entropy (8bit):4.920022912166165
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+Vgg03bmjhzh3NjkJjturqjE2FN+VYg0/bZIUK:22e8v+VggCbKdkJhuWAgN+VYgibw
                              MD5:A8560D32D529435742430BE56D479D70
                              SHA1:ACE7BF462ADDC814836C9590CDC1CFD280FB4B2C
                              SHA-256:4B12302FC0BBEF829D994C3908C932F0F1F31307A0857B612E54756B69D9F3FF
                              SHA-512:42330557DEB1BBA671E16A2F85798232D7764F1294E09EF456CCDF9F843553B12E5D012B5AC2AE38CD26EF6BE0042B1E4908EC626479C48B318CEF3FEB776CD4
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Sxs".. processorArchitecture="*".. publicKeyToken="$(build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration.. replacementVersionRange="6.0-6.2.8000".. replacementSettingsVersionRange="0".. settingsVersion="0">.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{d2caca93-9eef-4c24-9790-61cdefd255d4}".. critical="Yes".. file="microsoft-windows-sxs\SxsMigPlugin.dll".. offlineApply="Yes".. />.. </migXml>.. </machineSpecific>.. <supportedComponents>.. <supportedComponent>.. <supportedComponentIdentity..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2560
                              Entropy (8bit):3.3153154447799005
                              Encrypted:false
                              SSDEEP:24:eH1GSAwL09WCHMtDdNZW0UTIiNuc+CtJiSlbc35WWdPPYPNyP:y9AdODHZWnTzuXSJy5WwHg6
                              MD5:78CAFADBD60BE1F7088E60B7E8DA1CE4
                              SHA1:781F6FF5AAD92328CF65C30B1D10C06BB1A50D4B
                              SHA-256:77ED052B42F7EA718BB3A933C1AABB85AF079F7332DF4C21AFA260C65A45C52A
                              SHA-512:6A555A1A329CD5C485882DAD61B229BAB9EDE692BBFFE6062FEFAE23AA7C768581BB3E760BE2A8D8E80A3403105BE4D721A9A95418053B41D7704974189FDCAB
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):133984
                              Entropy (8bit):6.2554042064203825
                              Encrypted:false
                              SSDEEP:3072:BzBt2svhMFUl6eC3HUVr1ynuUxo7krPN9dNtrCyfcpFjV76V:Basvh0GC3HUVr1ynuUxogzfc/V
                              MD5:1010AC5647746C613FA7D0846D143F6F
                              SHA1:1C34D364C27B18634974696ABC4707A57D0168D9
                              SHA-256:AE371EA2FF0F95FA6744E1AAF26444146273C0D51D37209DC27B99213D21F772
                              SHA-512:48D87CAEA60B657E0AE1CD68779BC4D7E3A24F8C18E7894AB9ECAB4C0A1FF10005BC01FC526BEFF3F513BDF4485A8145831A079201B9E7618D49E94E8C9CB882
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):84280
                              Entropy (8bit):5.9748713131078315
                              Encrypted:false
                              SSDEEP:1536:lSFkjM622Nfh+tGGLuiYSDNoisC7wK+zdLAOom3N4I8agZkPnEicMVTANU5PISD:lS2NNQXhzDqib7wh1An84P6Pn9cMVYUR
                              MD5:5361151ADC10BB21E2A2680DFD36EF00
                              SHA1:BED2089F99CF03B25736526C44BC4E17FA744B1D
                              SHA-256:B2D80ECE5A2C445C527C3DA20870C345D90D78F661CCCCE128B2D7001B6416C5
                              SHA-512:14D8035C4FCA8D57F54ABC86365EF4277AD12E9FFCB9A3624651187232A819D91F61B73A41898413F75D5EF2725ECB5667C2FEB22A0963DE27563DEAA0BB9B27
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):102416
                              Entropy (8bit):5.758079007660651
                              Encrypted:false
                              SSDEEP:3072:ixX2X0lTvY/LW8AVcH6UuS+gILifZGdl1FRFcX:ixX00lTvYzwVcH6UVZfuF
                              MD5:0706B23BE7DD34EFE99D534F9ABBE133
                              SHA1:6B75F4E5FDE7CA7E105B12A7A96F5DD77F718FBF
                              SHA-256:0E5BBF14F98299A1606C8443FF5433219356849B60D20FB4F5A0663EF58020EC
                              SHA-512:D774E9CA5FD841DCC93B7F571D8D5F1E499DE213F9CE55976C05A71B6ED3D88136115292DC866B9ECF3FE2869215936AEBE804F3139E615C1591337F5691369E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):116536
                              Entropy (8bit):5.770901871335881
                              Encrypted:false
                              SSDEEP:3072:qv+I/CPvLsGo+CclTHeJZuHRY6IV+2uD2wS3RrjsQgaRZW:qv+IqPvloJUeJZuHRaV39rjsQgH
                              MD5:88BA67D4B91761C993C9F344735D97FF
                              SHA1:3F15C1AF199D8BCD7DC494797B93ED77C7EAECD1
                              SHA-256:4486F865E15CEE10A73C6EC5390423971FBB34D0A49D115C9DF8EDC88575ECB0
                              SHA-512:93AECCC677C07C48DA63A081CBAA0AD9149483400921B45A4575F5CE8F2FBA6E82A0AFBFC8279FF107D0BE0F10415081677D328C9A8AE3AAB3DF27F02809D474
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):139064
                              Entropy (8bit):5.853708886532449
                              Encrypted:false
                              SSDEEP:3072:LKLMX0oTtA98xvd7l7onGsT3F/2BXF9k/Kw0q+r9p3eFyzy8R:LKLMX0aA+1UWF9Uj0qu/3rzz
                              MD5:FC7AD6C953A8F4E159712E4B6E470276
                              SHA1:89B6ADBB04787C328156B850ED8D2B97D2F9B2FE
                              SHA-256:EAA1ED2EDEE782D835CDBF0F4145FDC160A3DEA8BD597F34F3E598D84420BE5A
                              SHA-512:8B987D59B2075574FC32BA2AC1C79477485AC04506911E8CB95F68670254AA93B5C2B87A9D37CC00E3959E1A79A3D5A30E6C13A134075257836D4355D705C753
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):157200
                              Entropy (8bit):5.942596794330683
                              Encrypted:false
                              SSDEEP:3072:wQ93Bdc5VOKIB+QqIWax73LvI1Cq3knrM4isKaQuV8clqb+E/etzZbyx4QVCO62H:3VOVLIB+Dtus3BastetzNU7AvN/S6
                              MD5:D6532DE7C9CD8705ECE4615587323B4E
                              SHA1:8FBFB2FDCB503FA11741F5E613E45F98B32C5AF2
                              SHA-256:FC9DA67B7541CC329C322B278D4B174A31782837795E4533A90428FD64889F50
                              SHA-512:67C6C29942ECC1F3000DD5D38850932FFB58B214535DE5A0E46479A7788336D6C9C58F2F1E3F2B03D36A5C1DABD39F14CBBF9FD21FAD914C31FA977B439E5CAE
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):112440
                              Entropy (8bit):5.919630970014868
                              Encrypted:false
                              SSDEEP:3072:nQrYJxw24GSa7eIJVXjiKL4gaS+QGLNZ1akYb+9Piz2uQnF:ngOFpzU8GLNZ1a986Xa
                              MD5:BF11FC46C87031B1041F2B06083A51FF
                              SHA1:4E19CFB0D3003A44BD5A0B4349932C975B8DCD32
                              SHA-256:863F0285A9E75B4EE4539795D686651216BBAD310C9908D428623D2569BD1AF9
                              SHA-512:DD2DCE1ABF5CF75BEF86BD74D98F8E2DD7098B684356498D9EA606022B0B082AA042C1C260D2CB467244B1DBB0F91E817F4D76B6D2E95956F0D1C5C2550EBB7A
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):199696
                              Entropy (8bit):5.928211815789884
                              Encrypted:false
                              SSDEEP:3072:j28atJGDM8MZIyjoMlpzj+Ue8jnFhGvCnWuEEMu71SG6ySocW6ET1n1f:SvtqM9ZIyjowpv+4FogEEz71SDU
                              MD5:A71E0FA1EAC490BE1E0C60C3BD1ED4E2
                              SHA1:62DA89E5D40A36DA7A4C71C1CA504F330A5E283F
                              SHA-256:DDABA8285ED193853EE4A0F517E5A060E185F62AE2B9DEA1F762B62F596DF38B
                              SHA-512:73136F21206E7AFA9C1F5A191EC91B886ED2F9383A6B7E7D33E0B424A4420D5C3E9C3666C2240069B9A43B7BE4FE882B95F7522583DD23552D0F5D9E29C21B70
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):77624
                              Entropy (8bit):5.833241132580845
                              Encrypted:false
                              SSDEEP:1536:eXewMwwldDz39949F46wuMwK8hvs8fKrPj:BfV+dE8hvs8fKr7
                              MD5:BC7D0520259F7E9FB5A2AB7EC3D47B7D
                              SHA1:537C4A97055D7C1F204C0B222C0EF3AE4D983A01
                              SHA-256:C014A21DC22D8489E3992B6947D37052F075B12887CAD1C309B9F067A0C75E8E
                              SHA-512:BD8DC4FEC50A3166068846B22558380C1BD012C2F3E30E84B67210FAADBA1390C9B6C5B000AA5C8264379C44A4384BB0843973BD603BEA7BE698BF0B877C7F0D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1970
                              Entropy (8bit):4.809677363350112
                              Encrypted:false
                              SSDEEP:48:Q+DLVgW8epj9OZc0w8DNWfQemGMMzOhIcFIgDnJu2:DxX990bIoLGwvFVJh
                              MD5:7F6ABB2682CDEFCCEE365F868FC50CED
                              SHA1:AB1CEA3334697C9CB0E1C4AA523ACDF3E3C44E64
                              SHA-256:7A04231D5551A8A1F8E069A9DB9390C6F0ED1F1C2658ECD8C02E3AA1A5707868
                              SHA-512:D5948B4F4FECDCF9F754D3B34327024E207BD7F8187B47C6B05DDCCFD08B239BB68FF76505053097CC88BCE291FD6A3F640BAF3BB3CB03629BE7E933DE9B5F49
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity name="Microsoft-Windows-Virtualization-Vmswitch-Migration-Replacement".. version="0.0.0.0".. processorArchitecture="*".. language="*"/>.. .. To ensure that the correct plugin bits are loaded during the "gather".. phases of an in-place upgrade, the following attributes must be updated.. whenever a fix is made to the "gather" code in VmSwitchMigrationPlugin.dll:.... /assembly/migration/@settingsVersion.. .. This attribute should be incremented by one. Any new value must be.. mirrored in manifest located here:.. .. onecore\vm\dv\net\migration\manifests\plugin\Microsoft-Windows-Virtualization-Vmswitch-Migration.man.. .. /assembly/migration/@replacementSettingsVersionRange .. .. This attribute should be set to "0-(@settingsVersion-1)". For.. example, if @settingsVersion is incremented
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):257848
                              Entropy (8bit):6.091476581302608
                              Encrypted:false
                              SSDEEP:3072:nbQ32ZaUawq6hk7Tuur+G+R4dRJNjVRTlaAdhbHraDUMKtwjLxmzIeBmcezKyzJU:nbQ32Z5awlk7TufGx3jjfkZM98c2K
                              MD5:6BAC9A384C84ADFB4E6808045A87861E
                              SHA1:34DC8F9C3BBEE0F2F26C7347088A3400F96D7907
                              SHA-256:4E2AFEC0788B6726FFA55D2C11313F12A858FD5C4A48AB435006C78F39195582
                              SHA-512:9F14DD90146665A73F7A1399FD61EDE48FD8D4DBCDFEC8569D42FFD8DC451686D77A8CF6C60E996020DE7A130EAE5248B290591610A2B14B81F993B90107FC83
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):865
                              Entropy (8bit):4.737909574387341
                              Encrypted:false
                              SSDEEP:24:2dtwx6wpBJvRv+OjXgMDwjqm33rMPFhUK:c64whN+SXgM0/rMNX
                              MD5:EE0EC7F764F187F81264F621D79065AD
                              SHA1:432150B1233159AC7A49CB422E81A0F3968D6AE5
                              SHA-256:921F25DCF7A826DCEF8F2DA573A120337711F7443BD99095BB3D52DCAECE833C
                              SHA-512:C8991221304088EACBABF2B7D380490BC40BA6F9F3FAF5563EE427BC907992499AE156ECA8A054AD1EB6DC2BCE3C4AD9AA24A4B79C737262A2DB937A33E15BD5
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly>.. This doesn't actually replace the Microsoft-Windows-WCFCoreComp component... It's just here to provide a dummy MigUnit so the post-apply step for WCF runs.. if NetFX3 OC is enabled during migration. -->.. <assemblyIdentity name="Microsoft-Windows-WCFCoreComp" .. version="0.0.0.0" .. processorArchitecture="*" />.. <migration scope="Upgrade,MigWiz,USMT" .. settingsVersion="0".. replacementVersionRange="6.0".. replacementSettingsVersionRange="0" .. alwaysProcess="yes">.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSLaterThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1265
                              Entropy (8bit):5.03760269999925
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+Mg0cjCU34ENg8wI1F2WsawOQrwOBwuDJXMFhUK:/2e8v+MgfUIg8X1E0wTBJuX
                              MD5:9137017C848A0890E586B17BBE7ACA1C
                              SHA1:4105EE99CF4D17FDA273E8683AFE8FCBF33CB7A0
                              SHA-256:B24D059033E9F0E22AB9F0096A29A831CBEBE2B9AE830E076FC2EB06CD7F5E47
                              SHA-512:A1DA4CC7D6F5A66575DBE8F533EDA9B69290692BC04ADA3903623911760F8133E6E41881D0F73AC54D8B6D7DCB677CC1FBCDD7555EC56662A3331E01622AFC3F
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WorkstationService".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration settingsVersion="1" replacementSettingsVersionRange="0">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\debug [netsetup.log]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\ProviderOrder [LanmanWorkstation]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters [*]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\mrx
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1940
                              Entropy (8bit):5.044310165919173
                              Encrypted:false
                              SSDEEP:48:/2e8G+FmwgfrNNFkwIgSf6fKEJmgV9ewYgSf6fKEQv2b/:/29Fm3nFzeoKIydoKe
                              MD5:8A38C090A12154F502B81E5A960AAEFA
                              SHA1:2271CE160A85A81D62D3903BB3F0331EE199C34F
                              SHA-256:E6DA5EF3B5B263301D17B2DC0C51C6CC16FDA40C9866EFEA7B971E886C9B03DC
                              SHA-512:A0A591E7058F7881234D7F4540315B638F79E16C89D502F33431455B51AE956AE4446016CBD18EE98E1B856BB993A260FE650D4F41C2EE39A7461AC247DFB232
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-COM-ComPlus-Setup".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. scope="Upgrade".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <plugin.. classId="{AB1D4748-682E-40AE-8CFA-6E3F8A5ED6BC}".. file="Microsoft-Windows-COM-ComPlus-Setup\commig.dll".. offlineApply="Yes".. />.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%systemroot%\Registration\* [*.crmlog]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\COM3 [*]</pattern>.. <pattern type="
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4456
                              Entropy (8bit):4.9555424047788
                              Encrypted:false
                              SSDEEP:96:AFCV0bhQ6XwwhHhxkGFr6BlQTBmRO+xwxigJ0cjb:sCebhHwwiGgO+KUR4
                              MD5:F79E793A7FB09B61402E33E99D5D7F4D
                              SHA1:15FA9A090EF3E4C4A1D67391FD0B19160A134651
                              SHA-256:DB97551E81433577692AFD67270E095DAF60D9499DA89D03099E08C992BA16BC
                              SHA-512:5944C88503CBED3045942BE5F4FF4588E7928FD8CD4969FE8462CD7B25E0688CBCCD998C6D2B9D4645F1D2DFC6126B548F6EF963CDAF2BB62FDD1B7C7E0EEE3C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-COM-DTC-Setup".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementSettingsVersionRange="0".. settingsVersion="1">.. <machineSpecific>.. <migXml xmlns="">.. <environment context="System">.. <variable name="CidGuid">.. <script>MigXmlHelper.GetStringContent("Registry","HKLM\Software\Classes\SVCID.Local\488091f0-bff6-11ce-9de8-00aa00a3f464\DefaultProvider []")</script>.. </variable>.. <variable name="LogLocation">.. <script>MigXmlHelper.GetStringContent("Registry","HKLM\Software\Classes\CID.Local\%CidGuid%\CustomProperties\LOG\Path []")</script>.. </variable>.. </environment>.. <rules context="System">.. <include>.. <objectSe
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1508
                              Entropy (8bit):4.8485090730957
                              Encrypted:false
                              SSDEEP:24:p/ouG8tHjF+dg0coRNMpMVPFJPY23UX67U03lNVMEF4wwTBXOF4wwRbL0FCUK:2uG81F+dg/ENMAJPD3UX67U0VMY4fTBV
                              MD5:6841D2882AE30F4B7894B8365497E005
                              SHA1:64BA83599BA17B0CC41C208F30B89F6B59181BD0
                              SHA-256:0839F0D5293D6C407B91F1FC1E2760A548C10BD9A7D270502777DD895DB373BA
                              SHA-512:4B6A4B846F6052DC8211527F9B790887E60D14466B87C431390FBDC02B2A4DA0A78D85AC8EE6A2CF4E9EDEDF419B6DD0641AD20F0013BF32DF528049DE2004F2
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Defrag-Core".. processorArchitecture="*".. version="0.0.0.0".. />.... .. Migrate volume statistics during in-place upgrades.. Gather: This manifest.. Apply : This manifest.... The machineSpecific element informs the migration engine to limit our.. participation to inplace upgrades only and to not include us in PC-to-PC.. migration scenarios..... This replacement manifest is to migrage stats from builds that does not.. have the change to migrate statistics... -->.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (694), with CRLF line terminators
                              Category:dropped
                              Size (bytes):2190
                              Entropy (8bit):5.399424566185527
                              Encrypted:false
                              SSDEEP:48:22e8z2j+qgSQKGeIgfxfFJRi4FMKTX8iahLgfZef7iVX:22X2qQBRZXZHmsma
                              MD5:AD5DB304D8D9511014B8F223BB9F2493
                              SHA1:479380304FEE50E5950C1D71C05084654EA68215
                              SHA-256:B3933CB802F2B1107FF957AC87E6078CCE6E8B17BB4087A82C23EBB98B17CB7D
                              SHA-512:4EC04D67CE8C28FF04E4AB64D039F01CFBAAA0D03A3463925D6F1B7ED893759B9D098989CDC562ABC372039ABCC3FE55029E2BD7B8B7078A5299090F572D4DE2
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-MMDeviceAPI".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-10.0.20000".. scope="Upgrade".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\Current
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1376
                              Entropy (8bit):4.959966347315368
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+Dg0vj3dDohU3NjovkQMUENgw5NSJXkgw5NSziFhUK:22e8z2j+DgSN0kovMUIg6NSJ0g6NSQX
                              MD5:4126A0D1FF20161C77E3A229B8CAD93E
                              SHA1:A5C67DA04AC4C27910F822AA30C86236705A6C7E
                              SHA-256:E29562B8ABFA3E4E82E241E3DFD1F731F59118D604784945DB74978D1D0EEF37
                              SHA-512:61B3E3DC0FFB2F0AC61C295E587AC62C7904BF40CD7798C5F166EBE9B69EE85DCAF869D3B57C5CD98685422868CCB16CBCD13AB037CC471EFA799DF0FE8B17E9
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-mmsys".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementVersionRange="6.0.*" .. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "6.0.*")</condition>.. </detect>.. </detects>.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsof
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):770
                              Entropy (8bit):4.922238365843601
                              Encrypted:false
                              SSDEEP:12:MM3ii1o2Mf8ior5QgF+9zgV6cjfwzAm0QzAUScm7fMfWqNal6H/v6/eNnAMf2/ZV:p/o2e8ZR+lg0cjvv3jENgwHdJXMFhUK
                              MD5:F3AAF50EBBE5CC1EE010B21480F81EEF
                              SHA1:265304C83DDE4277CD9FDBBC3E841D9E7050F709
                              SHA-256:5B40A51844B48E02485DA35D7730340712BBC3E2F132E3457B8544A51D8409A1
                              SHA-512:09F8018AD4D54E5826B0A7ACCAF338FF8F79D7E7F5D90950FF6055522F64BC5F261C6832968B49BA1CE21BF0C5869845E87C97E130D312A6C3AE8FE3C403BC80
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-MPR".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. settingsVersion="1".. replacementSettingsVersionRange="0".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Network\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1210
                              Entropy (8bit):4.994299709124934
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+vg0vj3gi3vUUDovjgENgwZZuJXLENgwwZuJXMFhUK:22e8z2j+vgSQHU0LgIgasJ7IgfsJuX
                              MD5:EB83E1151DA906E53BDFD08E83957167
                              SHA1:1A9059C075A4137708B766C192D0C1DD061EFAB9
                              SHA-256:3F3A5354BE36C08CB7D5E1660CAF1CFC9DC49936FE1DE1F06A2692BB7E375562
                              SHA-512:BCDCD2D31D920A9C6C8E6E8636D02FA1467100FFA54B4D25C51629B426728CD704153B3C1FC36CE4AB4B04778281A9131686E649D1AD1F9B3D6678EF15AAF8AC
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-MSMPEG2VDEC".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\Scrunch\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <include>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1676
                              Entropy (8bit):5.017765047335379
                              Encrypted:false
                              SSDEEP:48:BVU42e8v+1gfN0nIgbvRJ7IgTrvTBJuRW+:PU42CQ0n5j7prrb6
                              MD5:5CCE3B56D7267C6BAABE3C95D8C9C8DD
                              SHA1:422D93D8553C55010500FEB9411D02DA24A608A2
                              SHA-256:C4B2443268B21738C5F23F7AF28F43B654E439B6D605C5B75FF44C2321D6A4DB
                              SHA-512:B8F6544CBE0DA15B72AF9B9E2A5D0CE051CA8AEF54E0A92D8D40B29ED798D807D9948194D1B83611069834DB771F9E6888FE4096C6A2522BF0A97B18DC51FFEE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>.. Replacement manifest to allow offline migration in Vibranium. This manifest file can be removed once upgrades from pre-Vibranium are no longer supported. -->..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-MUI-Settings".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Control Panel\Desktop [PreferredUILanguages]</pattern>.. <pattern type="Registry">HKCU\Control Panel\Desktop\La
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2518
                              Entropy (8bit):4.9953244718272565
                              Encrypted:false
                              SSDEEP:48:22e8v+vwgf+yFMY4bB1b31Ea31NG31ADucIXwxBu431Es31EL31Ejy31Eyq3i43v:22CvXMNXhE+Acb7ZEQEREjmEt38O
                              MD5:B477E197EEE62DD7DC7F4461D90EAE66
                              SHA1:A03E4EB59E68EEDD1E7F83EDDF80007BEA46C5F0
                              SHA-256:12441C8D5E80D969ABAD70744DEE398777F27DDE9868BAD6651F19AB4CCFED35
                              SHA-512:A46E139AF0153428529228F8FCD0F4922436A647FE5CB6958379D1B8F7033407C4865000E2E30DE615A93F9FAD1D03401728FBA134BCC77A6D4BBCF238A660C2
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Mup".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. settingsVersion="1".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1-10.0".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths [*]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\NetworkProvider\ProviderOrder [*]</pattern>.. <pattern type="Registry">HKLM\System\C
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2986
                              Entropy (8bit):5.068734994067316
                              Encrypted:false
                              SSDEEP:48:22e8M8PvSgMW8XTPvJ8+AgStkMIg7HEeXze8eXIIeg8nyY3eyYSzeyYbeyYSIIej:22o8PvSgMW8DPvJP9MtaIcCIS8kSIOvu
                              MD5:4907591945DFEAE471E6795A82434218
                              SHA1:6227A621FA90DCB77B5D844704BE635CE45D45BA
                              SHA-256:29180A5F2392D217DDF5C4746E46F54DA7EE73053134D9D5AF6421A5210D71DE
                              SHA-512:9124AAAD8E36B7B09B31488622D105878302AC886F1BB5BD1B45B76E844C5C2DD6B76BA03B1B3E1A90155BC616FE62F0F343438CF12FAAD6136586B50970973B
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. authors="".. buildFilter="".. company="Msft".. copyright="".. creationTimeStamp="".. description="NDIS replacement manifest".. displayName="NDIS replacement manifest".. estimatedSize="".. lastUpdateTimeStamp="".. manifestVersion="1.0".. owners="".. supportInformation="".. testers="".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-NDIS".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0" replacementVersionRange="6.0-10.0" .. settingsVersion="0">.. <machineSpecific>.. <migXml xmlns="">.. <rules contex
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1848
                              Entropy (8bit):4.974849828209178
                              Encrypted:false
                              SSDEEP:24:q/VnRg0cj3gi3NjmrQ8b2FPaPsJBPIKzJ5Q2fIvmp4SJcDYcftYc8zsgm8aFhUf:8gfQgexr4BPI+qCyYCYugL02
                              MD5:A008B7017AF6183E767EC590BE1B6F96
                              SHA1:B81FE9A05866E2772F90FC7D8C7744EDC752C203
                              SHA-256:77A3B31FC4F8DB2D7523EBC206AAFBBCE02AC2FC6729EDEEC44D1A9F567F84CA
                              SHA-512:1FEA683B6323284BA42C6C1EB513BEFB9188C2878D97CBED62855667469EC7A7DF8536CCD727F92A3A1E5A3CB60CE6B5BA5D9BBB7B7D128D8B895BB44C9A02BB
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="WCF-HTTP-Activation-45-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.1".. >.. <registerSDF name="WCF-HTTP-Activation45"/>.. <migXml xmlns="">.. We detect the presence of WWW by -->.. looking for the W3SVC service. We base this on the -->.. registry key for the service declaration. -->.. WSUS already installs IIS, and .NET4.5. -->.. So, WCF HTTP Activation can straightaway -->.. be installed, if WSUS is installed -->.. <detection>.. <conditions operation="OR">.. <conditions operation="AND">.. <condition>MigXmlHelpe
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1043
                              Entropy (8bit):5.165272741660117
                              Encrypted:false
                              SSDEEP:24:p/VL+bg0cj3gi3NjmrK8Bp2ce+teMMPFhUK:EgfQgeL2cxbMNX
                              MD5:6129E905CA875AC6A3A65AC0B0ACBF7D
                              SHA1:D771FAFF315473F7D5AD7A7BAD19DD049926DDAB
                              SHA-256:6A8A1CD41A2F50D240FFF369D190C485841092A916759742893330490CE972D8
                              SHA-512:BDBDBFA78C01419B90591314FDA302C88EA79309D85F92B5EFC0D8197467095D6E8D6B435D96A9014E7344769376D2916DB2C713542096CD20A3EEDB877F8C92
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="NetFx-WCF-MsmqActivation-Registration-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.1".. >.. <registerSDF name="WCF-MSMQ-Activation45"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF\v4.0 [NonHttpActivationInstalled]")</condition>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\CDF\v4.0 [NonHttpActivationInstalled]")</condition>.. </detect>.. </detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1043
                              Entropy (8bit):5.1511191144184085
                              Encrypted:false
                              SSDEEP:24:p/VLtqbg0cj3gi3NjmrEh8Bp2ce+teMMPFhUK:5cgfQgeEO2cxbMNX
                              MD5:0246D3BA1D1AEF11A2EA196F011C6575
                              SHA1:C1BB91382A82B87B1E3EE90355C1CDF7FA0DE3B7
                              SHA-256:431E33EC353483B7FEFFB481CA6A90AF27E5DC74046B6AD0AFA1C238EF5C0928
                              SHA-512:1D7B2E81FCC3568042359682216B5016CCD9A27525E5E261F9C69F89DD7CED9CE14D3A946A757814851BEA815A64DF9C587711E0B26C4385613D94D52B186EEB
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="NetFx-WCF-PipeActivation-Registration-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.1".. >.. <registerSDF name="WCF-Pipe-Activation45"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF\v4.0 [NonHttpActivationInstalled]")</condition>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\CDF\v4.0 [NonHttpActivationInstalled]")</condition>.. </detect>.. </detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1036
                              Entropy (8bit):5.169841986450516
                              Encrypted:false
                              SSDEEP:24:p/VLDbg0cj3Me3bjqN38Bp2ce+teMMPFhUK:rgfcMCk2cxbMNX
                              MD5:CB6D6718B7B425E09ECDE59D587B95B5
                              SHA1:6980CB15075936144FDC38D271EC5402A6644555
                              SHA-256:384876C3B47453DFF32E8E28A44C45A20931ED1741287E972A9720C50A2F9D5C
                              SHA-512:5E063F982F175E60E01A804AC404DD01C2E0B083C451FE5D43AEDCCC4D68D18BA09E2DD93B0A010B7304F36A0712C49414BEA787E16CAF3B11593DF34EA896F6
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="NetFx-WCF-TcpActivation-Registration-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.1".. >.. <registerSDF name="WCF-TCP-Activation45"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF\v4.0 [NonHttpActivationInstalled]")</condition>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\CDF\v4.0 [NonHttpActivationInstalled]")</condition>.. </detect>.. </detects>.. </mi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):601
                              Entropy (8bit):4.840281405525467
                              Encrypted:false
                              SSDEEP:12:MM3ii175cF+9pugV6cj3qbN0QzAazAjlKofScYfA06Jpdqd+FRZyuhURpG:p/Vg+yg0cj3gi3Nj8Mp2MPFhUK
                              MD5:15739D1D4CFF6F9B097FDE84C5690841
                              SHA1:14970F7861061F711C841AFBEED65132C24A4488
                              SHA-256:7CA237C7D91EBE8DE15B8D671753B9AB75F64BDFD10029647E375DF2AD1EE827
                              SHA-512:BA04C8D74AE9ABB9A9C36799CF15AE5BCD2907DF6AD6A48804E41AADB33985B3D733F68C12C314935CD780D8D72032B467853D8E02471559602B9E50EFB91391
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-NetFX3-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. <registerSDF name="NetFx3"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):863
                              Entropy (8bit):4.844344544244615
                              Encrypted:false
                              SSDEEP:24:p/Vg+xg0cj3tDe3NjgXp2MKENgwwYEJXMFhUK:Y+xgfdQg52MKIgf1JuX
                              MD5:53DBBA8A23157C94649AB5EC2D7C2AF9
                              SHA1:01C812523474896FAFB3BB72DF29470A3B0123D4
                              SHA-256:314E857D257CD7C43A5CDBDE008D062187A51CD8BEF2EDE399EA2C66AFDFAA2E
                              SHA-512:AF3BB31FA441AF105A2D7D55762E0FA1E1B317AB17183A1BBE663CA916B7EC501BED08E427664523596190A62CF6FFC87FEC8ED36873595A0B9F7E94896CEE68
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-NetFx4Policy-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. scope="Upgrade,MigWiz,USMT" .. replacementSettingsVersionRange="0".. settingsVersion="0" .. alwaysProcess="yes" .. > .. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):668
                              Entropy (8bit):5.005996817484964
                              Encrypted:false
                              SSDEEP:12:MM3ii175cF+9pvgV6cj3qbN0QzAazAjlKXScYfA05o+D0KHntd+FRZyuhURpG:p/Vg+bg0cj3gi3Nj8aYcPMPFhUK
                              MD5:191F93AC617668AD83E101FF6EDBB04E
                              SHA1:50544C1416073F991EC8D5D435924A80F84936F7
                              SHA-256:98E50F0221AD35697288F3258287FAB110AC3F1995D3D3F861D66F2E6F6725DE
                              SHA-512:DDB3151A8EE66777C600E061F3643F480DE9427DB78740D29E594C0D5B7F8887083474D828B028FC35B97A3BE31056BD8D96AD6047D81BE99D2E541EA36EEB3E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-NetFx4-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. <registerSDF name="NetFx4"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry","HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full [Install]")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1517
                              Entropy (8bit):5.041469920605277
                              Encrypted:false
                              SSDEEP:24:q/o2e8QFjVg0F5HB3NjoFppWcCEF4MHMxwu3wu9BX0FCUK:/2e8mVgUH/oFXWcCY4MHMxdnB2A
                              MD5:E54B79DD05B1B9EFD54B5E8EF0F7D695
                              SHA1:97838F533FC57A049A067188F729BFAAA8C64FDC
                              SHA-256:69CF102D86CFA2241CF5827BC0D44016CC12B6364657363410F054E17859AF41
                              SHA-512:BBBEB7844168D03846827DECF9D9F24FD0FDA53992AA7CA3FCEA6A6F804ADF5B4AD36497A84660B9A17629DF33444857748FB58650AF80693178C815D2177636
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. supportInformation="".. >.. <assemblyIdentity.. name="NETFX4-WCF-CLIENT".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. <migration.. replacementVersionRange="6.1.*".. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\Microsoft.NET\Framework\v4.0.30319 [SMSvcHost.exe.config]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1433
                              Entropy (8bit):5.026935581875683
                              Encrypted:false
                              SSDEEP:24:q/o2e8QPjVg0F5HB3NjoFppWcCEF4MZmI3MnmI3wuiBX0FCUK:/2e8AVgUH/oFXWcCY4MZmGMnmGwB2A
                              MD5:A2AA9EF22680C1BDCD52F827A3D8B73C
                              SHA1:DDCBB10B499DA1C1636625DCC5A66841271460D4
                              SHA-256:E07B3612EC2C44701AB099E967C17B18D65C0C7133BC842EC2FD1D6634FD5FFF
                              SHA-512:892F98B33B18B0073B6DE76B74DD2D173A6C434150EBA5470DEBEE577C7C2F34B281D2FB6B904938B4FF5C335796D29CE29880B99D4C56938DE7D665D9593529
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. supportInformation="".. >.. <assemblyIdentity.. name="NETFX4-WCF-EXTENDED".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. <migration.. replacementVersionRange="6.1.*".. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\Microsoft.NET\Framework\v4.0.30319 [Microsoft.Workflow.Compiler.exe.config]</p
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):17501
                              Entropy (8bit):5.328484306552376
                              Encrypted:false
                              SSDEEP:96:22/sMK1r6gtSVqL/LATqVz0qLUob5k/lko+antnJFhFBx97V+V8hfJiVo202I40s:/sMuCkLZYGytg7xobiuD6TP3p
                              MD5:807FC5C892DA87CD3A000AD4FDF86457
                              SHA1:5F961994ABD24CB352668AB7D7618BE219BF59E7
                              SHA-256:5E2D4A13F99F597378284C20A3C4413BCE71BFB3B1DB76A861C71FB973AAFAAB
                              SHA-512:739432DAEC936E0E65101DA2A2D5088411BBDDE2ECC1C52BEFCC1BE6EC2716C3AE0D411A22F2C94BB08B9DFB818C170C514EDD07E9C5D2C860A62D8C7BEA6AC2
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. description=".NET Framework component".. displayName=".NET Framework NETFX4CLIENTCoreComp-Replacement".. manifestVersion="1.0".. supportInformation="".. >.. <assemblyIdentity.. name="NETFX4CLIENTCoreComp".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. <migration.. replacementSettingsVersionRange="0-3".. settingsVersion="4".. alwaysProcess="yes" .. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\Microsoft.NET\Framework\v4.0.30319 [aspnet.config]</pattern>.. <pattern type="File">%windir%\Microsoft.NET\Framework64\v4.0.30319 [aspnet.confi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):110904
                              Entropy (8bit):5.8549454139318415
                              Encrypted:false
                              SSDEEP:1536:R5BlDF15mjQ0KLjHuZgLN+7LytXGYP0wrGes9zthH9CWPO2R:hlDF15gQ5GZgR+C2A0wruhtrCWDR
                              MD5:12B82393B0D64998F08B339695FCD6C4
                              SHA1:5444B0A4972675D2C57FB4461509F7DDC78D57E1
                              SHA-256:AFAC6370538DDA587E31F4EF9873ACBEBD9144E7D304B3CDE608E78FA8E04808
                              SHA-512:D7118596B36AB714485F878FB161DF5678E7606105187CF183C5F524F942D259E56BDD85C7EEDAE356BC6B02ED174AF8B3E825DC91A58CC9D2DD93F6C697C46C
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1581
                              Entropy (8bit):5.0140227919204285
                              Encrypted:false
                              SSDEEP:24:p/o2e8Zbnig0cjh3NWJQGF4wuCiawuC5yYLrEF4wuCEwuCWBX0FCUK:22e8tigf6JX4AiaA5yY3Y4AEAWB2A
                              MD5:D93657F2E96D6A427641286E3BAF51E9
                              SHA1:F9BFA904C0B4378DC122F8008704653C5E618F6E
                              SHA-256:2EB9E07DFA37C5EE7D088F65001D5CD65087563F85CFAEC67FE31447C6880E05
                              SHA-512:CFDCCFDBAA514DDFF055E9C12EB9482F1CA42E525A14C0C7C501B81F135A991365315275D7B31CD6BA37FD7FBABF68244C0C250DC7BA02E2CF67C5F00A218E1B
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Networking-MPSSVC-Svc".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{2f593f80-46a4-4da9-aad8-83a71d1f4333}".. file="%windir%\system32\icfupgd.dll".. />.. <rules context="System">.. <exclude>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Servic
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):117048
                              Entropy (8bit):5.949810450867234
                              Encrypted:false
                              SSDEEP:3072:AysQCJypn59E5j06aANws+VVR7rioCHrTD8R:AysQCJyD9E5jfdeRS5HrG
                              MD5:5A8E4CF44D4464F7B33B42EBDCFDF5F8
                              SHA1:2C97D7F40266E2A63AE44C461DADA7EC0165DE74
                              SHA-256:955F3923B8BBADBEBD63F737524BA22D8EE85F845F1EA5F71F9B4C2286CA6F6A
                              SHA-512:3D4972AE8A53DF1A9A5F220B14D9E795B2EB1A8BB97D3D4571A079B4DA7D3CDEB528F57FE14A016801A460035B3B1F602BFC971140468DB5CF9E441B29A5C1C6
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):674
                              Entropy (8bit):4.92299584634672
                              Encrypted:false
                              SSDEEP:12:TM3ii175cF+9pLqQgV6cj3whQzA0zAjkaKNTScYfA0rkd+FRZyuhURpG:q/Vg+3qQg0cj3K3bjkFN9MPFhUK
                              MD5:5AEA038D54512DE0ACA78B8E7E1F9A79
                              SHA1:5712B382AC1C8FB9F735A4D49E26B9A7C1EA2411
                              SHA-256:FC0597E0EBF94FCD1F8891890AB15128149F940797D33945235D449D6D262F6E
                              SHA-512:24554EA766493219C56E92ED779274F3D3708DDC4DBE85EBC82E2680409402A59584775374CCE81415E0DD8F2CCACA365BB40828CAC6151FE26F65E650A92CA2
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-NetworkLoadBalancingManagementClient-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="NetworkLoadBalancingManagementClient"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [nlbmgr.exe]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):673
                              Entropy (8bit):4.954796384401431
                              Encrypted:false
                              SSDEEP:12:TM3ii175cF+9pwrQgV6cj3whQzA0zAjkaKECScYfA0c4q3d+FRZyuhURpG:q/Vg+6Qg0cj3K3bjkFEAlNMPFhUK
                              MD5:AEBE07A8DB389F526A833498A3ACDAA8
                              SHA1:E5BEAC41853AE9023D2D78730ADAFDFA557FF21E
                              SHA-256:1A1953A9630DC4C9363ABD296D5C3DF2520AC5105DD75BFC2EBF83865B6F0E07
                              SHA-512:E3A572E5733E3BFD765AB251D82210EF89BD2EF69F4E0C041D84850F61FFF6EE7CC3BFED50214BEF7933CEDD9B8C1A0BD19BF9EB16B366B707E52B7C20C95F1E
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-NetworkLoadBalancingHeadlessServer-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="NetworkLoadBalancingFullServer"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32\wbem [wlbsprov.dll]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2131
                              Entropy (8bit):5.041009227870897
                              Encrypted:false
                              SSDEEP:48:22e8v+HgftfMY4fo2fodfoQvfoCYfd5B84fo2fodfoQvfoCYfd5wA:22C+fMBRUtnZWNRUtnZW
                              MD5:E7BE1315A7BC3A7018E9A8E5CCAA284E
                              SHA1:84E7C6C52CBB688C0ECF5E27EC4D2E130A81AFAC
                              SHA-256:9DF392C8A8FC35489F3F2DDD9D7798FF31171EDA8C9F93CFB0408C8D7DCC3676
                              SHA-512:08D6B76EFA6961B24D51DEAF39C82F7EDD22FDBE5E24991C0DD761C19EFF00A860489D8DEF762EFBC5A9504F751CCB99D735E04DA1B78DA48A78B6AA9C410973
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-NetworkProfile".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration scope="Upgrade".. settingsVersion="1".. replacementSettingsVersionRange="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\W
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1149
                              Entropy (8bit):4.892193298767266
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+bg0cjh3NWMEF4wOX3BXnB4wOX3LKFCUK:22e8v+bgf6MY41BXB41wA
                              MD5:E277E6CA217473C96D3A5299034FB016
                              SHA1:043A4FB684984CF48C31EA67454B47354B0F3BCE
                              SHA-256:F8EFB99A08DCC9D3C7E48A732D9655DFA39FFAB6A113EE361DECB244BD13405E
                              SHA-512:69721F259622C87F86B3BF5AB5A688B4E43C6967E2207AC8B7B6429280C67BAAEC1B9E17DB51A46FF2274D92CB9A11886400E603DE8F8C566EF0A4081911DEB6
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Network-Security".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\* [*]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.DestinationPriority()">.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\*
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1277
                              Entropy (8bit):5.0708506476472195
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+masg0cjCjc3N0MEF4wwfEiwwfEOpwwfE2wwfEnBX0FCUK:22e8z2j+masgfuzMY4fMifMmfM2fMnBb
                              MD5:6BEA51B863142F8B797E02DE3625FB8A
                              SHA1:CDD7DF2933AD1D8B618AF86C4C22890316788047
                              SHA-256:1D789C82BF95E307B9DC57930C66B7A1BDD0C322C786410CEEAB32399955A7FC
                              SHA-512:6AB330A56F465F17BC58750805504665A04A4A4CBD0B6C55D6EB61E8E8858E84969A21E29F0DD81F3FCD070228D12963DC5E759178A312F946609361FB16070E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-NFS-AdminCore".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration settingsVersion="0" .. replacementSettingsVersionRange="0" .. replacementVersionRange="6.0.*">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\ServicesForNFS [Rfc2307]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\ServicesForNFS [Rfc2307Domain]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\ServicesForNF
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1199
                              Entropy (8bit):5.0529640327222305
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+mXg0cjCjc3N0MEF4wu71KgwwWnwwWwBX0FCUK:22e8z2j+mXgfuzMY4n7fWnfWwB2A
                              MD5:5B937C82B1EE7A46C7294FB6743D14D7
                              SHA1:C2CF04B2478B22A7B8C465AAB43CC89338947260
                              SHA-256:11F13EAC846F4377D93491BEEB6016A08F58D6BCB612B065D345AF194710B2BE
                              SHA-512:9D4900AD3EE79B0FDC6F62FC60527D2F6219DD1FD86B50ECDA34EEDDB4F222DA6A930D14D9B1D4F686CCBE65D31C353D6DA62186F7492171ABB458C0D30C5A4A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-NFS-ClientCore".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration settingsVersion="0" .. replacementSettingsVersionRange="0" .. replacementVersionRange="6.0.*">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\NfsClnt\NFS LANs\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Users\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1193
                              Entropy (8bit):5.0238718124732955
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+mDg0cjCjc3N0MEF4wuGwu/FwwHjORBX0FCUK:22e8z2j+mDgfuzMY4ItFfKRB2A
                              MD5:A9412350B4F5A0AFC23BCD02DDCFCA48
                              SHA1:B18226FA85DF862C5C4D610BE1E9E3B1A68981D3
                              SHA-256:875CF9CF90E8D3EE4705BF28A5E52F9540574DAB443DF7A4288632413500F15A
                              SHA-512:BF009C9C4DEF6E5F80EB5EDBD55AC7A00F71CE410111DBAB072C4E2CFA2DD6E5424381D9E4C4EBDB0ABD78BDA797000B0C6308D8201C54E03E774D8A43186093
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-NFS-ServerCore".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration settingsVersion="0" .. replacementSettingsVersionRange="0" .. replacementVersionRange="6.0.*">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\NfsServer\Parameters\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\NfsServer\NlmNsm\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWAR
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1095
                              Entropy (8bit):5.0307663412993096
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+momGg0cjCjc3NOFpPjMPFhUK:22e8z2j+m6gfulF5jMNX
                              MD5:701BD81726959DD30B309DABC60C9307
                              SHA1:F0FA1179D819FDCE8BB45818368C7E7F72264CB2
                              SHA-256:3A83C2ECB3E3130ADEA06FC5223B3ADDEFC1034913D256D0ED3479FF5B00061F
                              SHA-512:A6AB216B80ED14C533C7E1FE847AAAE68FBC504EA5313E686A1FE4CEC8BCA02D4F48949BE07ECF50A44EF5FB8F966007D47E1849C8E09464FEA6F3E357A8D793
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-NFS-ServerCoreUpg-ClientCore-RM".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration settingsVersion="0" .. replacementSettingsVersionRange="0" .. replacementVersionRange="6.0-6.1".. alwaysProcess="yes">.. <registerSDF name="ClientForNFS-Infrastructure"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [scregedit.wsf]" )</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [nfsclnt.exe]" )
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1094
                              Entropy (8bit):5.0346819870731085
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+mo2ag0cjCjc3NOFEjQPIMPFhUK:22e8z2j+mWgfulF1IMNX
                              MD5:7BF7A9D7DE772224D607716D7145CE4A
                              SHA1:DA35F907588219511BE992BB5FCC4D0B35207F7E
                              SHA-256:B80C6B14388D5C1E690F9C369BB7B5A8C5608840FB7148CCA641F6C8A06250FC
                              SHA-512:F6270E8FB52CB5A5ECF22FEB5C89D25EE4B01D8672294389FC8CF3C822F23D08ADB29CED009A873502566196B17CEC1230E1D42C2A0D87AF10D4D43187013178
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-NFS-ServerCoreUpg-ServerCore-RM".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration settingsVersion="0" .. replacementSettingsVersionRange="0" .. replacementVersionRange="6.0-6.1".. alwaysProcess="yes">.. <registerSDF name="ServerForNFS-Infrastructure"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [scregedit.wsf]" )</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [nfssvc.exe]" )<
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1336
                              Entropy (8bit):5.0982632428380485
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+VjRlQg0cj0m3A626ENgwwVRr6JXmNgwwVRrRnTuFdVjRGvEFhUK:22e8v+VVagf0zT6Igfbr6JmgfbrpSFdf
                              MD5:61E1251B308F9D03FA903D123BE58458
                              SHA1:AD763A131B23278BDE30C0923FDBBD2708AF10AA
                              SHA-256:A48210C952EDF1688C5E9F33EDCA5748EA9A90C8DFAB5D2033CC43BA19F0372D
                              SHA-512:DE6BD00DF643A0B178BEF175D75B9D7E0F7DBC7B8A6E1A8559F82A471BCED2066C902391CF1FBECB6421BF041CE9572859435A850EF8136AAA14E6E32D43BC78
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-NGC-LocalAccountMigPlugin".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. replacementSettingsVersionRange="0-1".. settingsVersion="2".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\NgcPin\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):889
                              Entropy (8bit):5.016955029110262
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+Vj3Xg0cjAkt3QbENgwnwJXMFhUK:22e8v+VrgfAbIggwJuX
                              MD5:2948FF1C0804EC7DB473BB77EB3FBE4E
                              SHA1:98A97AFC0E4E2B09A17AA0746F455DFD24356357
                              SHA-256:2F6B99F5915A462CAFF60950839E1498F12C9F8194DB3DA02251C5BD2CAD700E
                              SHA-512:8393B3AE7D44A4DD85D05D48768F9123910E603C477A3CACC6BF12D03D464959EC01A293B0B3317B0F8470A76D71F695098AE211DD6200D8F7F21E1C757F4EDA
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-NGC-PopKeySrv".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. offlineApply="no".. scope="Upgrade,Data".. settingsVersion="3".. replacementSettingsVersionRange="0-2" .. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Ngc\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):943
                              Entropy (8bit):4.9064017827468795
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+hg0cjTLG3m6jxMEF4wuDZmBX0FCUK:22e8v+hgfTXGxMY4NgB2A
                              MD5:D379086339AF83904B82AED98B4EBA62
                              SHA1:01000D15153671CCFFD84A165C27F0CAE05648FC
                              SHA-256:BCDD005F66486860E9814743362824A9E0413F56CFD0C9AF61A6A072BDC306FB
                              SHA-512:F35ABAA23E944EA72B38422C93FCBD87828ECFEABEBB7919EE654602839BA68CEAFA77A6F038BEB666F73862D810978419B6511B2CF40A096D424CBCD8F956B7
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-NlaSvc".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="Yes".. replacementSettingsVersionRange="0".. scope="Upgrade".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1041
                              Entropy (8bit):4.870018173714565
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-notepad".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0-1".. scope="Upgrade,Data".. settingsVersion="2".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Notepad\*[*]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Notepad\*[*]</pattern>.. </objectSet>.. </include>.. </rules>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):753
                              Entropy (8bit):4.987786988087474
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-Networking-NPAS-Role-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="NPAS-Role"/>.. <migXml>.. <detects>.. <detect>.. Detection of NPS (IAS) runtime via IAS service, both HRA and HCAP require NPS-Runtime to install -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SYSTEM\CurrentControlSet\Services\IAS")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):633
                              Entropy (8bit):4.921477924460142
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-Networking-NPSUI-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="NPSManagementTools"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [nps.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):13893
                              Entropy (8bit):4.929753223890641
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. This is a replacement manifest to replace the faulty manifest for Vista, Win7 and early builds of Win8 (before 8156). -->.. This is because those faulty manifests did not take WOW64 entries into account -->.. This will support both gather phrase and apply phrase, since USMT can be used to migrate settings from Win7 to Win7 -->.. This will also support the gather phrase from sources machines of WinXP and Srv03, since those machines can still migrate to Win7 -->.. Currently, we only support 3 favors of migration: (x86 -> x86), (x86 -> AMD64), (AMD64 -> AMD64) -->.. <assemblyIdentity.. name="Microsoft-Windows-Microsoft-Data-Access-Components-(MDAC)-ODBC-DriverManager-Dll".. version="0.0.0.0".
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):11885
                              Entropy (8bit):4.8679273063411745
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-SpeechCommon-OneCore".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. replacementSettingsVersionRange="0-3".. scope="Upgrade,MigWiz,USMT".. settingsVersion="4".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <conditions>.. <condition negation="Yes">MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization [AllowInputPersonalization]")</condition>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\PolicyManager\Current\Device\Privacy [AllowInputPersonalizati
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3825
                              Entropy (8bit):4.885855793353109
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-ncrypt-platformKeyStorage-dll".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,Data".. settingsVersion="2".. replacementSettingsVersionRange="1" .. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\Microsoft\Crypto\PCPKSP\* [*]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.SourcePriority()">.. <objectSet>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\Microsoft\Crypto\PCPKSP\* [*]
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6356
                              Entropy (8bit):4.838086888336113
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. .. The same manifest is used for both server migration and client migration... We must not change the assembly identy name of the manifest, or we risk breaking our link.. with the server migration tools... .. In Win8, BranchCache has two manifests with <migration> sections:.. PeerDist-Server-Migration: Covers all migration scenarios, with SettingsVersion=2.. PeerDist-Upgrade: New to Win8. Covers all upgrade scenarios, with SettingsVersion=2 for consistency.. .. In Win7, BranchCache originally had two manifests:.. PeerDist-Server-Migration: Covered both upgrade and migration scenarios for Server SKUs with SettingsVersion=1.. PeerDist-Client-Mi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6363
                              Entropy (8bit):4.839803055265343
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. .. The same manifest is used for both server migration and client migration... We must not change the assembly identy name of the manifest, or we risk breaking our link.. with the server migration tools... .. In Win8, BranchCache has two manifests with <migration> sections:.. PeerDist-Server-Migration: Covers all migration scenarios, with SettingsVersion=2.. PeerDist-Upgrade: New to Win8. Covers all upgrade scenarios, with SettingsVersion=2 for consistency.. .. In Win7, BranchCache originally had two manifests:.. PeerDist-Server-Migration: Covered both upgrade and migration scenarios for Server SKUs with SettingsVersion=1.. PeerDist-Client-Mi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3261
                              Entropy (8bit):4.852867604495191
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. .. The same manifest is used for both server migration and client migration... We must not change the assembly identy name of the manifest, or we risk breaking our link.. with the server migration tools... .. In Win8, BranchCache has two manifests with <migration> sections:.. PeerDist-Server-Migration: Covers all migration scenarios, with SettingsVersion=2.. PeerDist-Upgrade: New to Win8. Covers all upgrade scenarios, with SettingsVersion=2 for consistency.. .. In Win7, BranchCache originally had two manifests:.. PeerDist-Server-Migration: Covered both upgrade and migration scenarios for Server SKUs with SettingsVersion=1.. PeerDist-Client-Mi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):4.505137859377084
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?> ..<assembly> .. <assemblyIdentity .. language="*" .. name="Microsoft-Windows-PeerToPeerGrouping" .. processorArchitecture="*" .. version="0.0.0.0" .. /> .. <migration .. alwaysProcess="yes" .. scope="Upgrade,MigWiz,USMT,Data" .. replacementSettingsVersionRange="0" .. settingsVersion="0" .. > .. <supportedComponents>.. <supportedComponent>.. <supportedComponentIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-PeerToPeerGrouping".. processorArchitecture="$(build.processorArchitecture)".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. settingsVersionRange="0".. versionScope="nonSxS".. />.. <migXml xmlns="">.. <rules context="System">..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1669
                              Entropy (8bit):5.130287048633962
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-PerformanceCounterInfrastructureNonExecutable".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. ignoreConfigurationSection="Yes".. settingsVersion="1".. replacementSettingsVersionRange="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib [Last Counter]</pattern>.. <pattern type="Registry">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib [Last Help]</pattern>.. </objectSet>.. </include>.. <merge>.. <obje
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1386
                              Entropy (8bit):4.852234874776962
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Personalization-PersonalizationCSP".. processorArchitecture="*".. version="0.0.0.0".. />.... This file is meant to migrate PersonalizationCSP reg keys when upgrading from a build that did not have migration rules for them. .. These older builds will have manifests tagged with settingsVersion="0", so we use that value as our replacementSettingsVersionRange... Any build that does support migration will be tagged with settingsVersion="1", and will therefore use PersonalizationCSP.man" -->.. <migration.. scope="Upgrade".. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):982
                              Entropy (8bit):4.74398268405091
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-PnpMigration".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. replacementVersionRange="6.1-65535.65535".. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{ff9c714f-b864-4f43-ae39-ec07d7385abe}".. file="Microsoft-Windows-PnpMigration\pnpmig.dll".. offlineApply="yes".. />.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1303
                              Entropy (8bit):4.833056846733768
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Devices-PointOfService-ProtocolProviders".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="Yes".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\PointOfService\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. .. To exclude sub-keys and/or values from migration add exclusion pattern(s) here and in posproviders.man...
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6428
                              Entropy (8bit):5.039492449097593
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-EnergyEstimationEngine".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="Yes".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power [EnergyEstimationEnabled]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\CPU\EfficiencyClass\$ [PowerEnvelope]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\Ener
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (337), with CRLF line terminators
                              Category:dropped
                              Size (bytes):2577
                              Entropy (8bit):4.987354238245289
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-powercpl".. processorArchitecture="*".. version="0.0.0.0".. />.. <configuration.. xmlns:asmv3="urn:schemas-microsoft-com:asm.v3".. xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State".. >.. <configurationSchema>.. <xsd:schema.. xmlns="Microsoft-Windows-powercpl".. targetNamespace="Microsoft-Windows-powercpl".. >.. <xsd:element.. name="ContextMenuTree".. type="xsd:string".. wcm:handler="regtree(&apos;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\ContextMenu&apos;)".. wcm:migrate="yes"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6093
                              Entropy (8bit):5.062601767120085
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.10".. />.. version 10 (19H1) -->.. <migration.. replacementSettingsVersionRange="10".. settingsVersion="10".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvAcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvDcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\Curr
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5606
                              Entropy (8bit):5.088062689237854
                              Encrypted:false
                              SSDEEP:48:/2e8v+Ngf7MY4xBxgxu7SobxwzaxYxQVLuQURBBEb33pgpDpsneOFB2bc5BuwBx7:/2CiMnm/sHiGebGZ/F
                              MD5:484F3ED232A54B77888FAD0DC526CEDB
                              SHA1:8277E02B3C30CC8EE5E52FC0755C33037DB5F744
                              SHA-256:7E76B70505F4C0A671A6DCC974A4C5641F1398D8ADA4D90A926924C2D5F15E13
                              SHA-512:03D5D4333F2BDE2696860F49BFA90AD290EDCE4B3EA145BC8B9518F980BD62CCCDA37B66A4B8205ECD6C7089577BABB9C76715C9AEBAA138414FCED96E7EE049
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.11".. />.. version 11 (19H1) -->.. <migration.. replacementSettingsVersionRange="11".. settingsVersion="11".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvAcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvDcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\Curr
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5611
                              Entropy (8bit):5.088215102653149
                              Encrypted:false
                              SSDEEP:48:/2e8v+NgfCUMY4xBxgxu7SobxwzaxYxQVLuQURBBEb33pgpDpsneOFB2bc5BuwB5:/2CLUMnm/sHiGebGZ/F
                              MD5:D4396DC7AFEC9AD38A7CEFFC04613E2E
                              SHA1:C04B4ED356A8C78A4D577CE7331E8DE15C5FF89E
                              SHA-256:02CE2D4E8C61FEFD5D8D4F9C75611306F1942DAD1296F2CD57C12774EBD15D2F
                              SHA-512:116BF25F1DD3C8835FA25CE703995E97B33A4217B87960BFC37173A1104218C495517D110004BC57EC489CF033106ACD546E5AEF2120B4059F2E92701EEB999D
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.12".. />.. version 12 (Vibranium) -->.. <migration.. replacementSettingsVersionRange="12".. settingsVersion="12".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvAcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvDcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4183
                              Entropy (8bit):5.089015501963241
                              Encrypted:false
                              SSDEEP:48:/2e8v+NgfQIMY4xBxgxu7SobxwzaxYxQVLuBBEb33pgQpDpsnbc5BuexFxwWxw3C:/2C6Mnm/QHTGbGmz4
                              MD5:4CE7E38E70A6A4E4DC3C37C5B0CF1BF7
                              SHA1:4D4047564A1C07198FD30D234930F8C6115561B2
                              SHA-256:4327C53BB9A9292B25CC122B5316105A3DA29C0E61ABFC31FE8289D8FA8D9BA6
                              SHA-512:AAF4E3CAC3655F1E250D3A8A0688EB89B7D84E8030FD68E54EF33B367A924D7880F6D05DA6F144C89E791D0CBF0E2280BE13FC68347F90B004A5360A16A2B3F6
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.3".. />.. version 4 (RS1) -->.. <migration.. replacementSettingsVersionRange="4".. settingsVersion="4".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvAcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvDcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentCo
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4183
                              Entropy (8bit):5.089545414756327
                              Encrypted:false
                              SSDEEP:48:/2e8v+NgfiMY4xBxgxu7SobxwzaxYxQVLuBBEb33pgQpDpsnbc5BuexFxwWxw3hM:/2CZMnm/QHTGbGmz4
                              MD5:8D308FA046B3A112854B981C5EACB567
                              SHA1:BDB70727B1B33A455C43431046218A6B898A907F
                              SHA-256:484170834E4003D27341F471DF555A4851F5F9DBFCB2160C54796E36C341F068
                              SHA-512:7CF12C23548D607F1F57FC4D784E391CF51B8D64655F8151F8DC9455BC8360942E84AE83ACAC38C7AC4CB568A29AEA93AAB1775C879FA217D72972DD286F4011
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.3".. />.. version 5 (RS1) -->.. <migration.. replacementSettingsVersionRange="5".. settingsVersion="5".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvAcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvDcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentCo
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4183
                              Entropy (8bit):5.089352799298215
                              Encrypted:false
                              SSDEEP:48:/2e8v+Ngf2MY4xBxgxu7SobxwzaxYxQVLuBBEb33pgQpDpsnbc5BuexFxwWxw3hM:/2C1Mnm/QHTGbGmz4
                              MD5:5556A8964D5443C679FD8D169C2B8304
                              SHA1:D485357020C4CE8E55C00C51C6D4E6800084C280
                              SHA-256:06784475916915B75C120C40CECEA342A9F018BB6CFF0144E030C9433F52CE3F
                              SHA-512:907D15051C0480B91CD4F241063F6297E329CC11DE60D0E949DBB84D8E0BC16AC8FB377B33198E34C35688B7970F9BAB61E6F3DD1BB6ED21831AD3780FFD191C
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.3".. />.. version 6 (RS2) -->.. <migration.. replacementSettingsVersionRange="6".. settingsVersion="6".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvAcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvDcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentCo
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5453
                              Entropy (8bit):5.06868275514491
                              Encrypted:false
                              SSDEEP:48:/2e8v+Ngf1MY4xBxgxu7SobxwzaxYxQVLuQUBBEb33pgpDpsnFbc5BuwBxwY/587:/2CmMnm/+HiGxGZ/jz4
                              MD5:1848DB6B0D5B1A5F3AAEE9069D3BC919
                              SHA1:9396BDF08134D58BE112720175608F9E924DE5CB
                              SHA-256:5CE40ADE03AACB2755A6560EABCA45C671BB0E7D8407218B5E1F660C5D1B418C
                              SHA-512:39D03347525F989610B43B03A36A112284195A946388E15981958031E4EF0BA32638AFADCB17E8E757F3B8CB080EEC90519F6BB61DDA246DC8A2A7D9F92D0CEF
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.3".. />.. version 7 (RS2) -->.. <migration.. replacementSettingsVersionRange="7".. settingsVersion="7".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvAcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvDcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentCo
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5953
                              Entropy (8bit):5.062523194900978
                              Encrypted:false
                              SSDEEP:48:/2e8v+NgfvMY4xBxgxu7SobxwzaxYxQVLuQURBBEb33pgpDpsneOFB2bc5BuwBxO:/2CwMnm/sHiGebGZ/jz4
                              MD5:180DFA3FC35880C540517913472F2977
                              SHA1:413176CEF0C42BCE04B67579317FC4641E61B756
                              SHA-256:D5D36E7BF776988D7C91D134A12D90B8BEFB91D7471E43DE04B686475D0D8D7B
                              SHA-512:4F47D0C30ED2D785C085666F1791456A7B75A48F192017E797463C5C379E9633C8FEE690F5DB5D3820D70AC8B0C2D51D7852A47C76C09B400FCBE5202CE6853A
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.8".. />.. version 8 (RS4) -->.. <migration.. replacementSettingsVersionRange="8".. settingsVersion="8".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvAcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvDcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentCo
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6072
                              Entropy (8bit):5.061618844652029
                              Encrypted:false
                              SSDEEP:48:/2e8v+NgfwMY4xBxgxu7SobxwzaxYxQVLuQURBBEb33pgpDpsneOFB2bc5BuwBxd:/2C/Mnm/sHiGebGZ/c3z4
                              MD5:274D52D8FCB21581BBE83EF081D524AE
                              SHA1:9353AC514C20C1A5ED6C98AA1501CBDF5FF7B2FA
                              SHA-256:0410BA3D8845E3F38122B67F6273C276E412BAAB5298DC0AC6FC8B295E89FB01
                              SHA-512:0662E5392E92C0B2BF551644410D5B927BE2F4F477251E1E3C5AF5DA67554E49E8BFAECBCB47C825B9F0A249292CF140EEB5266BBB6EE4CD24C18509F24B973F
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.9".. />.. version 9 (RS5) -->.. <migration.. replacementSettingsVersionRange="9".. settingsVersion="9".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvAcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\* [ProvDcSettingIndex]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentCo
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1899
                              Entropy (8bit):4.909439704928165
                              Encrypted:false
                              SSDEEP:48:/2e8v+NgfXxMY4xw1xwMxYBBbc5Btcc/w:/2CiMFGtzo
                              MD5:ACB1FB65DAF70CD0DB01AB5C869E4ECF
                              SHA1:408F65364D16B4D7CE89582EB73F80CF6DF4BDED
                              SHA-256:35AF1D269750C237191AEE400240D75923D772DC7C6828A55B95DB0A4FD1621D
                              SHA-512:D0E5DD584D13098740D05CD50349833CC1EB0088042928A88B42964AA636AC2451CDD642E6E8778F71F570B6671956FC96A6ADED0C322E22CE1FB7819CF9D0D7
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.0".. />.. version 0 = Vista -->.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\User\PowerSchemes\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\User\Default\PowerSchemes\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3371
                              Entropy (8bit):5.0579126943503425
                              Encrypted:false
                              SSDEEP:48:/2e8v+NgfrMY4xwzaxYxQVLuBBEb33pgQbc5BuoxFxwWxw3hcc/A:/2CAMgQHRGsz4
                              MD5:247606B5AC34C8987B41E290CBA08711
                              SHA1:71CD9D9D4993F61FB8BA1B9F312BBFDBD8323185
                              SHA-256:F19FABB27A2ED458735FDCB6E5625B57CC83296F19D220C0A55410833387DABD
                              SHA-512:7025799BAC2BEAA827B033E6B48A81B3198CD5DAC1E60DA133C71F381750B2CE3FFE2C44AD2B7A574BF0C29BF31B993790B6A799ACFE802DF333572A803CB95D
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.3".. />.. version 3 = Win10 -->.. <migration.. replacementSettingsVersionRange="3".. settingsVersion="3".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\User\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\SecurityDescriptors\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerRequest
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2616
                              Entropy (8bit):4.895779960104781
                              Encrypted:false
                              SSDEEP:48:/2e8v+NgfD/MY4xwzaxYxQVBBbc5BziUs0XFYgY4LyBtcc/A:/2CuMg+GS0Vb8tz4
                              MD5:B55C9529EA95F889EF86AC8CC8EC3E1F
                              SHA1:11129B1A4509A191B612A83BECFA74F2F4DEFD53
                              SHA-256:7489C52AC4FABE236042C66280DF8CAB30A65712814B6517681051EE186EA6A3
                              SHA-512:BCA997EB34A4B3531DAA2F98730910C70236FBE746CD635D161DC4A7060FEBE39D27F42D4024D6FF277613C8E45ACFDD1697A0E57F412F5A593E4202F3CB8129
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.1".. />.. version 1 = Win7 -->.. <migration.. replacementSettingsVersionRange="1".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\User\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\SecurityDescriptors\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerRequestO
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (312), with CRLF line terminators
                              Category:dropped
                              Size (bytes):27152
                              Entropy (8bit):5.30983121566884
                              Encrypted:false
                              SSDEEP:192:uUUMgUZoV7Vemhm4VqV9mimaVcV3mGmZ4:uUZgcM
                              MD5:EDB063D08A42E3D22E64E3A30018BCFF
                              SHA1:E6D7F055DB751DF754DBD48F8534B4217579F5F6
                              SHA-256:42A4612DDCB4697E3D21D1114EA1B7FEB25D6B43172A67B30BD24D6C658DF5C5
                              SHA-512:B07493E2F0909A6560AD7D9DA087F2F6DF31166914564F11EC32327376D31FA34F9A6484F88FF8C09E3651177ACC0F0B0E98B3B818FC056C86EA6D6679CF66BF
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Power-Policy-Definitions".. processorArchitecture="*".. version="0.0.0.2".. />.. version 2 = Win8 -->.. <migration.. replacementSettingsVersionRange="2".. settingsVersion="2".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\User\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\SecurityDescriptors\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerReque
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):652
                              Entropy (8bit):4.9490590207117116
                              Encrypted:false
                              SSDEEP:12:TM3ii1o2Mf8ior5s8Pv48yxMgF+9jSEgV6cj3qo0QzAm0dpzAjfG:q/o2e8ZFPvJ8+N1g0cj3+3vIju
                              MD5:3F9B39FA0D704C2036C32212A6B56674
                              SHA1:AD173153ECA1F9FD43242E447369EAD68CA4EA21
                              SHA-256:4F850E902DE19EAA7E693D92BBFCFB4EDF6EEFAFF1BC66153D8C6419DF8EF875
                              SHA-512:63D57F17E3F962AE1C2407926301C906064E27208F7E85F98C84A2E98136E82964E52E777643AE7D2E8C1BCEC4923A7CB84C364C3BBE0BBF67D88CB50A80AE59
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildFilter="".. buildType="release".. language="neutral".. name="Microsoft-Windows-Power-Policy-Migration".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*" .. settingsVersion="0".. />..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1001
                              Entropy (8bit):4.910858066731256
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+VLsg0cjTi3vDMEFB1wkA7BX0FCUK:22e8v+VAgfTUMYP9gB2A
                              MD5:CA652AE39C6BA12FAFE2F51935ECD5C5
                              SHA1:DE7C30B9E7A92E1FCE0006C82BACD27DD0F6045B
                              SHA-256:D959F305F435B0ABECB0550F0ECFDB9A3D44AB6213E18564644DE4161AE2BCE4
                              SHA-512:D8222747F208AE86855AF7E62756E48966B0461606143942F08670D925FA64391DC1D4F6ACAB53FD4BA15E008781879ECB2CD5E5ECDE5441152A8250D193CA5C
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Shell-PPIPolicies-Encryption".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-5".. settingsVersion="6".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. Misc settings like BitLocker -->.. <pattern type="Registry">HKLM\System\CurrentControlSet\Policies\Microsoft\FVE [RDVDenyWriteAccess]</pattern> .. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2161
                              Entropy (8bit):4.998878712925827
                              Encrypted:false
                              SSDEEP:48:22e8v+VNgfTUMYF/Ofkdf+rfw9fkqfxyf7VdoB2A:22CHMk8kl0wFkYy7sb
                              MD5:9C4F7F7A5DCA271233C262CA01B0C66C
                              SHA1:C202041345E4ADAC3C4390C5D0DAA3574A26E96E
                              SHA-256:F8AD0A7159A53EAFE82942E1E3C790A0C2C7F827E333635DAD41AB6B67C1364B
                              SHA-512:BDCB3DAF0E3C3894702CAFB163AD5D542B1E705F7059D1EE37EF08C18D4E20DDE5E830AFD3621AA0A593C784A2759E5A7E4A9C71A68A5E01E77CA9DCC2C697AC
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Shell-PPIPolicies-General".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-5".. settingsVersion="6".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. Misc settings like password rotation -->.. <pattern type="Registry">HKLM\Software\Microsoft\PPI\Settings [*]</pattern>.. Save all the welcome screen settings -->.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PPI\WelcomeSetting
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1352
                              Entropy (8bit):4.966635969573309
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+V7g0cjTi3vDMEFDwwbwOxR+Qwu+wwV2BX0FCUK:22e8v+V7gfTUMYDfbLR+QQf4B2A
                              MD5:FA0A9AD94DC695501347D8EDA58FD90B
                              SHA1:32AE538016C56EA694AB68220665656760F70609
                              SHA-256:E10874770C04A58979E7CE7F82B7FD3D153D026B72D952A5720544B27FB2E4D7
                              SHA-512:17D2FF92F31F4B085F707ACAB59A1A226E097BFDEB877F0F7C02E2EABC05DD968E8F0440294FD81607573C591073D404A4E09E21007375087C3B71CF83323483
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Shell-PPIPolicies-Miracast".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-5".. settingsVersion="6".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. Save projection settings -->.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\MiracastReceiver [*]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\mrvlpcie8897 [OperatingChannel]</pattern>.. Miracast settings -->..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):985
                              Entropy (8bit):4.9113597535975755
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+ViDg0cjTi3vDMEFIwwVRBX0FCUK:22e8v+VegfTUMYIfnB2A
                              MD5:7159222FA7CA2AE8F530369D1E122473
                              SHA1:F6E81D6DEF6040695677F099627733ECE70F3ED6
                              SHA-256:CCCAEE9D7BB67AAE1C438534BA233003828499B58128309CEFC8BC9305E14597
                              SHA-512:2AD2CDCBD24033CA4DCB0D8A5388440D020C90170CE024349C902F052FCB89DA228D11578EF358E8E2286079F99F871D4EA96E7FCA9DD797BCF2881D5841AF2A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Shell-PPIPolicies-Power".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-5".. settingsVersion="6".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. Save the sleep settings -->.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Team\PowerSettings [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3557
                              Entropy (8bit):5.023717067997311
                              Encrypted:false
                              SSDEEP:48:22e8v+kgfQ0AMY4fiBXB4fiTY46e6B6bhB2eXayIFsIlj3PcVIg6uJ/ZGg6uMpgF:22CY0AMBeUYYtAngN3a8y/ZOJY
                              MD5:3462B225D187DC82E592411ACE574D58
                              SHA1:206B2E848FF86F1CEDDE805D8992AFEF58169642
                              SHA-256:F60E8082DBC41108F1124F42FA4A1E33CA4953CEF219175DB45B84E0CADB73E9
                              SHA-512:1D5BE349845FB2380C9A726AB2911EDCB6AAD412CA109C2A827C1A26A90039848B4D2F5B1E6D8004A88F394AAF844800349AE8217CFF8AD53DA347E6049334F9
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Printing-LocalPrinting".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-2".. scope="Upgrade,MigWiz,USMT".. settingsVersion="3".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports [*]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.DestinationPriority()">.. <objectSet>.. <pattern type="Registry
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):104248
                              Entropy (8bit):6.025632656790019
                              Encrypted:false
                              SSDEEP:1536:3qYC1ApWWuDmdI3LqkSIdVJ7kr0hMPhEuwiqKjkX5cF3wX6+Ly9etZRhlJPh3:3q1bWu3YIVir0hMPV+wkwM9xZRnJJ3
                              MD5:CEB39BC450126C1BA329F1F8552BEFA3
                              SHA1:E0C96ED39750E326F7539F8438D5E371A5868FA1
                              SHA-256:50403F6B92D146B1040282E6FB3032AB0F74A48C1C112662AC6BBDB062AC65C2
                              SHA-512:BBA38CBCF659666AC18EAC462550989C3E952732967171599B16097D601EBDEB4E8D7A72DC136D79A7AA6480320FB11DB72EB075131CEC4AC76D54572842900E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):101688
                              Entropy (8bit):6.142273843104645
                              Encrypted:false
                              SSDEEP:1536:PoPeAGBcpkcjBFkY0c4L1Zpg++0/oFot0tZjDEHVyKg1nb16lKPPP:PjziXfyJgl0/oF+oZs1yb9b1OKHP
                              MD5:84D3D555351E58A157D3523A11FD040B
                              SHA1:3E12F9E9C93F7AB6C8240D8013D957F3BF25E66B
                              SHA-256:09B726D65674B581CF5AF522257008DAEAC12EC886DC7235540DC710263A9EFA
                              SHA-512:55E8259936CFDA9178EF4AF08E14715B376A5604917B777647CD8A50003C809296AD5C5ECE3EE6D7E3D26D180F83CA84AE851AC241A2EE386E21A25D8DF0EF5F
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1400
                              Entropy (8bit):4.870800560142276
                              Encrypted:false
                              SSDEEP:24:p/Vd6g0cj3gi3Nj8Wp2q3jiWEMhQ9a4KHNPRvYfUYp2MPFhUK:sgfQg8Wp2q3ne4xRvSv2MNX
                              MD5:677195F52C31B8BD020314375DEC04F5
                              SHA1:74D1FFEC6FA10E8A33467A67FEC5F5248AD0E379
                              SHA-256:AAE0266A78F2F363400197402A6331CD812169B97DCE430F1ACEFCBFE115E1BE
                              SHA-512:856962D8074A6F803FAF072AC96EE82BC115A328F56665969DC63CB72B3D8CBD8869870B85BF4391C112E1964EBD4978A486AC719AAFA597AABB88301339EDB7
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="*".. name="Printing-Server-Foundation-Features".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. <registerSDF name="Printing-Server-Foundation-Features"/>.. <migXml>.. <detects>.. Multiple <detect> are AND, multiple <condition> are OR: -->.. <detect>.. Install the Printing-Server-Foundation-Features component if either the Print Server or.. the Scan Server roles are installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\Software\Microsoft\ServerRoles [PrintServer]")</condition>.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\System\CurrentControlSet\Servic
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):930
                              Entropy (8bit):4.9275935267755235
                              Encrypted:false
                              SSDEEP:12:MM3ii175cF+9t0gV6cj3AhQzAszAjUaSHqcYfA0kkCd+A0Mtd+A0Yd+FRhyuhURE:p/Vg+gg0cj363zjUVtkQbPBMHFhUK
                              MD5:3E10A6F0B6E76B4D91479BFD165B9F52
                              SHA1:FF2AB20825C70441C7C06A8629D1C7C4764EA328
                              SHA-256:272C1C23668DDE94B988CCA6942191DCADD75A970A6C2452A365F035022136E7
                              SHA-512:C1618734A38EECC69043FC62F4A17373B4FC32957C5EEDF7B1F3E1C5A000F3369C5DD8D656993DC2B7F49B5DE14F660F0AE8609652CDEE36341877C657D50618
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-Printing-ServerCore-WOW64-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="Printing-ServerCore-Role-WOW64"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "6.0.*")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [scregedit.wsf]" )</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\syswow64 [usbmon.dll]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):933
                              Entropy (8bit):4.877622241431433
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+Kg0cj3+3vVjxmEF4w+BX0FCUK:22e8v+KgfyxmY4DB2A
                              MD5:700007CC70E85EE5B23A4DE2349A57CF
                              SHA1:6ED476655372285F9AC82B4CDCAA64ED2A95149C
                              SHA-256:08721CBAC00279D32657CCE5C0130CA0E70B2A95F6BD0CF01829F1B541FC31C1
                              SHA-512:018910D3C070BB9D5D98A25D81FE5EE7AF92B7643DB40A8E75CDA78E3C6FD32BE9DEBAEB996DDA4C3C3340525E33CA0359B07699269C133C592C93E8BE933CAC
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Printing-Spooler-Core".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.1-6.3".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Printers\Defaults\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1862
                              Entropy (8bit):4.825336628637638
                              Encrypted:false
                              SSDEEP:48:5+Zkjgfx0VMY4htDmCbn/DmEbFe7DBu44e7IyA:AZOMRZO7137G
                              MD5:995269773DAEF02FA4C0183117B056EC
                              SHA1:53B870D3CC9CBC5AD7FFC7D01643289A81D03EF9
                              SHA-256:0AB3058384A4A7A02D469C4785E09376D5C3BBA273C936AAFF29A1383B263A30
                              SHA-512:21AB35E0D6910839B2DCB913F9CDDB12EA1B842CEA424C81C5D72C4EB5528A821B0BC159670EE381F161D5C126BEEB6D6BE0B08B78A926CA9163AF96138018EE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-ProcessModel-Cpt".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\APPHOSTSVC [Start]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\APPHOSTSVC [DelayedAutostart]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\APPHOSTSVC [FailureActions]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\WAS [Start]</pattern>.. <pattern type="Registry">HKLM\System
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1046
                              Entropy (8bit):5.028553347860464
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+TDg0cj0Dovv3yb6ENgwuuorwuuoCJXMFhUf:/2e8v+vgf00ib6IgfGJu2
                              MD5:74C08482FE3F4450E95F855487B65276
                              SHA1:A443101A0E7C3A49D6C0746A1A3BD2FC929B6AD3
                              SHA-256:B7D702FDC13103DA2321FA20E4E5177061DF76958B10FBC2A27C5B83F9DC41A8
                              SHA-512:4EB79949059A83BD0B90E5B6126ADE7741B31CAD16AF0EF7B8D0E7773EACBD1A561246D1D6CB9469FC92A6993D77ED4B4645EE824B55E23DFAAB1CFC09484849
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Profsvc".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. settingsVersion="1".. replacementSettingsVersionRange="0"... alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Profsvc\Parameters [UseProfilePathExtensionVersion]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Profsvc\Parameters [UseProfilePathMinorExtensionVersion]</pattern>.. </objectSet>.. </include>.. </rule
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2282
                              Entropy (8bit):4.9838622500267356
                              Encrypted:false
                              SSDEEP:48:22e8z2j+4gSQ3eIg/Mq/AJmg/cH/Egl4YIgDMqDAJmgDcHDEgliX:22X2qTexM4MjcEg+Y1MUMnIEgG
                              MD5:E1FED4FD09982F0B9453A6E545E0C36E
                              SHA1:8B1B6C140BD9542D565DFBAE208A28127F3E7617
                              SHA-256:9A81B097D22DFF26BC1A926F6E754476D8EF7BC1C19536D8D5C18EE0D35B96B0
                              SHA-512:23BE9B00CBBDC4D8CC5E90C711838A3EEB76D1EBFFFD860E8BDAD6E2AD95D376E754565BB844879A48613D25DEE9F7A32D083CDE3B9171F2BDCD6A1748A0E183
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-propsys".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. scope="Upgrade".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="system">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap [*]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\PropertySystem\* [*]</pattern>.. </objectSet
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1380
                              Entropy (8bit):4.98581997444293
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+lvg0cjuFlZ0L3vU56jokENgw8epew8eUlJXLENgwwVhiJXMFhUK:22e8v+lvgfed5GokIgipeiUlJ7Igf/ii
                              MD5:9DE6B93B1F04D464A655E3EBD68C3F35
                              SHA1:6831338D3DA7AF71F48AE43AC09759A0A2A4810B
                              SHA-256:CD90E0EE151ED819DFD965EA36F71C826046431A2CE1DAB85C80B7174C484577
                              SHA-512:97D5B0D8ED1B2B65E655A6B6D1F5B54D47F94552BFE699274365D4F0FCFDCB3CA373E31271872204D88B567A07DA301D33586EF740A2C01A48B6EC7530B3F701
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-QuickActions-Definitions".. processorArchitecture="*".. version="0.0.0.0".. />.. This manifest replaces QuickActions-Windows.man during migration for old builds that shipped without a migration section -->.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="10.0.10240-10.0.14369".. scope="Upgrade".. settingsVersion="0".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Control Panel\Quick Actions [*]</pattern>.. <pattern type="Registry">HKCU\Control Panel\Q
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3203
                              Entropy (8bit):5.12542763655385
                              Encrypted:false
                              SSDEEP:48:22e8z8+Igf0h5IgPduct6fTJ1lducMlducKJY1ePduc7MpdGG6fTFIgfuctTJ1Fg:22XPQHOb1wUDe1PwBw46GD5V61
                              MD5:0ECC71E92483FE225B7C75660FA8F2F0
                              SHA1:69DCA4E435D45FDCD393D4B50EA0CB17D8E69EF3
                              SHA-256:2152E257FD6AE1B2C9901420136A0C5FE74BF3EDDBCD200F8D4FC3ACE970825B
                              SHA-512:3503023AD60C103845AC9CFC501F6EA69A59BD73C821CB004D0A5D1B82099CEE2AC1C5216467A358A29AAF58556391C69EA9D78CD7A529B973AD3D02B2E7E579
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-RasApi".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT,SvrMig".. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Network\Connections\Pbk\* [*]</pattern>.. <pattern type="Registry">HKCU\Software\Microsoft\RAS Phonebook\* [*]</pattern>.. </objectSet>.. </include>.. <locationModify script="MigXmlHelper.RelativeMove(&apos;%CSIDL_APPDATA%\Microsoft\N
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6131
                              Entropy (8bit):4.88512524298338
                              Encrypted:false
                              SSDEEP:48:22e8l2j+8gfh0VLeIgmVInLJ0dOpG1onr4LQ9cVIgGgxFHHHaA09DJ0gGgxFHHHN:2252qB+Sp2LQ0xnqXtnq5Pvh2Sm
                              MD5:6D03A38F71F42BB9791C2323C52E32AE
                              SHA1:2682EF220E334DB681D205978FDA9153219F4459
                              SHA-256:B4CC28495EB4BF96370BC9BB39DBCC505BF4C585F65CA8141C83D2E1C15D5504
                              SHA-512:98D418DC16EB0E190C001D87DEC203DB5538DCE04B6808BD58F5626E60E3FDB721A9CDAE0FE74790139AA276BEC3D7BF2AF35EF5446C30D0F0A73A611EEBF079
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. owners="aknanda".. supportInformation="".. testers="arpang".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-RasBase-RasSstp".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. scope="Upgrade,SvrMig,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters [UseHttps]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Ss
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5955
                              Entropy (8bit):4.890008768669657
                              Encrypted:false
                              SSDEEP:48:/2e8A+PgfU0VLeIg6lippqSphAmYAiNp19S1cm/EVl/E3JuePvh27+/g0lowqlSu:/2HT+SbE3E5ZPvh2S1bEXEJu
                              MD5:20B92EF6BF6846E45053563F0E2A7E30
                              SHA1:2BAD67A5587E70B5DA7E0C465C7C082BF16AC93E
                              SHA-256:77F10EE97761D822ADF09C7CB480863FD7A3B1F4F553859713C3E7CBCB91B3D6
                              SHA-512:65C71E575CA7E79ACD033DD31ACF434EE94E943EF8165BEA443B127E908BCA77BE31CEA99B790014D4508224A2A68F03F7E28518F951EF0B1F28BAA4D70BB1F6
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. owners="aknanda".. supportInformation="".. testers="arpang".. >.. <assemblyIdentity.. name="Microsoft-Windows-RasBase".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. versionScope="nonSxS".. />.... <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. scope="Upgrade,SvrMig,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip [AllowClientIpAddresses]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Service
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2523
                              Entropy (8bit):4.870855007952935
                              Encrypted:false
                              SSDEEP:48:/2e8A+YgfNAeIg9g23fh2xJuePvh27+Qg0low9g2X/h2RZ+G2b/:/2HRXXg2Z2rZPvh2SC3g2Z27u
                              MD5:92F05BA8B11F9E7F78243B48AFBB26C1
                              SHA1:E3A0F6E7AF9C1E66D189F02CD3C7E0CC5313571F
                              SHA-256:408253479678D4A01C3E2DB056E728763E0C6BD63665844BAC5C729A5E1C8986
                              SHA-512:4C4F3D1090D0AC861FCDE2F9DFA9740DA63D2E167A92A0D892D026318520FF4B7AF8607D03032E0B1711F93CC6AEE877ACD3818DB2DCF3E71FFFA006AD7598F5
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. owners="aknanda".. supportInformation="".. testers="arpang".. >.. <assemblyIdentity.. name="Microsoft-Windows-RasMprDdm".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. scope="Upgrade,SvrMig".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\RemoteAccess\Authentication\Providers [ActiveProvider]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\RemoteA
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2276
                              Entropy (8bit):4.892014380319466
                              Encrypted:false
                              SSDEEP:48:22e8l2j+tgfIU0VLeIgJgoGJveLQ9cVIwFJuePvh27+tg0p:2252qfU+SY2LQ0hZPvh2Sz
                              MD5:DD5080CECAB043493EAC1C0FC0A35E5F
                              SHA1:394EE35D601C35AA5B9A73994C6B7BB14AD2CAD4
                              SHA-256:DDAE7CCBA5929BE478300D6B3DF036562A04200CD5BE04FB2B8189D2180E6D76
                              SHA-512:511E52838FE29CF6E6C42277C7C356E0DC24F74CE38EEF218BE91C21EAE6523387986DF0D955E0DB97EE7217E599EA3C3BAB9DAE612E309902EB7AAE274F93F6
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. owners="aknanda".. supportInformation="".. testers="arpang".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-RasmanService".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. scope="Upgrade,SvrMig,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters [AllowPPTPWeakCrypto]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Servi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2701
                              Entropy (8bit):4.969018535772179
                              Encrypted:false
                              SSDEEP:48:22e8z2j+tgf9HU0VlIgJgoYL6e6lFGJveLQ9cVIgFJuePvh27+tg0C:22X2q4HU+lxJK2LQ0hZPvh2Sk
                              MD5:288D395898DF94F538548E749BD25DE6
                              SHA1:42308ED1497F45EB97B8BBB060CCDBF92750FC5E
                              SHA-256:100FCF6E45BB78DFB69516B9DCB6DD94F637E94E36DEF37614C39BB0942FBEA3
                              SHA-512:5FA96387A9E96560348DC496BF0C2733389068C530AAF58CFD2D58CCFF6588A66E536792480268F79F4A71E58C0B7736F39A2AB25503D5DD6734E7619F47B3D4
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-RasmanService".. processorArchitecture="*".. version="0.0.0.1".. />.. <migration.. replacementSettingsVersionRange="1".. replacementVersionRange="6.1.*".. scope="Upgrade,SvrMig,MigWiz,USMT".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters [AllowPPTPWeakCrypto]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters [AllowL2TPWeakCrypto]</pattern>.. <pat
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2805
                              Entropy (8bit):4.958822125312111
                              Encrypted:false
                              SSDEEP:48:22e8z2j+tgf8JX6U0V/Ig26epgI4L6lFGJveLQ9cVIgFJuePvh27+tg0C:22X2qRJqU+/zAK2LQ0hZPvh2Sk
                              MD5:AD22A4F904C9287D18703824FBCA79CF
                              SHA1:22AE6619FD264EDA3E804C46A584803F398C4EC7
                              SHA-256:C896CF9491172210FCE0363E1F96ABD09ED4A5C4D6FC629EF7786E53F12BF5AD
                              SHA-512:59C95A13332234F3FE89217539E5BD43BD8FB3385FFFDB0E3ED7323B5EE05F535999E56E3970F4732659BC9F43D59171EDE7F66EE6A171014FEE6D02F75118E7
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-RasmanService".. processorArchitecture="*".. version="0.0.0.2".. />.. <migration.. replacementSettingsVersionRange="2".. replacementVersionRange="10.*".. scope="Upgrade,SvrMig,MigWiz,USMT".. settingsVersion="3".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Config [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters [NegotiateDH2048_AES256]</pattern>.. <pattern type="Registry"
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2975
                              Entropy (8bit):4.937815189283552
                              Encrypted:false
                              SSDEEP:48:/2e8A+Ygfw1IgWwx1Zp0mJzodVpEVpCVVniePvh27+Qg0C:/2HE1Pa2OFPvh2Sn
                              MD5:CAB512CEE96650A72FE145C4FEC325F9
                              SHA1:C8FCC431813EA589F838C23A091B0040981D4853
                              SHA-256:E53AA646A3D628E9E10F5577793277E822D3CC2BEEDE5D6F2CAE154101784680
                              SHA-512:514582FC6BD4FF3C63297E86ED8A7EEF80D9C88D55092CADFEFAE31B4BF1E274566710D5EBFABA05859F17B9E5C7F1B5A8EF71914CBD12EBA73CACD8153A2912
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. owners="aknanda".. supportInformation="".. testers="arpang".. >.. <assemblyIdentity.. name="Microsoft-Windows-Rasppp".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT,SvrMig".. replacementVersionRange="6.0-6.1".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\RasMan\PPP [MaxConfigure]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\RasMan\PPP [MaxFailure]</pa
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1814
                              Entropy (8bit):4.76557999381968
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. owners="aknanda".. supportInformation="".. testers="arpang".. >.. <assemblyIdentity.. name="Microsoft-Windows-RasRqs".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. versionScope="nonSxS".. />.... <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. scope="Upgrade,MigWiz,USMT,SvrMig".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Rqs [AllowedSet]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. <supportedComponents>.. <s
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):27273
                              Entropy (8bit):5.032383417210288
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. owners="aknanda".. supportInformation="".. testers="arpang".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-RasServer".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,SvrMig".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. settingsVersion="0".. alwaysProcess="yes".. >.. <registerSDF name="RemoteAccessServer"/>.. <registerSDF name="DamgmtTools"/>.. <registerSDF name="RemoteAccessPowershell"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition negation="Yes">MigXmlHelper.DoesStringContentEqual("Registry","HKLM\System\Cu
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):642
                              Entropy (8bit):4.883459448168007
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-RasServerAdminTools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="RasServerAdminTools"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [rrasmgmt.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1156
                              Entropy (8bit):4.952225463497452
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-ReFS".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2".. scope="Upgrade,MigWiz,USMT,SvrMig".. alwaysProcess="yes".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. Migrate RefsDisableLastAccessUpdate from Windows 8 -->.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\FileSystem [RefsDisableLastAcces
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):454
                              Entropy (8bit):5.047789811411423
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-ReFS-v1".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1041
                              Entropy (8bit):5.018109099539605
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="utf-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" manifestVersion="1.0">.. <assemblyIdentity name="Microsoft-Windows-RetailDemo-Service.Deployment" version="0.0.0.0" processorArchitecture="*" language="neutral" />.. <migration scope="Upgrade" settingsVersion="1" replacementSettingsVersionRange="0">.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\RetailDemo [Start]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\RetailDemo\* [*]</pattern>.. <pattern type="File">%ProgramData%\Microsoft\Windows\RetailDemo\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machin
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4460
                              Entropy (8bit):5.154251332758099
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Rights-Management-Client-v1-API".. language="neutral".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "6.0.*")</condition>.. </detect>.. </detects>.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\MSDRM\* [*]</pattern>.. <pattern type="Registry">HKCU\Software\Poli
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1032
                              Entropy (8bit):4.919568068153622
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Rights-Management-Services-Admin-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="RightsManagementServices-AdminTools"/>.. <migXml>.. <detects>.. <detect>.. Install RightsManagementServicesRole component if it is installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\DRMS")</condition>.. </detect>.. <detect>.. Detection of OS version to be Windows Server 2008 R2 or lower. IsOSEarlierThan returns TRUE if the OS version matches. -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. </migXml
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1041
                              Entropy (8bit):4.910751958658275
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Rights-Management-Services-Management-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="RightsManagementServicesManagementTools"/>.. <migXml>.. <detects>.. <detect>.. Install RightsManagementServicesRole component if it is installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\DRMS")</condition>.. </detect>.. <detect>.. Detection of OS version to be Windows Server 2008 R2 or lower. IsOSEarlierThan returns TRUE if the OS version matches. -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1019
                              Entropy (8bit):4.907964654277945
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Rights-Management-Services-Role-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="RightsManagementServices-Role"/>.. <migXml>.. <detects>.. <detect>.. Install RightsManagementServicesRole component if it is installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\DRMS")</condition>.. </detect>.. <detect>.. Detection of OS version to be Windows Server 2008 R2 or lower. IsOSEarlierThan returns TRUE if the OS version matches. -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. </migXml>.. </migrat
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2317
                              Entropy (8bit):5.100197272034101
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TaskScheduler-Service".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\System32\Tasks\* [*]</pattern>.. <pattern type="File">%windir%\System32\Logfiles\SCM\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule [HashingCompleted]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2849
                              Entropy (8bit):5.156371477164945
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Security-SPP".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,Data".. replacementSettingsVersionRange="1-5".. settingsVersion="6".. >.. <migXml xmlns="">.. <plugin.. classId="{e5201f5e-6e1a-4c72-93bd-58231937f370}".. file="sppmig\sppmig.dll".. />.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform [DisableDnsPublishing]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentV
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):957
                              Entropy (8bit):5.055666554233205
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0">.... <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SecurityCenter-Core".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS"/>.. .. <migration.. replacementVersionRange="6.2.*" .. replacementSettingsVersionRange="1".. settingsVersion="1".. alwaysProcess="yes">.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\Security Center\Client\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>....</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):763
                              Entropy (8bit):4.907363246381999
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-ServerCore-WOW64-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="ServerCore-WOW64"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "6.0.*")</condition>.. </detect>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [scregedit.wsf]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1194
                              Entropy (8bit):4.92595050562711
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SettingSync".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\* [*]</pattern>.. </objectSet>.. </include>.. <addObjects>.. <object>.. <location type="Registry">HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync [UpgradedProfile]</lo
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1282
                              Entropy (8bit):4.893337092760453
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SharedPC-SharedPCCSP".. processorArchitecture="*".. version="0.0.0.0".. />.... This file is meant to migrate SharedPC reg keys when upgrading from a build that did not have migration rules for them. .. These older builds will have manifests tagged with settingsVersion="0", so we use that value as our replacementSettingsVersionRange... Any build that does support migration will be tagged with settingsVersion="1", and will therefore use SharedPCCSP.man" -->.. <migration.. scope="Upgrade".. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.. <migXml xmlns="">..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):625
                              Entropy (8bit):4.883911590798076
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="ShareMGMT-RsatClient-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="CoreFileServer-RSAT"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir% [StorageMgmt.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2843
                              Entropy (8bit):5.059783758980813
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-shmig".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. The replacement manifest will allow this _new_ gather plugin to run in the Old OS -->.. The settingsVersion below should be the same as in shmig.man -->.. replacementSettingsVersionRange should be 0 to settingsVersion minus 1 -->.. <migration.. replacementSettingsVersionRange="0-5".. scope="Upgrade,MigWiz,USMT".. settingsVersion="6".. >.. <machineSpecific>.. <migXml xmlns="">.. <plugin.. classId="{526D451C-721A-4b97-AD34-DCE5D8CD22C5}".. file="Microsof
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1036
                              Entropy (8bit):4.96734073346404
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-SignalManager".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. scope="Upgrade".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows\CurrentVersion\SignalManager\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpec
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2906
                              Entropy (8bit):4.673123942055064
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Signature".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="Yes".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules>.. <detects>.. <detect>.. the OS version is prior to 10.0 -->.. <condition negation="Yes">MigXmlHelper.IsOSLaterThan("NT","10.0")</condition>.. </detect>.. </detects>.. Signature Key -->.. <rules context="System">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesStringContentEqual("Registry", "HKLM\Software\Mic
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2394
                              Entropy (8bit):5.049905930195884
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SmartCardSubsystem".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration settingsVersion="1" replacementSettingsVersionRange="0">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon [scremoveoption]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\CertPropSvc [Start]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\SCPolicySvc [Start]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Cryptog
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):634
                              Entropy (8bit):4.945529950137532
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-SNMP-Gui-Tools-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="Server-RSAT-SNMP"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir%\system32 [snmpsnap.dll]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2423
                              Entropy (8bit):4.879777173013796
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Shell-Sounds".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "6.0.*")</condition>.. </detect>.. </detects>.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\AppEvents\E
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):864
                              Entropy (8bit):4.8449782824891905
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity .. name="Microsoft-Windows-Spectrum".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="Yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%ProgramData%\Microsoft\Spectrum\*[*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):45368
                              Entropy (8bit):6.233172724142792
                              Encrypted:false
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2610
                              Entropy (8bit):4.846346563550296
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-FSRM-CbafiltDriver".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. scope="Upgrade,SvrMig".. settingsVersion="0".. >.. <supportedComponents>.. Self-declare this component for migrating from Vista -->.. <supportedComponent>.. <supportedComponentIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-FSRM
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2621
                              Entropy (8bit):4.838924437548881
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-FSRM-DataScreenDriver".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. scope="Upgrade,SvrMig".. settingsVersion="0".. >.. <supportedComponents>.. Self-declare this component for migrating from Vista -->.. <supportedComponent>.. <supportedComponentIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-F
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):694
                              Entropy (8bit):4.966142334787731
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-FSRM-Infrastructure-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.1.*".. alwaysProcess="yes">.. <registerSDF name="FSRM-Infrastructure"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist("Registry","HKLM\SYSTEM\CurrentControlSet\Services\SrmSvc")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):621
                              Entropy (8bit):4.859353450274121
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-FSRM-Management-RM".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.... <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="FSRM-Management"/>.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesObjectExist( "File", "%windir% [fsrm.msc]" )</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2590
                              Entropy (8bit):4.846781987882921
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-FSRM-QuotaDriver".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. scope="Upgrade,SvrMig".. settingsVersion="0".. >.. <supportedComponents>.. Self-declare this component for migrating from Vista -->.. <supportedComponent>.. <supportedComponentIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-FSRM-Q
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4084
                              Entropy (8bit):4.91318651545947
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-FSRM-Service".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. scope="Upgrade,SvrMig".. settingsVersion="0".. >.. <supportedComponents>.. Self-declare this component for migrating from Vista -->.. <supportedComponent>.. <supportedComponentIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-FSRM-Servi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2827
                              Entropy (8bit):4.842290151657627
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-FSRM-StorageReportService".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. scope="Upgrade,SvrMig".. settingsVersion="0".. >.. <supportedComponents>.. Self-declare this component for migrating from Vista -->.. <supportedComponent>.. <supportedComponentIdentity.. xmlns="urn:schemas-microsoft-com:asm.v3".. buildFilter="".. buildType="$(build.buildType)"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2410
                              Entropy (8bit):4.834907434656924
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-FSRM-UI".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. scope="Upgrade,SvrMig".. settingsVersion="0".. >.. <supportedComponents>.. Self-declare this component for migrating from Vista -->.. <supportedComponent>.. <supportedComponentIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="*".. name="Microsoft-Windows-FSRM-UI"..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1307
                              Entropy (8bit):4.889159545584884
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-SruMon".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\system32\sru [SRUDB.dat]</pattern>.. </objectSet>.. </include>.. Specify merge resolution handler. Source priority forces migrate from sou
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2702
                              Entropy (8bit):4.968845875337023
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-StartTileData".. processorArchitecture="*".. version="0.0.0.0".. />.. This file is meant to create our migration keys when migrating from a build that did not.. have Curated Tile Collections in it, which is covered by the replacementSettingsVersionRange="0"... Any build after that will use the migration settings in StartTileData.man .. since that specifies a settingVersion="1" .. We only need to do the capture portion of migration here. Moving those values under our CTC registry.. key is accomplished by the main manifest-->.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2692
                              Entropy (8bit):4.899368373371814
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-sysdm".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. scope="Upgrade,MigWiz,USMT".. settingsVersion="1".. >.. The <machineSpecific> node causes settings to be applied before the final reboot during an upgrade -->.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl [Win32PrioritySeparation]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentCon
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1823
                              Entropy (8bit):4.969014759222008
                              Encrypted:false
                              SSDEEP:48:22e8v+VgRcgfT40Tamd1IgfZfamQfaCJuG+VgRUgW:22Cd0Tt1RB2dUN
                              MD5:29E63739F332DAD036E8ADA591EB240D
                              SHA1:AD09689CBE453E669965F2E2BECF6CE07AA42168
                              SHA-256:78F7E03315674E138402BB2EF0998955D393EACA73E413A4B5064BB980547665
                              SHA-512:9739AA5DD868CE27B31EB90319DE2C790990C53D81B65DD4BEE379AFAE778C8E439D1178485E00682E2376376B0CD27A9CFD3724707EFDAB657DE2CA7A18AB76
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SystemMaintenanceService".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="1".. replacementVersionRange="6.0-6.1.6940".. scope="Upgrade,MigWiz,USMT".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <addObjects>.. <object>.. <location type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch [MigratedData]</location>.. <attributes>Dword</attributes>.. <bytes>00000001</bytes>.. </object>.. </addObjects>.. <include>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1027
                              Entropy (8bit):4.921408321933682
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZF2YS+V1g0cj06v3VdMEF4wQVOEyzSLBX0FCUK:/2e8z2j+V1gf0mdMY4/YH2LB2A
                              MD5:59D58233E9871BB171A88A6BB51E1AB2
                              SHA1:78CDA326D3B2D985C8CBF99898AE8C27C96B3429
                              SHA-256:0E711843EC600163FB379A4CEA94C3870E3011D795AF420966317DC7804479EC
                              SHA-512:EAC0D8C0DC6946937F9572249A9282841BDA7882D1324A6700411B205101F1B65F2274651F5FC235B3E3B94EB6AD96E0A688ADD8D02B5CC4BFEFC2221A628335
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-SystemSettingsThreshold".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. settingsVersion="1".. replacementSettingsVersionRange="0" .. alwaysProcess="yes" .. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Settings\Network\DataMarketplace\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):15619
                              Entropy (8bit):4.878924638455219
                              Encrypted:false
                              SSDEEP:96:22950bYI5IQ0HICiAIl58PIaK8IZtvI6q+IP/CIbrBII8YItxfzfr8IZttIMQ4IX:EU1E5K
                              MD5:5DB177BFE6E99C6DBA4557D890704DF6
                              SHA1:7303B3E8FDA0FBE8B69761537B4DFBFFC2CB193F
                              SHA-256:60FEE5D22D6A76A791DC2479DE9FA155E2AA0DA35041E153F715E38975F18DC9
                              SHA-512:9C43A32A112BF560F9F3F9BD30E85CE0DB5F272E9C5082DF02F3F4466270A416954AFC0DB52EE15FAC2862835F9A5623446DE5701484E4D948A3C27D3E0BA9F4
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-TabletPC-Platform-Input-Core".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementVersionRange="6.0.*".. replacementSettingsVersionRange="0".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Wisp\Pen\SysEventParameters [TapTime.min]</pattern>.. <pattern type="Registry">HKCU\Software\Microsoft\Wisp\Pen\SysEventParameters [TapTime.max]</pattern>.. <pattern type="Registry">HKCU\Software\Microsoft\Wisp\Pen\SysEventParameters [TapTime]</pattern>.. <pattern type
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):880
                              Entropy (8bit):4.972364786104063
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+0g0cj3gi3Alk9ENgC1HJXMFhUK:22e8v+0gfQ3lgIgChJuX
                              MD5:0F759649701652EDCC2712D7BBDE9DCD
                              SHA1:D0966DE28EC108229F238D26697A04009CA55629
                              SHA-256:E955A581118B7E758869527484BB8CF78183C2A24BCBB6EA505B5C8AD6EB12E3
                              SHA-512:903E0CB169D62AEF81BC6282888D363300CAA966242939D2B8DB3BFFE8DDBCA431EBE61B8F8F455AED510DACDDCABEE64B80B62FEB07D0F2767AEE1EB7BC1069
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Tcblaunch".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0-1".. scope="Upgrade,Data".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%SYSTEMROOT%\System32\config [VSMLKEY]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):24488
                              Entropy (8bit):4.860634767117111
                              Encrypted:false
                              SSDEEP:96:jWH1aAKRIkyqifFjf9saZf0t8MDaI0uqAKRIkyqifFjf9saZf0t8MDaI0u:yVaAKP+FJs6MOTLAKP+FJs6MOTu
                              MD5:7A85D4A133FE4452A0D5C9B4BA9B3EAA
                              SHA1:530E4F547EB5583E673414EE361DC56B9F7A68FC
                              SHA-256:4B9F6FD347FCDE7D14C1A1E1C7073149EDC4BDF7EE1538F1C95FD5CA7E805442
                              SHA-512:ABFB78AB9AA36085FB5DEF25B1B595A48E51CF1F17BDF83AA4ADABFB95E3F1F8961799B483F748090428B1C6703947D61F7B64C32BB41C24265007BF617861CB
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly>.. <assemblyIdentity name="Microsoft-Windows-TCPIP" .. version="0.0.0.0" .. processorArchitecture="*" language="neutral"/>.. <migration settingsVersion="0".. replacementSettingsVersionRange="0">.. <machineSpecific xmlns="urn:schemas-microsoft-com:asm.v3">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters [DisabledComponents]</pattern>.. </objectSet>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\* [IPAddress]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\* [SubnetMask]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\C
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1134
                              Entropy (8bit):4.947403188620739
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+ZAg0cj31Doh3Nv6EkQMKENgwuENrJXEFhUf:/2e8v+ZAgfl0+EMKIg+NJm2
                              MD5:85DF92406ED3B7E5C69DE4B535461F64
                              SHA1:94CEE9ACE3F409596E84E6D4F4DAA0F9ED116508
                              SHA-256:C3BAA2139587065B6F44A94E1D5FEFF33F080941488253BCA876216A2A2F512A
                              SHA-512:C0716C589901ED0DF9D20EE21193D5589492E1948D100869E7530492A4E024E9D275A9B05886CF87401204A9F3101CD82B9832EA5696FCD2304A34BA75A0C1DD
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TerminalServices-AppServer-Licensing".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementSettingsVersionRange="0".. settingsVersion="1".. replacementVersionRange="6.0.*" .. alwaysProcess="yes".. >.. <migXml xmlns="">.. <detects>.. <detect>... <condition>MigXmlHelper.DoesOSMatch("NT", "6.0.*")</condition>.. </detect>.. </detects>.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\TermService\Paramete
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1039
                              Entropy (8bit):4.949167204033184
                              Encrypted:false
                              SSDEEP:24:p/Wg+ZhQg0cj3L3Vj4FPfQ65DWll3Zncp2MPFhUK:Z+ZhQgfJ4FHJ5+li2MNX
                              MD5:CB7E5C6E7738F3ED44CD1DE98F97D28F
                              SHA1:ADAEA742F652D16B286AB98A6EB4FB851809E433
                              SHA-256:62A2E4287A23AEA5AC6A182BC86A93B9A00A3766F070A4CEDD650B5877D075A3
                              SHA-512:0F98F03B9166AEE7A2D882CE4730F152AD028F5B38C35774AAAE79005E025D3C861F0B198A56F985A8C2408FAD70E8AC57C9958670A0A028676B6CBB931E8637
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>....<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-TerminalServices-Gateway-Package".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="RDS-Gateway"/>.. <migXml>.. <detects>.. <detect>.. Install Remote-Desktop-Getway component if it is installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\Terminal Server Gateway")</condition>.. </detect>.. <detect>.. Detection of OS version to be Windows Server 2008 R2 or lower. IsOSEarlierThan returns TRUE if the OS version matches. -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. <
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1039
                              Entropy (8bit):4.949167204033184
                              Encrypted:false
                              SSDEEP:24:p/Wg+ZhQg0cj3L3Vj4FPfQ65DWll3Zncp2MPFhUK:Z+ZhQgfJ4FHJ5+li2MNX
                              MD5:CB7E5C6E7738F3ED44CD1DE98F97D28F
                              SHA1:ADAEA742F652D16B286AB98A6EB4FB851809E433
                              SHA-256:62A2E4287A23AEA5AC6A182BC86A93B9A00A3766F070A4CEDD650B5877D075A3
                              SHA-512:0F98F03B9166AEE7A2D882CE4730F152AD028F5B38C35774AAAE79005E025D3C861F0B198A56F985A8C2408FAD70E8AC57C9958670A0A028676B6CBB931E8637
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>....<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-TerminalServices-Gateway-Package".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="RDS-Gateway"/>.. <migXml>.. <detects>.. <detect>.. Install Remote-Desktop-Getway component if it is installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\Terminal Server Gateway")</condition>.. </detect>.. <detect>.. Detection of OS version to be Windows Server 2008 R2 or lower. IsOSEarlierThan returns TRUE if the OS version matches. -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>.. <
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1052
                              Entropy (8bit):4.971092634232028
                              Encrypted:false
                              SSDEEP:24:p/Wg+ZW3Qg0cj3L3Vj4FEfO65DWll3Zncp2MPFhUK:Z+ZwQgfJ4Fcv5+li2MNX
                              MD5:652BF56515AE22F7083021140826F324
                              SHA1:ADFEFB6AD66B4946BAAD7CEA6BFEAEA71F525F1C
                              SHA-256:5739B13C592E4F4CB6E5BC8A716323E565584D6F6A70D02DC7A72B3EED535F52
                              SHA-512:43C899025D16D0939C732284CE95539810D0E2029DF0F4CFBFE3104579DC0A7B6592CB495BF344C7F8C8D7ECDEABF867115B6711E41C39244F5B313BE51787FE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>....<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-TerminalServices-Gateway-UI-Package".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="RSAT-RDS-Gateway"/>.. <migXml>.. <detects>.. <detect>.. Install RSAT Remote-Desktop-Getway component if it is installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\Terminal Server Gateway")</condition>.. </detect>.. <detect>.. Detection of OS version to be Windows Server 2008 R2 or lower. IsOSEarlierThan returns TRUE if the OS version matches. -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </de
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1052
                              Entropy (8bit):4.971092634232028
                              Encrypted:false
                              SSDEEP:24:p/Wg+ZW3Qg0cj3L3Vj4FEfO65DWll3Zncp2MPFhUK:Z+ZwQgfJ4Fcv5+li2MNX
                              MD5:652BF56515AE22F7083021140826F324
                              SHA1:ADFEFB6AD66B4946BAAD7CEA6BFEAEA71F525F1C
                              SHA-256:5739B13C592E4F4CB6E5BC8A716323E565584D6F6A70D02DC7A72B3EED535F52
                              SHA-512:43C899025D16D0939C732284CE95539810D0E2029DF0F4CFBFE3104579DC0A7B6592CB495BF344C7F8C8D7ECDEABF867115B6711E41C39244F5B313BE51787FE
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>....<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-TerminalServices-Gateway-UI-Package".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="RSAT-RDS-Gateway"/>.. <migXml>.. <detects>.. <detect>.. Install RSAT Remote-Desktop-Getway component if it is installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\Terminal Server Gateway")</condition>.. </detect>.. <detect>.. Detection of OS version to be Windows Server 2008 R2 or lower. IsOSEarlierThan returns TRUE if the OS version matches. -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </de
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1731
                              Entropy (8bit):5.174855253719388
                              Encrypted:false
                              SSDEEP:48:/2e8v+Zfgfl0h9ZyRIgjavjaS/+RuD1/e/H/lJm2:/2C80LMR1YhxD9sf3p
                              MD5:5D8548FE277D3336485FDCB083A3D0AE
                              SHA1:048EE2FD014CEB8BA2CCFB3331A36A25EC7C2F65
                              SHA-256:C267A26ECBD7CFA4BCD65BEE1934DE6B607D70DB660FA39969B2C45B2EFE8D9B
                              SHA-512:BC89D2C8658A2EBBAC6B8AC48C1AF00A87ACD9A2BAF2BEF8A70760B91206D43ACCA45D4700E04F90DD9FAF9F69B610A7DDDAB6F17EADFF2A955870B26BA93A4F
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TerminalServices-LicenseServer".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementSettingsVersionRange="0".. settingsVersion="1".. replacementVersionRange="6.0-6.1" .. >.. <migXml xmlns="">.. <plugin.. classId="{999293E6-7830-45f3-9E3E-A0403E828EFB}".. file="Microsoft-Windows-TerminalServices-LicenseServer\TlsRepPlugin.dll".. />.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlset\Services\TermServLicensin
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1377
                              Entropy (8bit):4.992544306303786
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+ZHg0cj3+3N9ENgwxTDW8apaLwxTDWzTewxTDWe7pwxTDWmwxTDsQJXg:22e8v+ZHgfAIgkUpaLkUTek37pk3kDJQ
                              MD5:4DD16988838E042803EE1F7429266E43
                              SHA1:E77C95B0297A07844BDFB62AF2ACEEB0F079A262
                              SHA-256:B9B4B2FD2B11D2388D737D75F06554FD43E5F853C1027F938DE1F52D0A7EC090
                              SHA-512:F69051FFEA086A52BE4B0A04C9AB32EE5D19B6181F464CCDC76E78EC72DEAA2A4FECEBAF69B452CB8E11AF674DE51BA551D2279E0CC4EFC2F515459D42CCA7BB
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TerminalServices-LocalSessionManager".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server [fDenyTSConnections]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server [AllowRemoteRPC]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server [Del
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2251
                              Entropy (8bit):5.113177441373641
                              Encrypted:false
                              SSDEEP:48:/2e8v+Z6o4QgfRIgf9Hf9Ff9Df9Lf93f9wf9uf9Lf9tf9IJub:/2Coo4VR9n1xt0ORTOE
                              MD5:D7E0E2FC11F40312E91B6ACD5C13E342
                              SHA1:69D18A429FB8D731A455C6215ED52C5E2B105717
                              SHA-256:73DED299B849192458FA844C27CB46D9DB5F033E0DA9B2B28845D5077498812D
                              SHA-512:3046219BA90C950D010EE15258E1232CDAA336DE60D45C1144B2ACB177695E23B73172BE3BCE1F7109CD892F537B05B3497ACD69CAA923A80B6658E66BA76B46
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TerminalServices-Publishing-WMIProvider".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. settingsVersion="1" .. replacementSettingsVersionRange="0">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList [fDisabledAllowList]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList [fHasCertificate]</pattern>.. <pattern type="Registry">HKLM\
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):860
                              Entropy (8bit):4.870520887965546
                              Encrypted:false
                              SSDEEP:24:q/o2e8Zhjg0cj3+3Njm+6ENgGyJXMFhUK:/2e8njgf8x6IgBJuX
                              MD5:2EB7F4DDD90BCFD7F4BB1869DDBA6185
                              SHA1:01BC17D0D63C21B676C03B56556D53AF56B46749
                              SHA-256:0E3BD5B533A31F2DB15EDE64AD95E93F440ECF4AC8F6C9117567EDBB5F83C896
                              SHA-512:C351CD4C11E2B7120868B6DD4F7061E48C90F944C4FD98E67F6C0B22786CDBCBD0396DC447A1A2BFDDE5B1A5FC2CAF11DE666460E658FD83A2B0C0D81667DDAA
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="TSPortalWeb".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.2".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\Web\RDWeb[Web.config]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1083
                              Entropy (8bit):4.89946353221566
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZWWjg0cj0Doh3NjmV26ENgG93gGl3gGkJXMFhUK:/2e8kWjgf00fd6IgA3gk3gfJuX
                              MD5:90B669EB398E5D178B261B1A1EED20DB
                              SHA1:9FF6F09B6B61D78495F71EAC91A62E54C7846BF2
                              SHA-256:67CEB953A8D81A003B37B77E3708A3ABFF146C6F97F2709470527C8FF854A042
                              SHA-512:4781B05908EAD49A615935A96CA02D80C0DEEE44FA9B01F70E4F53FA4AC6C7B9D85DA952510DFC3F7238156A6273844BE7EE75D1613CAF37768417C7EA9E3213
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="TSPortalWebPart".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.0-6.1.7043".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\Web\TS\* [*]</pattern>.. </objectSet>.. <objectSet>.. <pattern type="File">%windir%\Web\TSFeed\* [*]</pattern>.. </objectSet>.. <objectSet>.. <pattern type="File">%windir%\Web\TSFeedLogin\* [*]</pattern>.. </objectSet
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3390
                              Entropy (8bit):4.904471039547804
                              Encrypted:false
                              SSDEEP:48:22e8G+ZoKgf00ftIgkb+kvkmJJmkCZDpklkWC5koeHkyk4Zb7k0ZkuXG0iUpEccA:229/0FuPKF9yPFHfdv/
                              MD5:FC0CB2E52E29E28925504088FB40A756
                              SHA1:3E5E5034DB95D8C34EE1F30E4B332A890CA147F7
                              SHA-256:1C12F7766DB077A49C7E0A00BB6F4A5E2A979A84138D63DB03C14CD847FC7A1B
                              SHA-512:65A7A06C41BC885CE115DC8408BB795AB516867477F4409AE1036F5BC512383F40A5A3271A4C99D16E3089F203C752460CCD49D62B9A230FDF47EB59D575EC15
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions".. language="neutral".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.0-6.1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\VIDEO\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentCon
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5441
                              Entropy (8bit):4.9394030972623915
                              Encrypted:false
                              SSDEEP:48:22e8v+Zkgf70lIgkwklkFklkXbkWkPkVkVkOpkokKk6k6kok2YpkHkpkakLkWkAL:22Cl0lu/pP
                              MD5:42F741424722F77B005B32EBC91270F6
                              SHA1:F3E27A351420995CBA9E3048B7840569357177F4
                              SHA-256:7F30897AAEC31A412661201C823E8E143A7062C024869D067F1C9035703CDF37
                              SHA-512:67830ACC595A41557AAFC1799D2ED65BF3064EEFA359DEE6564895C6BED458D2C94CD66929700E6C4792B05DB2AE9BBCC7CFAC367181D4009751D8CF5BDF7A92
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TerminalServices-RemoteConnectionManager".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. scope="Upgrade,MigWiz,USMT".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server [TSUserEnabled]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server [DeleteTempDirsOnExit]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\Curren
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1044
                              Entropy (8bit):4.924038572560615
                              Encrypted:false
                              SSDEEP:24:p/Wg+ZtQg0cj3L3Vj4FFL65D73Zncp2MPFhUK:Z+ZtQgfJ4FFm5fi2MNX
                              MD5:4B41FCD994EFAEC6E88AA386AC98694F
                              SHA1:19E8EA4B13FE4A2933FB02F27105E261CD1C91D8
                              SHA-256:6BD172E952FB34252B289164656A15B4940EFF45F243B56569C1421477D032F6
                              SHA-512:261D1B736645DFE8EEAEE0540D19F9408D284FB310C8A9CD020C759DA3AE5BD738224F59934316D09C54712BFA042D7232E97448825346722F25DB18340B66C4
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>....<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-TerminalServices-Role-Package".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="Remote-Desktop-Services"/>.. <migXml>.. <detects>.. <detect>.. Install Remote-Desktop-Services component if it is installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\Terminal Services")</condition>.. </detect>.. <detect>.. Detection of OS version to be Windows Server 2008 R2 or lower. IsOSEarlierThan returns TRUE if the OS version matches. -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1042
                              Entropy (8bit):4.9233194750499205
                              Encrypted:false
                              SSDEEP:24:p/Vg+ZtQg0cj3L3Vj4FFL65D73Zncp2MPFhUK:Y+ZtQgfJ4FFm5fi2MNX
                              MD5:010D72DACBC61EAD0F043AE9DBC0E205
                              SHA1:0D5885453EA09D2D20CC33949CB7720588614DC2
                              SHA-256:9EF9EE2B4E01BD620D37B58488007599072E5CAEDF092C696D5DECDF76B47CB4
                              SHA-512:88415CD9FBF94F23CA274C5346B8EA2652FBC555ADBCBEC07DE1127F4B12D938D5EFA06F30EA7840D6447EC5E60B183F0027F4AF7ABB34B4D625753A5EA2639A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-TerminalServices-Role-Package".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="yes">.. <registerSDF name="Remote-Desktop-Services"/>.. <migXml>.. <detects>.. <detect>.. Install Remote-Desktop-Services component if it is installed AND the OS is Windows Server 2008 R2 or below. -->.. <condition>MigXmlHelper.DoesObjectExist("Registry", "HKLM\SOFTWARE\Microsoft\Terminal Services")</condition>.. </detect>.. <detect>.. Detection of OS version to be Windows Server 2008 R2 or lower. IsOSEarlierThan returns TRUE if the OS version matches. -->.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2")</condition>.. </detect>.. </detects>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2743
                              Entropy (8bit):4.899760844123097
                              Encrypted:false
                              SSDEEP:48:22e8v+ZogfQHU0LeIgk8k/fQk94pkakYkO3ka9Ju9wPvh27+ZggLBqg5ic+ZFgh:22CGHU0Sq9mvWwPvh2ShZyi
                              MD5:FF179F7C6A2D56A2F89B4E387CD1995C
                              SHA1:018F8D8F83C55613375066C9319F0E840B8BC2B2
                              SHA-256:BF76EAFAC31AB6E2DBFC9B592595E390622B28BFAEB001998B6F3914314DBB96
                              SHA-512:FFEF332F8803863F1B806B4A200A64AB21DF4FDE12C0246113FE130494750B4B64C208E0025CFC152F1A8AE4D226AA2BD0CD2A088FE2E1401BDCB3426914A471
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TerminalServices-SessionDirectory-Client".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.1.*".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server [SessionDirectoryActive]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server [SessionDirectoryExposeServerIP]</pattern
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4168
                              Entropy (8bit):4.785329494970319
                              Encrypted:false
                              SSDEEP:48:/2e8v+Z8gfEweJRsOaED8RtumQyEy+7sl+N5Hh7bwIaJMwQNQKhyf9p8cUaUJZhY:/2CNeJRzAL2yEJjrh7bwIuMR2rnGbS
                              MD5:5047E7576F9A286BDEE66073A0BCD283
                              SHA1:16719CE15E8938E687A55F75156ED64EBA27A729
                              SHA-256:FA1B84C8FE59698F299ACE533DFE270682CC0B102B6641B3B15E1006CE7772F0
                              SHA-512:0C6675454249420F10BCC855E60724125B4235DE20E581EC7820B4813BD8957EAF3E246465F8A7FF139DF2D7CE4C06BC7131B74EA731DED7FA5A612F75409AFC
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TerminalServices-SessionDirectory-Server".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.1-6.2".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet> .. .. Following is the upgrade sequence and the actions we take in each phase: .... - Gather phase: For this phase, we author gather rule to tell setup/upgrade process to.. preserve old d
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1279
                              Entropy (8bit):4.910068192201706
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+ZRRg0cj3W3Njm9eE81JowuQN51JgrVGJXEFCUf:/2e8v+ZDgfEweJJo8/JgrUJmR
                              MD5:1B4878D52A35608B922EA617E4592BBD
                              SHA1:0F86205CFFF1C0AC567683A3D82D9F5B20960E64
                              SHA-256:DD60757A107993889DEE7CD70B3B9D12C5171AC086E9A0C33A7BDC88D0C6CCD0
                              SHA-512:469CA48F990D815A444D0302471C3D65730C94E2BF4144C03ADB4E3F366FE0D07AF0F67422CBA4F15BBB483B82C7A431FC54AF32C0B5E51DFBD7BFC24A4EB14C
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TerminalServices-TSV-VmHostAgent".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="0".. replacementVersionRange="6.1-6.2".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet> .. This tells setup/upgrade process that we want to preserve this registry key. --> .. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\vmhostagent\Parameters [tssdis]</pattern>.. This tells setup/upgrade process tha
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1065
                              Entropy (8bit):4.96984082363901
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+pg0cjh3N1LRMEF4wuSb3wuyBX0FCUK:22e8z2j+pgfZlMY4Qr0B2A
                              MD5:4DBFCA3B87A59186D2612A95CA2CD899
                              SHA1:4C84BD2D60CE789B44070CDDC296C09D2F52B1CC
                              SHA-256:2C229D8DA31E17FCEF244A8A2029CA8FE8374738A9ECBFED9E23FB89DB8DF059
                              SHA-512:704ECDBE3FC38AC3807946072C7C523C36B4AF1586BEFE01A87BBBF35CF20214A0E0DE892A56E74FE8AA806154D7D2B9CC7028AEF47BEC326564B5F18CD12421
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-OneCore-TetheringService".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="Yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Roaming\*[*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\icssvc\Settings\*[*]</pattern>.. </objectSet>.. </include>.. </rules>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6465
                              Entropy (8bit):4.91392769805535
                              Encrypted:false
                              SSDEEP:96:229dC/OQ1IN4SCJC/VALWf5uz7B1QVAXWf59Q1AY5iZ63VA7mn5mjzZNQVAHmn5x:O/laLXKP7XN
                              MD5:66EC7A12C6A3543E367B00AFB5135CF5
                              SHA1:7A83A9FA73957FA9C26E01D464762C49B071AAB4
                              SHA-256:D7DD680339266412774393FF132CF58FB62D147B41F8A1C5C6D038B7FF12B534
                              SHA-512:51B9CABCE64A40C4607BECFB5F0C3E8038FFF44C75336AE6AD9CDFEA815FDD9479C6E71F3873EBBF0C64A207D948553EAD627EC3F2DEB0C34C45056D653BAD7A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-TextServicesFramework-Migration".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. scope="Upgrade,Data,MigWiz,USMT".. settingsVersion="2".. replacementSettingsVersionRange="0-1".. >.. <machineSpecific>.. <migXml xmlns="">.. Plug-in setting for msctfmig.dll -->.. <plugin.. classId="{0b23c863-4410-4153-8733-a60c9b1990fb}".. file="Microsoft-Windows-TextServicesFramework-Migration\msctfmig.dll".. offlineApply="Yes".. />.. Gather the registry keys that need to be migrated -->.. valid only in full ugprade or data-o
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1190
                              Entropy (8bit):4.881895608689785
                              Encrypted:false
                              SSDEEP:24:q/VR+FDjVg0aTK+3vWAnjJFsuDMrENgwurJXmNgwuHewuwTMFhUf:Y+FnVgKAjJFjDMrIgZJmg1eii2
                              MD5:E074B31BE7CD7458697CC3630737C79E
                              SHA1:8E264D306C2CF084C704CC2B3C79B9A93177EAFA
                              SHA-256:F52C056D0680C1165FCF090F9DEAF05C28EBB366D2D7B90717480BAB9C4DFF52
                              SHA-512:6B86C38924C5653B97B6EC2238F3BD2B9EA453EA34884609C1131B74657BC5CF1458BFEC918050A3941BA12C09AC2BC58F12826D2210F85415F7FFC9FCDCF14F
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Time-Service".. version="0.0.0.0".. processorArchitecture="*".. />.. replacement manifest migration is applicable from Win7 to very recent builds --> .. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.1-10.0.9890".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. Include all W32Time regkeys except the regkey corresponding to the trigger info we have removed -->.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\W32Time\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\W32time [RequiredPrivileges]</pattern>.. <pattern type="
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2577
                              Entropy (8bit):4.948260494654791
                              Encrypted:false
                              SSDEEP:48:22e8v+ogfNco6IXwV+1ewQJmfzFAAX+spKv/V3J3uiX:22C5WxouON2tJD
                              MD5:1BBC988EB64858D2748AD6796E01634D
                              SHA1:D60EFF9154B51381B0E5CC91C4B27F0371C6BD9F
                              SHA-256:8CE65B2DF1E066432AD9FC285C887CDF5794E4DF7D8DBD58D361954E4B987FD1
                              SHA-512:34DC17CBC8750426C785B43F83DD335EA445BB656A9A7ED4F67093F68360523D808225141EE5589007F8A32E558B646D73C896B77BA9B7289BC0BE29EA395552
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-TPM-Driver-WMI".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,Data".. settingsVersion="2".. replacementSettingsVersionRange="0-1".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. .. This rule will be used during the gather phase to capture all.. settings under the WMI key.. -->.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Tpm\WMI\* [*]</pattern>.. <pattern type="Registry">HKLM
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):916
                              Entropy (8bit):5.040260725049012
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+VFg0cj06v31L+ENgC1j+YeV9BJXMFhUK:22e8v+VFgf0eaIgCQDLBJuX
                              MD5:1A3A6DE1A409FD46B96B63E6295E5AE5
                              SHA1:AB126C2FBE059E18D29527D27248318D07E59E9F
                              SHA-256:2A8BDB0868BFDA1B3E5BC2E0451590F50371DDC8AAC32B965541AD57FD643CA6
                              SHA-512:45A0FBD4E8F7339FFFA5A04F04048672E1D2FDA3F61FB59F610B40D5B887876841A9FC785F701D35BA7FF2DB7309359645C50A0F33687DF4A0F586594A5D4C23
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SmartCard-TPM-VCard-Module".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. settingsVersion="1".. replacementSettingsVersionRange="0".. alwaysProcess="Yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%SYSTEMROOT%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\SmartCard\Tpm\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):11716
                              Entropy (8bit):4.9742428059807064
                              Encrypted:false
                              SSDEEP:192:xndoci0gKqliX56pr68OeRLVy+c7lRgb9lY5oqtLq8r3:xndoci0gKqEX8pG8tRLVy+c7lRgb9lYv
                              MD5:D46FB01D86A4B4EEA183CDFC76B90A12
                              SHA1:E6BFE3AE352CC773232AFF5A6A0501A6C9A9DD5A
                              SHA-256:E26450DEA290C2C823A83497452F029DA968171062BDD0C1911E8E644E86709E
                              SHA-512:05BAD5B69DAC8F1469A331760B08E94F13836DDFD448DC6F05CE9036ADDEE91558E7470C65DBE4031E7E8FF912DC6755D16C450C501598A5CDA4059C6AE8C283
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="utf-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" manifestVersion="1.0">.. <assemblyIdentity name="Microsoft-Windows-TwinUI" version="0.0.0.0" processorArchitecture="*" language="neutral" />.. Rules for pulling settings from any earlier settings version into the current version (10). -->.. The entries here *completely override* the rules defined in the downlevel copy of twinui.man. -->.. This should essentially be the subset of settings from the current migration rules that existed in one of these prior releases. -->.. settingsVersion 9 and 10 corresponds to removing two sharing toast IconUri's that were added previously in "RS5" -->.. settingsVersion 8 corresponds to allowing migration of BitLocker and WIP notification settings in "RS2" -->.. settingsVersion 7 corresponds to no longer removing
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1557
                              Entropy (8bit):4.94546856685982
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+sg0cj35BY3vD0j8B0HicVENgwNJXBBRENgwgJXMFhUK:/2e8v+sgfzusvCcVIgYJxIgDJuX
                              MD5:0C1B62B5C27108AEA98619A132E7C38B
                              SHA1:83FDD69663AC40852718F0813E5589D4FAFBB30C
                              SHA-256:BF30C13579DEB5198C384BF6227FCF9BC71663A42102A2A9A3E7F54458387BDD
                              SHA-512:EC8CB8E54DE71EF744F2AF02FB6FA1920D461D498BA45892C375805035F473975427C3B775765569BBCF70E7B1B2D61EBCDCACBF218942CAA44AA6F0A641B201
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-UDFS".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. scope="Upgrade,MigWiz,USMT,SvrMig".. settingsVersion="0".. >.. <migXml xmlns="">.. Migrate UdfsCloseSessionOnEject from Windows 7 -->.. <rules context="System">.. <detects>.. <detect>.. <condition>MigXmlHelper.DoesOSMatch("NT", "6.1.*")</condition>.. </detect>.. </detects>.. <include>.. <objectSet>.. <
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):850
                              Entropy (8bit):4.962478560073124
                              Encrypted:false
                              SSDEEP:24:p/o2UCs7g0cj3LDGrENgwwawwxJXMFhUK:22I7gfvGrIgfafxJuX
                              MD5:AD2EAD8146AF5507E41E90065B915F17
                              SHA1:1974662B9D552DD671F4D9D9ED26246D00993D5E
                              SHA-256:FE660804B8D940BDB2F68A766091E739DFC5CAD19199E0A61D3D3D916098B854
                              SHA-512:76181FC56DFEEFB6E6E50ED7735DC4F052DF6C01D26028BEA3135DC7CA98A9368B175865082F058FDD49F7C04F52CAC72156FCF58865CD9B3DFC7017DA396004
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="UpdateServices-Common".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementVersionRange="6.2.*" alwaysProcess="yes" scope="Upgrade">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup [VersionString]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup [EnableRemoting]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2825
                              Entropy (8bit):4.989570602972299
                              Encrypted:false
                              SSDEEP:48:22IHFygfvGrIgfxfcf5Jmgfaf3fHf6fFf0f/pfWfRjfHfgefgEfg8afgViX:22sErRZSTDIv/otqJERb/tbct
                              MD5:DC43D710C19E38630F19B1E6851741DA
                              SHA1:3AD434C3CC8A125022F915EFE3E5C018C92898DC
                              SHA-256:D6057C16C09FBCEFEDA388D0B1C11954CF0907A9708EE2D6CFE959AA2CF5D156
                              SHA-512:671DD41694ACC2582F61B7F77CF3FC82D64070BF462D749B986ABD7ADB31DEE89ABCE5F600A801BAAF64660814D8A63326F75318F12D03111055FD0319EF6548
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="UpdateServices-Services".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration replacementVersionRange="6.2.*" alwaysProcess="yes" scope="Upgrade">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup\$ [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate [CertHash]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\SystemCertificates\WSUS\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Update Serv
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2455
                              Entropy (8bit):5.074428989655324
                              Encrypted:false
                              SSDEEP:48:/2e8z2j+TgsBb2KN0LrIjRMY4QuSsfSCfS9fSCb3B843wbIgfqgfShMfSKJuv2b+:/2X2q/Ff0IMTvd4BNsRq2TFO
                              MD5:12248F140564AF122D527471170BC255
                              SHA1:B6C4604C46D119638A3DE4CBE881B28530C64901
                              SHA-256:B7CE77D92C9B0DF14698DD1AA381BB618251B394529BFFBD6A480F678AB43F23
                              SHA-512:D34EC0BAA4EB7A2CCF2E551BB8F2DF3CBFA56ED08995763B72DB24419A5B6F7AB1DFC96BFC27ED4B21A655F932EAA59DCFAE44ECEDD10CEDF393D5E8784B7042
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-UPnPDeviceHost".. processorArchitecture="*".. product="$(build.product)".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1-6.2.8300".. alwaysProcess="6.1-6.2.8300".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\ServiceProfiles\LocalService\AppData\Roamin
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2462
                              Entropy (8bit):5.075549731851826
                              Encrypted:false
                              SSDEEP:48:/2e8z2j+lgsBb2KN0LrIjRMY4QuSsfSCfS9fSCb3B843wbIgfqgfShMfSKJuv2b+:/2X2qhFf0IMTvd4BNsRq2TFO
                              MD5:20D10DD2860638DE649B7FB48A65095E
                              SHA1:9ACBFC628D3D8C269D70A1DCF0EE57F65A1FF0CD
                              SHA-256:D227373395926368D207F7E89C285B03F798CFB6179EF9FBF7016DF983515EA6
                              SHA-512:1AF29219CDFC2E171DBC2DD72023A3C7FA5767276AC04C905AB8501554E3370F03E25380FE8D3D6A5C7295A7D951141A860236A51276BA06E8311A19D0526E68
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-UPnPDeviceHost-Server".. processorArchitecture="*".. product="$(build.product)".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.1-6.2.8300".. alwaysProcess="6.1-6.2.8300".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\ServiceProfiles\LocalService\AppData
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2320
                              Entropy (8bit):5.060024170080251
                              Encrypted:false
                              SSDEEP:48:/2e8z2j+RgsBb2KN0L7zD0MY4ZLUyEW7Q67B843w42b/:/2X2qNFf0fX0MUUC
                              MD5:83BDD06543A734239622E31184C27542
                              SHA1:4A53906A45AEC58E4866E3A7D5E3C46C3F3A02B8
                              SHA-256:5BF02B23B6551F2454FC2BCEF8201CB485FCCFF83A8E73BBDC309C35B70B7A6B
                              SHA-512:67C1BCEA4AFA1ADCBF255906666B7F03A33F304DAA5C4A3B52E4DEEEAE6FD8010DE67185429932200C1AB7EE5DE96F7D44D4EB6C2E822369E37BA065E7BA47C2
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-UPnPSSDP".. processorArchitecture="*".. product="$(build.product)".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. alwaysProcess="6.2.*".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameters [Additiona
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2327
                              Entropy (8bit):5.06046080622861
                              Encrypted:false
                              SSDEEP:48:/2e8z2j+iCgsBb2KN0L7zD0MY4ZLUyEW7Q67B843w42b/:/2X2qiaFf0fX0MUUC
                              MD5:4AB163FB4D2F0899DB5C5F78523A418A
                              SHA1:20DB1723D5017E28FEF49AF4E607EAB033104226
                              SHA-256:607D95B606637D2369EA05F3271B9A25A707211036DBD457E3017DF74CAB8EC3
                              SHA-512:F66A17B48BB859D67FD1CD4DEFB82F6252BA09DE07A170822F5F42B075D70645095E67D5A1F816705C6A619BE1DFF3B25718ED2D2805343596A0F0FE978FD1AA
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-UPnPSSDP-Server".. processorArchitecture="*".. product="$(build.product)".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. alwaysProcess="6.2.*".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameters [Ad
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1685
                              Entropy (8bit):4.9962390137375134
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-UsbMigration".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-10.0".. scope="Upgrade,Data".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules contex="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\usbflags\* [*]</pattern>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\usb\TestConfig\XHCI\* [*]</pattern>.. <pattern type="Registry">HKLM\Sy
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):914
                              Entropy (8bit):5.032538103036136
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Video-TVVideoControl".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. replacementSettingsVersionRange="0".. settingsVersion="1">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Multimedia\TV\Tuning Spaces\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. <migrationDisplayID>Programs\Media_Center_Settings</migrationDisplayID>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1786
                              Entropy (8bit):4.79233539143423
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-VirtualDiskService".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. .. This manifest is used to gather settings for migration from Vista and WS08.. because those builds shipped with an incorrect manifest..... As this manifest is only used to gather settings, it does not need the.. supportedComponents and merge elements..... The only settings that we need to gather from Vista and WS08 is the list.. of registered hardware providers and the alignment values..... The machineSpecific element informs the migration engine to limit our.. participation to inplace upgrades only and to not inclu
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2955
                              Entropy (8bit):4.6498077384183905
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Volsnap".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. <migration .. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. settingsVersion="0".. alwaysProcess="Yes".. >.. This section is for migration from before Vista -->.. <supportedComponents>.. <supportedComponent>.. <supportedComponentIdentity.. xmlns="urn:schemas-microsoft-com:asm.v3".. language="*".. name="Microsoft-Windows-Volsnap-DL".. processorArchitecture="*".. settingsVersionRange="0".. />.. <machineSpecific>.. <migXml xmln
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4120
                              Entropy (8bit):5.041005170787489
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-VssService".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0.*".. scope="Upgrade".. settingsVersion="0".. >.. <supportedComponents>.. <supportedComponent>.. <supportedComponentIdentity.. buildFilter="".. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-VssService".. processorArchitecture="*".. publicKeyToken="$(
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1275
                              Entropy (8bit):5.064788085719507
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-WBioSrvc".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0-1".. scope="Upgrade,Data".. settingsVersion="2".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\WinBio [Enabled]</pattern>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\WinBio\AccountInfo\* [*]</pattern>.. <pattern type="Registry">HKL
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):850
                              Entropy (8bit):4.723064196963599
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly>.. This doesn't actually replace the WCF-HTTP-Activation component... It's just here to provide a dummy MigUnit so the post-apply step for WCF runs.. if HTTP Activation is enabled during migration. -->.. <assemblyIdentity name="WCF-HTTP-Activation" .. version="0.0.0.0" .. processorArchitecture="*" />.. <migration scope="Upgrade,MigWiz,USMT" .. settingsVersion="0" .. replacementVersionRange="6.0".. replacementSettingsVersionRange="0" .. alwaysProcess="yes">.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSLaterThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):860
                              Entropy (8bit):4.737747485132033
                              Encrypted:false
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly>.. This doesn't actually replace the WCF-NonHTTP-Activation component... It's just here to provide a dummy MigUnit so the post-apply step for WCF runs.. if Non-HTTP Activation is enabled during migration. -->.. <assemblyIdentity name="WCF-NonHTTP-Activation" .. version="0.0.0.0" .. processorArchitecture="*" />.. <migration scope="Upgrade,MigWiz,USMT" .. settingsVersion="0" .. replacementVersionRange="6.0".. replacementSettingsVersionRange="0" .. alwaysProcess="yes">.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSLaterThan("NT", "6.0.0.0")</condition>.. </detect>.. </detects>.. </migXml>.. </migration>..</assembly>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):13714
                              Entropy (8bit):4.826594379253296
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Web-Services-for-Management-Core".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />...... <migration.. replacementSettingsVersionRange="0-9999".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsUpgrade()</condition>.. </detect>.. </detects>.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\WSMan\* [*]</pattern>.. </objectSet>.. </include>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2138
                              Entropy (8bit):5.017918653423253
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WebDAVRedir-ClientOnly".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. settingsVersion="1".. replacementSettingsVersionRange="0".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\ProviderOrder [webclient]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Parameters [ServerNotFoundCacheLifeTimeInSec]</pattern>.. <pattern type="Registry">HKLM\SYS
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2138
                              Entropy (8bit):5.017426634659795
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WebDAVRedir-ServerOnly".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. settingsVersion="1".. replacementSettingsVersionRange="0".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\ProviderOrder [webclient]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\WebClient\Parameters [ServerNotFoundCacheLifeTimeInSec]</pattern>.. <pattern type="Registry">HKLM\SYS
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):969
                              Entropy (8bit):4.900659042464737
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WindowsImageAcquisition-CoreServices".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="Yes".. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Control\StillImage\Events\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machineSpecific>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):10142
                              Entropy (8bit):5.15072116624319
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-WICAMigrationAv".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-6.3.9420".. settingsVersion="0".. alwaysProcess="yes".. scope="Upgrade".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0 [DataRequire
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2056
                              Entropy (8bit):3.4566760004478483
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-16' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WID-migration".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-6.3".. settingsVersion="0".. >.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):18732
                              Entropy (8bit):5.002856720411019
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Win32k-Settings".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0-9".. scope="Upgrade,MigWiz,USMT".. settingsVersion="9".. >.. The SettingsVersion was incremented to account for a forcefull, one time.. upgrade to the new default setting for MouseWheelRouting (MSFT: 1142350)-->.. The SettingsVersion 6 is a result of moving keyboard settings to the first.. boot apply (MSFT: 5587449)-->.. 7 to 8 was in order to move wallpaper migration offline -->.. 8 to 9 was to move configuration based migration to migXml migration for o
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1382
                              Entropy (8bit):4.98644801435336
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Windows-SenseClient-Service".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. replacementSettingsVersionRange="0".. scope="Upgrade".. settingsVersion="0".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. rules gathering registry entries (default merge rule for registry overwrite the target value) -->.. <include>.. <objectSet>.. Sense service state -->.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1532
                              Entropy (8bit):5.108940194244362
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Cortana-BrokeredApi-Desktop".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="0".. scope="Upgrade".. settingsVersion="1".. >.. <migXml xmlns="">.. Per-user state -->.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search [BingSearchEnabled]</pattern>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search [CanCortanaBeEnabled]</pattern>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\Windows\CurrentV
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2634
                              Entropy (8bit):5.004040327901584
                              Encrypted:false
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Holographic-DisplayThrottling".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="Yes".. replacementSettingsVersionRange="0-1".. settingsVersion="2".. >.. <migXml xmlns="">.. In order to support migrating a single value to two separate locations, we define two migration rulesets as they're.. run at separate stages during the migration step. For single 1-1 migrations, place the rule in the machineSpecific.. section below. -->.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microso
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):993
                              Entropy (8bit):5.011003966089359
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+DVg0vj3gi3mDovjENgw5VONJXMFhUK:22e8z2j+xgSQ30LIg6YNJuX
                              MD5:60B8A9F1993CD6202872CD420418484D
                              SHA1:84622C444C626E0BA230A1F426C2C3F89032DB33
                              SHA-256:495F4DB06243891FCB4D18AEB6488470D1030316B5835C3E4009F6BE841B1397
                              SHA-512:DEAC143D438CC76132781A0122792AD716015F4F216CB6F048EDA17C8AAD58E19955CD64F4EC6C51D9309F57EF88B53905250E1CAE21E30409BE62AA6664D1F1
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-Runtime-Windows-Media".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. scope="Upgrade,MigWiz,USMT".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows\CurrentVersion\ClosedCaptioning\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>..</assembly>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1421
                              Entropy (8bit):4.890593255449173
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZR+V/g0cjzHQ/BKjHt63/od6m9xcm3N1aENgwOCgwOa5WDiJXMFhUK:/2e8v+V/gfzH2cHZ6McCaIg8g4IDiJuX
                              MD5:1CF72F4ADDC837D35BA38F632066C480
                              SHA1:69C0B937D76FEA93DB7C8BDE932F74BE55893CAF
                              SHA-256:0FD1CD1E551977E59BF3CAAB272D22E4E3A66AF7F43F9E97A6389E58DC677DC6
                              SHA-512:3B793782AB38381880B9852B9FDB4A1DABB759E2E6B0DFEFA5AAB754D25FD0A404DCBDAE11EB3656E3BC1552021E7F4549D335B34B0CE0EB0C18DE021DC2798E
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-SharedPC-AccountManager".. processorArchitecture="*".. version="0.0.0.0".. />.... This file is meant to migrate account manager reg keys when upgrading from a build that did not have migration rules for them. .. These older builds will have manifests tagged with settingsVersion="0", so we use that value as our replacementSettingsVersionRange... Any build that does support migration will be tagged with settingsVersion="1", and will therefore use Windows.SharedPC.AccountManager.man" -->.. <migration.. scope="Upgrade".. replacementSettingsVersionRange="0".. settingsVersion="1".. alwaysProcess="yes".. >.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2074
                              Entropy (8bit):5.063445886325946
                              Encrypted:false
                              SSDEEP:48:22e8v+ngfb37iixlGgIgluJ8J0gluJ8rIglubJ0glubQvhE/:22C+iEPKJgGJaKVGv
                              MD5:EEE1168B3D162DA974A52F46A888F72B
                              SHA1:278E81663E658D2E357C0092A3F2DE9854DC226D
                              SHA-256:905F183C96292B7D8EE7FCDA6E19D89F3DC48C87ACFA7984A1CE96E456183045
                              SHA-512:186E43DC74EC55B547077789AE84D55DFD671A814E3E35E05538572670BFD5FCEF835CBE9A5FE11A4D725340324DDB86BE3286D278398AE9934725D210974257
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-UI-Shell-Component".. processorArchitecture="*".. version="0.0.0.0".. />.. Migration engine uses Windows.UI.Shell-repl.man for builds within the replacementVersionRange instead of Windows.UI.Shell.man -->.. in the OS. So if a resource needs to be migraded from a build within the replacementVersionRange to a higher build then -->.. it needs to be added here as well as Windows.UI.Shell.man -->.. <migration.. replacementSettingsVersionRange="0".. replacementVersionRange="10.0.10240-10.0.10561".. scope="Upgrade".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="User">..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1392
                              Entropy (8bit):4.84101469167077
                              Encrypted:false
                              SSDEEP:24:q/o2e8pZ+kg00jKBY33YMqjA32Qw5VQfluVlfluVSpXkFJUK:/2e8H+kg/y9M2A32Q6WfluXfluMpm/
                              MD5:5A33AF49F42244FEAFB28FC14BA9D06E
                              SHA1:499AADD561A8830584323F98A9EC25C186D81B5F
                              SHA-256:7481E821FA7BD25F51FF8DF657EDFFD2882BB193CDA89908E3EE596E2DE9EA4A
                              SHA-512:CD0196620D6BF287F3CC4F6193F7E490688D559763AB20ECD35821552F29C897F186E78F27B0A33374055CD5F57482F0FBB535491E0BB820F0D32D60E76E8DF0
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-PushNotifications-Platform-Library".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-6.3.*".. scope="Upgrade".. settingsVersion="0".. >.. <migXml xmlns="">.. Migrate the notifications data file and registration information -->.. <rules context="User">.. <include> .. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotification
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6109
                              Entropy (8bit):5.03356659491962
                              Encrypted:false
                              SSDEEP:96:22X22aEnVxuKnaOWv/hvypjPcQHYCsE/hp9wMhx0K1VMto+an7LEsAMaA+aO:m2VnVeQBKEho
                              MD5:D4737474B6CC6ABE2FB09E7565F88047
                              SHA1:92D7FF0DFC6367C390CDA01B3C89A01E95F832C9
                              SHA-256:16F8F9F0EB7510CBAB7341CE43CE09BD4741FBA161884551C80E6EA29BD7341C
                              SHA-512:753FB7CD1911C32148DCC8F95743C1FC926DA49E788B20B880F11D3525831F39BE9FCAC93233E5428767EECF9A2EE57641E84937028CC0B4E7AAB1B1A3F97F29
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="WindowsSearchEngine".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-10.0".. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="0".. >.. <migXml xmlns="">.. <plugin.. classId="{617c0a54-d12e-4340-87e7-01cc31bde762}".. file="WindowsSearchEngine\WSearchMigPlugin.dll".. offlineApply="yes".. />.. <rules context="System">.. <include>.. <objectSet>.. <pattern t
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):135992
                              Entropy (8bit):5.754904365051816
                              Encrypted:false
                              SSDEEP:3072:YGR0pYYmCiZ77V1P3Z4oPQH3gI9V+ryK7blHR/+Wf0NiW:YGR0phmCiZ77V1POpH3gI9VwyKP/+w0h
                              MD5:4821361307898DF49DD67404890AD24A
                              SHA1:64B6DEEF489CF2431F9C0A3955A1E440BE70EBEA
                              SHA-256:C4E0C1074EA5E0D8F92946F0F24B8BAE64CF71515AC901F467039CB317F31257
                              SHA-512:AEA7F9C0B7B184B21E6C5EC33DC1B4206AE0770AC1E8548DCE7DB8F49DF53C00C9E93E6CABE4189F3B5ADB9C6835F8E709F5F57C9ABA90B40C7009966DA2A8C4
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1175
                              Entropy (8bit):4.889125054023112
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+VLUg0cjTLG3vijlkENgwQVeA0JXpENgw5Ve5QJXMFhUK:22e8v+VLUgfTzlkIg/ITJ5Ig6ICJuX
                              MD5:21B660DC0C2D897E6B4780B19BBE9964
                              SHA1:79E6273219A0BA7F3E6F87767789A33EBDF607AD
                              SHA-256:E97BEAF0886D210A4C15A4C99A0B03FD68445C224CC9B176558EA946936096DC
                              SHA-512:DA22021EC0403506EDEAA9606EADF07262B63C4CB469145C5D26CBC2ABABC2CE2D2CACE50ABC7AB722B8E4B94ECBC47FD3E8CF560FDD69200F47FC56286157E5
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Store-Runtime".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="Yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2-10.0".. settingsVersion="0".. scope="Upgrade,Data".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\Store [StoreContentModifier]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry"
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1671
                              Entropy (8bit):5.123343223379953
                              Encrypted:false
                              SSDEEP:48:cm2e8v+Ngfs5I2a0tgmLIf0f0A8fxfG5JuX:f2C15zdeq0AyZGTQ
                              MD5:07AC78EFA6D7ECCFB8D85C9191119A20
                              SHA1:2A108A2D740819A6F668F10CFD93A6E250B0D8CC
                              SHA-256:465485E2DEC65E9B0C9D7FE2A903E8901C3CC1138B420691061547C391B266A4
                              SHA-512:67141FF919896FDCE911E5DC3E0891F438DA066905F21265FCD607B91226EC3E20034E88B0D14161FC44ED0E5AA2B15B4FCB8EB7F011F13410F8ACA4C53D4C89
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WindowsUpdateClient-Core".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. replacementSettingsVersionRange="1".. optimizePatterns="No".. offlineApply="No".. scope="Upgrade,Data".. settingsVersion="2".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. PostRebootEventCache.V2 still need to be migrated for 82B scenario. So the below line cannot comment out on Win8.1.-->.. pattern type="File">%WINDIR%\SoftwareDistribution\PostRebootEventCache.V2\* [*]</pattern-->.. <pattern type="File">%WINDIR%\SoftwareDist
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1123
                              Entropy (8bit):4.946073044237737
                              Encrypted:false
                              SSDEEP:24:p/o2e8Zg+9rg0cjj03ljYLLENgwQVM2JXpENgw5VM2JXMFhUK:22e8G+9rgfjKYPIg/K2J5Ig6K2JuX
                              MD5:2CACB3815A0C9C5A63FB43ABE219CC3B
                              SHA1:E4BB0531CB597094A32F2D511C8C1C58B0698096
                              SHA-256:EC1D8BE44D9E3F1B1AE10F8D12349013F5B2CE93994960DC1520D9D75D153F53
                              SHA-512:7D0E4400FC1B99738BEAE115FD9445CAA61BE1E83463B41A3673336FA6A75DD587872159AC6C25524FB9ABB999E9A836526F43E0D87D94BACED84281B24A5506
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Web-App-Host".. processorArchitecture="*".. version="0.0.0.0".. language="neutral".. />.. <migration.. replacementSettingsVersionRange="0".. settingsVersion="0".. alwaysProcess="Yes">.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\Software\Microsoft\Windows\CurrentVersion\AppHost [EnableWebContentEvaluation]</pattern>.. </objectSet>.. </include>.. </rules>.. <rules context="User">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost [EnableWebContentEval
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):12599
                              Entropy (8bit):4.9517029834755535
                              Encrypted:false
                              SSDEEP:96:229dcK7clHOdcuBpuQp12pjmpjpycnclp9p+08IC4E3fxWGEkGtnH3TH6wrFPZ1R:ouaubucsjiNZc3fB8bMuU4uZp
                              MD5:818F0D3E41DA3E65735E538B0C9FBC8B
                              SHA1:82D9942FD4676F8D6B7E8583730C6740E79D8C21
                              SHA-256:9ACAAF5AB652E305CF8CC426136C692F1882CA3576BF440E4E1F0132910FC6B1
                              SHA-512:E6598005C0C86FD966906AC382E4D821DD11A326022C34090A936A3CC545B50EF61CD17D2A3CD46D7723CA6F3F42B90E6102C36F0F01FE469AD996E0B94ABCFB
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. name="Microsoft-Windows-Winlogon".. processorArchitecture="*".. language="neutral".. version="0.0.0.0".. />.. <configuration.. xmlns:asmv2="urn:schemas-microsoft-com:asm.v3".. xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State".. buildFilter="not build.isWow".. >.. <configurationSchema>.. <xsd:schema.. xmlns="Microsoft-Windows-Winlogon".. targetNamespace="Microsoft-Windows-Winlogon".. >.. <xsd:element.. default="2".. name="NumberOfInitialSessions".. type="xsd:unsignedInt".. wcm:description="$(resourceString.description)".. wcm:displayName="$(resourceString.di
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1016
                              Entropy (8bit):5.048942925289944
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+2jg0vj3gi3vUUDovjeENgwwV3GJXMFhUK:22e8z2j+2jgSQHU0LeIgfwJuX
                              MD5:6A45D03CF265A4A54A94E287E0BDBB7C
                              SHA1:7BA8687194D5785F1B71C8A477BEC311050DB9EB
                              SHA-256:F138E0E5FD88E6804063B5ED9A0CBC46FD8574C6BA695158C92AAEFD7F31EC40
                              SHA-512:68A7F6BA2BC0F423F52BD2DA83F0A8146A7E3A1F630457443E445F0F778BE75969952189D4F9083834ABE29F5B94F46FDFB4933D77D022E07C077BCD3F21B02E
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-WinMDE".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. scope="Upgrade,MigWiz,USMT".. settingsVersion="0".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Media Foundation\DLNASupport\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1188
                              Entropy (8bit):4.7911029875855276
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+5g0cj06v31NMEd4wuNZX04wuNDyFaUK:22e8v+5gf0eNMo4bZE4bw4
                              MD5:4C9C952DAC2DA7133AC8D96B8B2F8536
                              SHA1:C8008A6D3719A0C8ABEC3B4CC9FE16F9C877211B
                              SHA-256:4F08B1562EF6E7D3B43D676FC6C9B468A8862B52D1B58D355508521A9E211E2F
                              SHA-512:0120507A7C993A0CCB3D529C8560684E07F667B2A3F360B891025A90112B14D2DA6EF6A71C9B2E5E1F644D7147644982C5EEEDC5844DC56E1DF1B2EA325B0E78
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WinNat".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. scope="Upgrade".. settingsVersion="1".. replacementSettingsVersionRange="0".. alwaysProcess="yes".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\Winnat\ [Start]</pattern>.. </objectSet>.. </include>.. <merge script="MigXmlHelper.SourcePriority()">.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentCon
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):889
                              Entropy (8bit):4.865772709876414
                              Encrypted:false
                              SSDEEP:24:K2e8ZjF+ag0cx33ii6EF4wwV2HBX0FJUf:K2e81F+ag/X6Y4fMB2G
                              MD5:11815AA40BA3BFD3C621E203BB9DCBC9
                              SHA1:3F3877270E26E993F7C02B97F4DD6FFF637DE87D
                              SHA-256:C028EFD706EDF69F365A5A2CE7177088FE2082C124C1A0ACC4085B2A8DCDCCC3
                              SHA-512:C984E5876CEC46E0FAE030A29943CFF4446E01914348DFAD5D980560E150185BFFE510AC1786333A4AD3E8EBB1E73D282892D92494A213487F69161EEDB4FE07
                              Malicious:false
                              Preview:<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WindowsSystemAssessmentTool".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS" .. />.. <migration settingsVersion="1".. replacementSettingsVersionRange="1".. replacementVersionRange="6.2-6.3".. alwaysProcess="yes".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinSAT\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </migration>.. </assembly>
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4165
                              Entropy (8bit):4.886779477950301
                              Encrypted:false
                              SSDEEP:96:/2xsBiGID6i20X7Ad0X0ngxFhU7UDWzd0/Q:YspPVdEDKo0d3
                              MD5:F1B110FC3D7B2E8E0755F0C9283228AB
                              SHA1:9666FB5FB6552F96246BED9BAD6977137D74A4C6
                              SHA-256:E2AB76CECD50891481EAB64030D433EBE44F6BADFE03BD8F5D8CB817CA82A59E
                              SHA-512:BDC37756A3EA980650DA2882F1B98F799FC86E148C14678FDD6AA0AFC0C7A9657052F278C29DB6F355AC782A4F1CCE99D41763F104F9E5165AB8254EE614039D
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. "Replacement manifest" used to "replace" our (non-existent) Vista and Win7 manifests.. to handle gathering settings on these OSes. -->.. <assemblyIdentity.. language="neutral".. name="Windows-ID-Connected-Account-Provider-WLIDSvc".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="6.0-6.1".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-6.1".. scope="Upgrade,MigWiz,USMT,Data".. settingsVersion="0".. >.. <migXml xmlns="">.. <detects>.. <detect>.. <condition>MigXmlHelper.IsOSEarlierThan("NT", "6.2.0")</condition>.. </detect>.. </detects>.. <rules context="user">.. <!-
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4136
                              Entropy (8bit):4.983406757037376
                              Encrypted:false
                              SSDEEP:96:beIEjWdyVITMvJ0jn+RYeYLVmAadKFEsBkcXKu/k3sIWP/b:STtHzsr
                              MD5:259ADE019C1B6C619B42570310804EE6
                              SHA1:E3C4A81B831BD0678D68FBAEF8FDEA43F4687B8F
                              SHA-256:B01207CEAAA4963EAB570322B0FE3D92A535C215F0E5089F3F0539DC65F70E5F
                              SHA-512:7428CC75E24D114BC7FEEF5825570C3664DB8AB7628AB22A40FA43A50E1479FF18FD0472CFA3C7F9468BF6209B023F67E413CC0D64C0DB572B76E7709C4DB689
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly>.. <assemblyIdentity.. name="Microsoft-Windows-WindowsMobileDevice-Migration".. version="0.0.0.0".. processorArchitecture="*".. language="neutral".. />.. <migration settingsVersion="0" replacementSettingsVersionRange="0" replacementVersionRange="6.0.*">.. <migXml xmlns="">.. <rules context="user">.. <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows CE Services\* [*]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\ActiveSync\* [repl.dat]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows CE Services\HTTP Server\* [*]</pattern>.. <pattern type="Registry">HKCU\Software\Microsoft\Windows CE Services\Logging\* [*]</pattern>.. </objectSet>.. </exclude>.. </rules>.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2743
                              Entropy (8bit):5.1263646165207915
                              Encrypted:false
                              SSDEEP:48:22e8v+dgUKbd1IgAe/q/Ll/wl/g/KDLlDwlDAJmg7ZIJpDaVib:22CO1h4LtwtW0LBwBMe
                              MD5:7BA3CF6E05C79440608583E89823FB5C
                              SHA1:62F9CCEB88121A10B61B9A56224C8CB7B8B51472
                              SHA-256:71D7AFE436A63E911D49FA279229C001DBD96B22629346DEA07A55148BE12141
                              SHA-512:5722C14B9E6CD54AEE88D1F3834CE5B1968F5A104DBBD865E52B56FC1713C2C9D60750E848D74392F3830E3F0AF4BFD412E4721633E6BBEB37E59C54DA01B91D
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-WMI-Core".. processorArchitecture="*".. publicKeyToken="$(Build.WindowsPublicKeyToken)".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration .. replacementSettingsVersionRange="0".. settingsVersion="1".. >.. <migXml xmlns="">.. <plugin.. classId="{401F8281-A9B6-49F9-9F71-8AEA167EEEFD}".. file="%windir%\system32\migration\WMIMigrationPlugin.dll".. offlineApply="yes".. />.. <rules context="system">.. <include>.. <objectSet>.. <pattern type="File">%windir%\system32\wbem\* [*]</pattern>.. <pattern type="File">%windir%\sysWow
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1128
                              Entropy (8bit):4.885152502729023
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZR+Wg0cjTi3vUU6jxiWflSEF4wuMVBX0FCUK:22e8v+WgfTHUGxi9Y4AB2A
                              MD5:15B4A82E7DA0D00092B23C5946CCFCAD
                              SHA1:01901A0A0E5410279147F49BC6D6E7DFEEC996A0
                              SHA-256:A40C9EA2E243B01DCBBC0E6F74DEDBC74E91576FFDD04F2D2EDABDAA59642A5E
                              SHA-512:17F26DFA293E72F615CE2BE1A2E7A06BF242575A557B13124E8536E04448ADA5CA6FAB7689EFF28AB293816BD5564D6C25879E7294F3B8A62278F2E86720D7B0
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-wmiacpi".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. scope="Upgrade".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. .. WinBlue: 313419.. Services\WmiAcpi [MofImagePath] needs to be carried over upon upgrade from Windows 8... -->.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\WmiAcpi [MofImagePath]</pattern>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1509
                              Entropy (8bit):5.149416903294087
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZF2YS+aIYg0vj3gi3vpQDov9ENgwwVawwVMpqwwVDwwV51wuMjJXMFhUK:/2e8z2j+UgSQ30lIgfAfypqfJfBEJuX
                              MD5:1E6017390B29D560BD535FAFC4FF3A03
                              SHA1:829BF77B5195255171687B6ED5E928B0E67F2014
                              SHA-256:DC0AD439ED924BDF708EE13615FC22555400841B4A93D8F7DE517078506E3E5B
                              SHA-512:6B9BD28A5C170AF19AB3EFD4FAFD8CCDB13B107C0469F6156C552627436739EF178D2E8C9FFB951368C73B8F78BEA98B3C19F9A0B65EE60DED63C030452EEE0F
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-WMPNSS-Service".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.0-10.0.14400".. scope="Upgrade,MigWiz,USMT".. settingsVersion="1".. >.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Devices\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\Windows Media
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2821
                              Entropy (8bit):4.987038380615119
                              Encrypted:false
                              SSDEEP:48:/2e8v+PgSQHUGowA31Ig/NbA/TDNDdJ5Ig6N6U67j66T+N+U+7j6+THJuX:/2C4UCAlxp2vpP5I0fhCAjFFQ
                              MD5:78C418614C2303360705C986FD8E9C82
                              SHA1:1F0C76D46E50163112A604CBE9F51BEFF1D76136
                              SHA-256:CF5096D6779BD15C0A75E41962E301952BD25E174864D1C864727F649207FE59
                              SHA-512:7EAAAA34D00D4BC3B9D46742EE814BE4CD1371653A3DBBA4F0D08139BB69FDE21359CFAB49697D1BDEF91E8961E1208C7F3F788874B5A1322580F8364A60F46F
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-MediaPlayer-Core".. processorArchitecture="*".. publicKeyToken="".. version="0.0.0.0".. versionScope="nonSxS".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. replacementVersionRange="6.2.*".. scope="Upgrade".. settingsVersion="0".. >.. <migXml xmlns="">.. Define an environment variable to hold the sync playlist path -->.. <environment context="User">.. <variable name="SyncPlaylistsPath">.. <script>MigXmlHelper.GetStringContent("Registry", "HKCU\Software\Microsoft\MediaPlayer\Preferences [ObfuscatedSyncPlaylistsPath]")</script>.. </
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):212992
                              Entropy (8bit):5.98519605546454
                              Encrypted:false
                              SSDEEP:3072:gJoPBu8PRNgnJYYlk2QB/TclcM5pzgEp00BTySPI6pjj6OWVdSwZf:gPBkDQxpnTpWdS
                              MD5:57E9009225B658EC77C41D14E8A56CAF
                              SHA1:53964A4481FC70022648A311F97C201292B4DD43
                              SHA-256:35D3039AE1AD6E43084A0A18D5DB8D72B928D633AA60F855DB085F13F68DFA15
                              SHA-512:D8FB96B40F7E562DFE5525F6D47382AC8C6AF60D7929FC33FD17EABD5284EA216D13E6D9750962065FB709B4CF57E8F17376F1FA4BFB5AB42416E9EC97FD574B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):237056
                              Entropy (8bit):6.022119165511294
                              Encrypted:false
                              SSDEEP:3072:OG30FmRDHgpn2IjMf5N5nt7i8U5aX9tvrXKZHOKyvy67XNuekvrPQkLsGA6zxDKw:Ofo2SNFxizAXvvrM6rNuJzQkLsGA6z
                              MD5:54A551D5777B54E65460C1F672F7B541
                              SHA1:7BBD6C78337AB11B09EFB6A0745804B63CFE8371
                              SHA-256:495109951834B2DC7AC899C67934C6CD5FD6310BFA71A8623F95F863752681B8
                              SHA-512:0C838C1F367EAB28B8A477609DECC5F6BA6646456F30A3C68016F4EC220FFEDC8EBC7047ADF7701B22DCB288244EFD30892920221E6C70D3E1186BE60BB5E313
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1159
                              Entropy (8bit):4.943551351262411
                              Encrypted:false
                              SSDEEP:24:q/o2e8ZF8+lKCyg0cjV3BavwalENgMyMcMLMjhJXMFhUK:/2e8z8+sCygfvlalIgMyMcMLMjhJuX
                              MD5:D0BD0AF99FDEB7D46A1EC02C68C16096
                              SHA1:44B1711245547E96775665DCAC7E996157BB6E82
                              SHA-256:F788865722BE5CB2B15AF313FA681AF3088E12BE83EC97729238FB9AA64AA063
                              SHA-512:BB8F6D69A9668FF18D7514900B7B2D12FFA2B606D4F6B01A1D79BA3EA3E0C073788A114A101D59189C02844FF187A42EE4D1D8F25F8734051FC1D95D47BCB683
                              Malicious:false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="release".. language="neutral".. name="Microsoft-Windows-Winsock-Core-Infrastructure-other-MinWin".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration .. replacementSettingsVersionRange="1" .. settingsVersion="1".. replacementVersionRange="6.0-6.2"... alwaysProcess="yes">...<migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%windir%\system32\drivers\etc [hosts]</pattern>.. <pattern type="File">%windir%\system32\drivers\etc [networks]</pattern>.. <pattern type="File">%windir%\system32\drivers\etc [protocol]</pattern>.. <pattern type="Fil
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1553
                              Entropy (8bit):4.8891786911208275
                              Encrypted:false
                              SSDEEP:48:22e8v+si4gfY8epj9Ou2w9nWfYTohjcKX:22CXcX9B2LFhjcU
                              MD5:E57A927C9D30C34CD05461A1380BA40D
                              SHA1:7BF6AA2909596161EF81A81791C22B1FC1A79093
                              SHA-256:28A1172B90FB2896D3DB1B47298E97B05C56C2D86FB04AE9D0F60FE58918AC4A
                              SHA-512:2130A89163CE8E9096F877AAFCB523DAFA34CF2057E5F79CEAB0DA024700DFECEB4C01C7FE4677A324706E2213789EC7D92AAEEF51213924EFE5F63A0E1F731A
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. language="neutral".. name="Microsoft-Windows-Winsock-Core-Infrastructure-Upgrade-Replacement".. processorArchitecture="*".. version="0.0.0.0".. versionScope="nonSxS".. />.. .. To ensure that the correct plugin bits are loaded during the "gather".. phases of an in-place upgrade, the following attributes must be updated.. whenever a fix is made to the "gather" code in WsUpgrade.dll:.... /assembly/migration/@settingsVersion.. .. This attribute should be incremented by one. Any new value must be.. mirrored in manifest located here:.. .. net\sockets\winsock2\components\wsinfra-upgrade.man.. .. /assembly/migration/@replacementSetting
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1042
                              Entropy (8bit):4.972436515664448
                              Encrypted:false
                              SSDEEP:24:p/o2e8ZF2YS+YQg0cjTi3m6jxMEF4rZ9AowwZ9AYBX0FCUK:22e8z2j+YQgfT3GxMY4rzAofzAYB2A
                              MD5:5DB4EFB8542FB978DE4E6B23D76208FC
                              SHA1:1FA6CF188CD2A87E59C48DFEEEDDE247411166A7
                              SHA-256:00AD53E65A5C0160DE5B7DDFA9E7DC4590CDD5F74768FAFB48253417D44438D5
                              SHA-512:C119A2C488C2F8B8B93D264008C3D1FA349E0F5BD180849582A0349D42F5ED97A59E1B45078E0E446D6F7DA0384BA9479C06106A52D5432E6A5B393F41AC727F
                              Malicious:false
                              Preview:.<?xml version='1.0' encoding='utf-8' standalone='yes'?>..<assembly.. xmlns="urn:schemas-microsoft-com:asm.v3".. xmlns:xsd="http://www.w3.org/2001/XMLSchema".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. manifestVersion="1.0".. >.. <assemblyIdentity.. buildType="$(build.buildType)".. language="neutral".. name="Microsoft-Windows-WwanSvc-ServerCfg".. processorArchitecture="*".. version="0.0.0.0".. />.. <migration.. alwaysProcess="yes".. replacementSettingsVersionRange="0".. scope="Upgrade".. settingsVersion="0".. >.. <machineSpecific>.. <migXml xmlns="">.. <rules context="System">.. <include>.. <objectSet>.. <pattern type="File">%ProgramData%\Microsoft\WwanSvc\* [*]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\WwanSvc\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.. </migXml>.. </machi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):53560
                              Entropy (8bit):5.986945377690695
                              Encrypted:false
                              SSDEEP:1536:scPKWAv3ch9lIVCt7g4z1GrcyXJ+3tkZgBvc4M5lx2PJ:7PKWAPch9lIcg4z1GgvJcB3x2R
                              MD5:D963D3AFD907A4CC053CE2D3F5A8153A
                              SHA1:1B2493B8DF3A27D202202E637D4968ED98BAD41B
                              SHA-256:58E4084CFEB4AE48424A762EF58991AE4C9C94DE8792DED5993DACF11E1BD9A1
                              SHA-512:C5C52D8444897E78C92D3E7D373FC2E94391E1EC416CBA295D583AC3DC0E8D0603B0680C88A0F0F22D9C4C7EF3106187CB56BDFE48DDB6F088FBB6CE6063DFBF
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):280408
                              Entropy (8bit):6.342028024368734
                              Encrypted:false
                              SSDEEP:6144:p4+4pOhIyjbBeYTKhKGWz0mkl3lBBR2/0UJhUSfwyoy:OzOhIyjYYo9YNKy
                              MD5:54F45B59C383B48873F7DB02AD2A0831
                              SHA1:AD15BC2A875809C35EB4FB9232EB74F4E3E42735
                              SHA-256:EE149E53B75727AF8ECDF7EAA0E613F07BE09628B8E085E08D79062C30378FCE
                              SHA-512:7EBD091E315889B9B19F6E23BFF9F2A368B97BB721EC28E68F7E21258268B73A3614140E1C54A7EA6E8101574164F6CB80420CFE8BAC5B91BA89CF60E6761758
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):74040
                              Entropy (8bit):6.058322538850327
                              Encrypted:false
                              SSDEEP:1536:OJexg+aL9/jqUf7yh0PREBm/RROaRG1P7LZ9:OAxgl9/5f7yh0p+m/R0aRG1TLb
                              MD5:F381F0A33752DB36515D828BBACD978E
                              SHA1:AD240F03417CC293DDA9D5D559F57D2F508C0F60
                              SHA-256:3C97FC107E8347E3744A9F56156A5C99D9DC52F122567E0E0C578563AAAA5515
                              SHA-512:DF3CB9AFDD7D496F1F3D1BC688052E3468974DB4393CC4C0C9B9F6CDC0067DD587CAA7B2F1FF10C84467EF6E6726AFECC4680420E24C646179697532651E1836
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):127288
                              Entropy (8bit):6.02443802049769
                              Encrypted:false
                              SSDEEP:3072:TpvKUBZc/G3oKa+oRDNBEetbrmcV2xf/oNRDuUlbv81:TRc/G3oKaL9WcV2ojDuUlI1
                              MD5:16982DD532B4BC9B17F14242DB311B7A
                              SHA1:7EC8975CE479921CAC5ED51775DD156C1BCC0360
                              SHA-256:31FE35CF37B49C657B3E2FF53A5307EF1DBDC2FBE09B87A40316C7A5D8E410B9
                              SHA-512:C7D59956D5C5C1D33124ADA180A82F72132131E13990A4F6299B223251C72FA0BF3B7ED0112362A20E5210B016021B658DA253403BB08F56E7AD53C005F7EA76
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):94208
                              Entropy (8bit):4.035369900725665
                              Encrypted:false
                              SSDEEP:1536:gu3LiLDLd/EbXiog8uC8nAyEiwJGJIJaAlxekk:gaUdKzg
                              MD5:3D6D37AAA7B0D06B2BEE8CFB138D39A9
                              SHA1:C7961BC8B5D07F6453CCD2ADE5CC5CB7267EE9A2
                              SHA-256:9CD2F4D102CB2C4A8B6D507467CDBAA6CE067819BC6124A2810843FC14208438
                              SHA-512:A11879E3A469B7266864BCA2503E0E8A16FA473283161440474F8A21BCAF4F949F4C46EEF8AEC2C2694C91362593D5C353EF5742154EA77171CDC24F2320C5F8
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):311096
                              Entropy (8bit):6.540248911561429
                              Encrypted:false
                              SSDEEP:6144:UBh0S61y82ET6xHK/A6hrO6ML7z64OGoZNf28D:VF1yAdA6hXOz6NG8NO8D
                              MD5:3FB793BF2FFA340C43B6CDEC18AA6342
                              SHA1:646988FB42ADACDB3EC01E1FCFADCBC09700C657
                              SHA-256:38FCE3468FB292873CDD7608EA61EB058DA47FF48F16EC23815D615AB745CC38
                              SHA-512:9C6DF977BEFC41B9902EAA9F92E4A2791E1F4BA910FFCFACCABDC189B379998B294EB17D94348D2322A8C5675D8B76D322138DEAE8069E0576DD68083E3E6F1E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:TrueType Font data, digitally signed, 24 tables, 1st "DSIG", 48 names, Unicode, \251 2018 Microsoft Corporation. All Rights Reserved.
                              Category:dropped
                              Size (bytes):955804
                              Entropy (8bit):6.789619530525311
                              Encrypted:false
                              SSDEEP:12288:oGXSVVAnRuOSQkZjAhtUesmRrgacWfoohKel9mv6rPCzq9KJBu8uQph+eDBkTlU:/XfnRu2kZAhJXfeWCTLpXph+eDBkTlU
                              MD5:D9076ED73F2501090DA92FE3C72D3CE6
                              SHA1:A132AFA6A9E4489E5758D9A23242D1AA69FC0464
                              SHA-256:BA32A222B23D727267CF1ABA4E5296FE84CE99B9D910915103FC085D7931BC88
                              SHA-512:8B9ADB493466E4CCCBAC798380F097C57E0488E334C5E61FF12E869027E49918DB7FF3B712B10431546D1A6A07E72366A3586CD69518DF42C11BD0BAF80B0B73
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):293184
                              Entropy (8bit):6.003829896563209
                              Encrypted:false
                              SSDEEP:6144:2qXaAoNOcG20bWiT65771zhQXJgzBU4GfjTFl:2Yyma7fagm
                              MD5:B72E46E65B0EB7DF5018A01E84AB0451
                              SHA1:E8070AD3544BE84C56CA6CC3F19A22457399C887
                              SHA-256:6C55CAAD297812D0919F550ED06493503E1571390BF8CAAA75037FBC529F074C
                              SHA-512:B31BCBF6B9074034F7740BDE3843E52D4C5D0449F2694411013EEB2DF7EC6EB68D5DCA6FE8E82ECAF80E892974A59F786523D0625F78DC974D78EC51AC7A25D7
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):383344
                              Entropy (8bit):6.184732198810084
                              Encrypted:false
                              SSDEEP:6144:TSDWxbEx9KcDIeRNh4vak32lB3XBKOul0xx8UBv9ZZ8j/o:fOIcWvak32lB3AOrLj58ro
                              MD5:1362B87ADDE52BD09984EEC239423469
                              SHA1:6F9BC646E1673734C1AEF5D9219438DB090BA10E
                              SHA-256:2CBE3491D91E10DC0FDCFD44D9F674949923D5B077A11290E602596525249BFF
                              SHA-512:2771A267EB1800B6D7492FD5F519F62411B9776C5F4AFEAFDC96556D1122C197A540D819E38CE0A016E632032A148DBB99FE5E4893FF01762C5F67DC9BF1AEA5
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):2345304
                              Entropy (8bit):5.895289721952274
                              Encrypted:false
                              SSDEEP:24576:3hyphyFK9OcgftfpqLWPxcJBzkj6345lBtRfxHGuftYsOKv39sUDnIV11Lv:DhuBzkQ45PtDB1JSUDnIVj
                              MD5:C6D63005843F50470F6F6D9F260DF924
                              SHA1:6BAF9A910928ABCAA1A03A98F7758F4FE122C8DD
                              SHA-256:FADA8E7859E6C2C0C8ABB2171C5C01306E38FED18FDD47275DED2E0F54E047E3
                              SHA-512:77751DE05614D4ABEEBAFB36C35B15AC4AFB1DC94EF9BC5C8702EBF0BD40061E3F552059E8B477D73D944B6A40EF7E8CFF1CB374C595B5571B2DBFE9C03531BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):570744
                              Entropy (8bit):6.058811572863011
                              Encrypted:false
                              SSDEEP:6144:mAuW8Iio4wo+aLurwUJ+nHxeBi8eDVeBi8eDSeC+DeeAeBi8eDrpqQ:aIigo+qw9
                              MD5:C766853E9158449855B5D9CC0925904B
                              SHA1:9CD986CBCA432E46D2A34EA54CE69A7066FCB342
                              SHA-256:956314CE4ABF95CB91FF32BCA737A615DC38BCB1FB349A96E4E4FA5FD64252CA
                              SHA-512:06C5DE1113F5FF7F718A11B927DFD59D0538C88807809D700A342F589BBA274D233FD83C0FD86C588AE2EA54E7C0B45179EE0C0DA1DDD85D9E430734FB6DC504
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):88080
                              Entropy (8bit):5.841487061955152
                              Encrypted:false
                              SSDEEP:1536:WHeSqLQIoYXnrY8gIVphD0i5UOigfol4P:xvXnk8gIVphQi5UJgwS
                              MD5:1C0EB583A41F5E93F741941D192E67DC
                              SHA1:FE7FAC217FC5DA4BF3BEFC80AE6650B2249BE781
                              SHA-256:F751885BBE349282D27E7589E69C673453A83321199ABA730CB1932577B87AAE
                              SHA-512:7871FCB2CF5EE70BD513355A0573744D80819789B6DF0DABF825268187832FAB1E0CC884F7FD5934F84CF7CD526890F40E394FB6F9ADCA17D2676A7D94D683EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):885096
                              Entropy (8bit):6.259003881924374
                              Encrypted:false
                              SSDEEP:12288:ba/969w7tCOqzOEve8M8TPkUyKpl9T7CfNknwutVCDwwRRagK:eF69w7EOxEZTZyKttDtUwOwz
                              MD5:4E6093CC33BA18952698D7244B84A364
                              SHA1:EC696283AA8ACA80A2DB0396F36B37B1033E0130
                              SHA-256:6DECDC0E295F2246D684480C10266C067CBD60C03AF702505B7B3D045E81DF18
                              SHA-512:BD0741D8D8484531C14602F32B6552A0EF9B5E290ED9D9C2008FFC80E879F6DEA410D4D88E3E4DB1BF2C51ACF1722871DA45AD8C041D15AA6C1976ABE0F8075B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):989528
                              Entropy (8bit):6.313894559577917
                              Encrypted:false
                              SSDEEP:12288:T2EuCslyrnkGZdhxGlmAr7gweyYlpEGly9i4nf8x49q2Xk6rt:T2IsiTqdr1eyCEGUUW9q2UQt
                              MD5:A0C9056C16AA4CB930C83610C0756EA3
                              SHA1:5467BF525B47A72E25C11FE06CF7ED182921DECD
                              SHA-256:3CE6E795668A30B523A91634953BB55835F1CF9C5AE69DF27CC96F979E4B0BC6
                              SHA-512:BE3306D5E895D75BFE79870EC0FC2554AFC8208238BB5BC70A311C84887C743E49FD8F716A1AE9748E7AF5E6DF3B437EDC2A895661A9BB948911E8DF9AA687BB
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):10452
                              Entropy (8bit):5.444136787913199
                              Encrypted:false
                              SSDEEP:192:seqadKxSRlb3dY/e7sxzs7c6i19WO7hD26BV+btnQfz/:sjmTrq/e7s1vpMvoz/
                              MD5:033E7ADC314C248CC29A9F14906C21E5
                              SHA1:6B31F8A23514B4E98217CD05BE08E7967ECA7048
                              SHA-256:C40FDDBB16853406D12D30E01E170DE8474728BB8EC24794DB721DE0A7F67927
                              SHA-512:46B46D548F5A2269E886A9F6873D97549EEB92C7294114C62BAF7805AC423E4D3AA3A50CD7B3294BE03E22C271F6BEF1134ADF797D9F838962EF5B42E8ECD19E
                              Malicious:false
                              Preview:;..; This section describes the footprint dependencies..; of various platform sections..;..[Dependencies]..Basic =..Servicing = Basic..ICB = Basic, Servicing..Migration = Basic....;..; Each element in a footprint section can be one of three things:..; - File name: this must not ending in '\'...; - Folder name: this must end in '\'...; - File pattern pattern: these can contain wild cards...; These pattern should be one of the format..; accepted by FindFirstFile()...;......[Footprint.Basic]..diager.dll..diagtrack.dll..diagtrackrunner.exe..reagent.admx..reagent.dll..reagent.xml..setupplatform.cfg..setupplatform.dll..setupplatform.exe..unbcl.dll..wdsclientapi.dll..wdscore.dll..wdscsl.dll..wdsimage.dll..wdstptc.dll..wdsutil.dll..WinSetupBoot.sys..WinSetupBoot.hiv....[Footprint.Basic.Delayed]..*-*\reagent.adml..*-*\reagent.dll.mui..*-*\setupplatform.exe.mui..*-*\wdsimage.dll.mui..du.dll..ReserveManager.dll......[Footprint.Servicing]..dismapi.dll..dismcore.dll..dismcoreps.dll..dis
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):9574736
                              Entropy (8bit):6.111622197355509
                              Encrypted:false
                              SSDEEP:98304:d3vPK1pcUSQldBGZSJfyiY1p2/DmjFEyTEAvC18b3ST/PsL9iZ8:BvPK1pcULdBGZSJfx/DmjFEXAvIjZ8
                              MD5:9E6026F43F9CCD49F5224BF7F3DBC8C8
                              SHA1:46AAC10C15A2BC2D5900DD83172FF08778D0CC42
                              SHA-256:9480C533D6E77A1F499353025DFD06FD35336B8B4A87DE1EE6E62A3C9B3D9E36
                              SHA-512:B2A5E205E5665F79BE43C5FEB68E8E3B69736E656363DDBC96F928B7552BEBA071D63F0FB0EBD00337367DFE85D5A0164290C71BD5A496A8F5A915F8E66B5891
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):170832
                              Entropy (8bit):6.192933384831558
                              Encrypted:false
                              SSDEEP:3072:bDXevsozX5Yc+9nS2Gr5P57NnpO7SBROwzcTiJ:bDXgso75Yc+lS2O5P5ZN
                              MD5:98BF312C55EFC4AD553E504AD50E7D69
                              SHA1:1936A4949B7AC6A3826C223B1D01EE4AF7E993DF
                              SHA-256:3A1C36940A3861BDA46BC80B237249D12912CA04F8B2A9CFE03A14C04CB668A6
                              SHA-512:BCE95538A3105B41A4428938DA0C5EBA5F40EF53010EDC8C6B0C8C29D5C9E31583BB94495562E25DA63360435171FEDA877F66F37A5BEE3F8D0F3CBFB6E2BD76
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):10866544
                              Entropy (8bit):1.9035921692313216
                              Encrypted:false
                              SSDEEP:24576:ptG/CbkN8lkTj/b+yj8y8yIrMl3z0VdwmTRj9n5v:ptG/Ck8lq/b+yj98y7lo5v
                              MD5:F6A7DA9B18E9B81D66C9C9364CE4CBC3
                              SHA1:5DAFC3040DE95C773A1C2771896EA1E7E180E19A
                              SHA-256:A76F65088E646A73CDC03C271C112967E415947AC4F08C3F51C1CC4EDDCE7993
                              SHA-512:5468A244A0A44B4511FAC903F4974FB56A1544B03A7F80120CB67C993C69C93462622F5F40922C347EBE887B75BBAF2196F8EA14344D7662387571461D4A3EC0
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1824
                              Entropy (8bit):4.199017495536647
                              Encrypted:false
                              SSDEEP:48:4huYMx6gqwKbckUpTA6G/E1iydLOsvZxNtQGu:4h0qwvkOTAqQFaDQGu
                              MD5:4A528871437134C9DA7FAE8AC45FBE95
                              SHA1:FDE2088201614868C7C7B7E629D5CE9BEFC1A4DE
                              SHA-256:62FD3F79869EBC0E1C2807F85CEA69E40063A7E5E4BF852B717AEDEDC90B18C9
                              SHA-512:B4295029CD4A5CD079E235118BB6F06B90115F4722ED1759B8533B0E843C38E27C59E505E8760B31F39B9F1F80D5EFE8E06471E35E450355E32822EE3760A793
                              Malicious:false
                              Preview:af..af-za..sq..sq-al..gsw-fr..am-et..ar..ar-dz..ar-bh..ar-eg..ar-iq..ar-jo..ar-kw..ar-lb..ar-ly..ar-ma..ar-om..ar-qa..ar-sa..ar-sy..ar-tn..ar-ae..ar-ye..hy..hy-am..as-in..az..az-cyrl-az..az-latn-az..ba-ru..eu..eu-es..be..be-by..bn-bd..bn-in..bs-cyrl-ba..bs-latn-ba..br-fr..bg..bg-bg..ca..ca-es..zh-hk..zh-mo..zh-cn..zh-hans..zh-sg..zh-tw..zh-hant..co-fr..hr..hr-hr..hr-ba..cs..cs-cz..da..da-dk..prs-af..div..div-mv..nl..nl-be..nl-nl..en..en-au..en-bz..en-ca..en-029..en-in..en-ie..en-jm..en-my..en-nz..en-ph..en-sg..en-za..en-tt..en-gb..en-us..en-zw..et..et-ee..fo..fo-fo..fil-ph..fi..fi-fi..fr..fr-be..fr-ca..fr-fr..fr-lu..fr-mc..fr-ch..fy-nl..gl..gl-es..ka..ka-ge..de..de-at..de-de..de-li..de-lu..de-ch..el..el-gr..kl-gl..gu..gu-in..ha-latn-ng..he..he-il..hi..hi-in..hu..hu-hu..is..is-is..ig-ng..id..id-id..iu-latn-ca..iu-cans-ca..ga-ie..xh-za..zu-za..it..it-it..it-ch..ja..ja-jp..kn..kn-in..kk..kk-kz..km-kh..qut-gt..rw-rw..sw..sw-ke..kok..kok-in..ko..ko-kr..ky..ky-kg..lo-la..lv..lv-lv..lt..lt-lt
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1644
                              Entropy (8bit):3.334309105799331
                              Encrypted:false
                              SSDEEP:48:WvoibcltahiSfcisX8gG4pG1u4M5uLPCCU:yIyhicQ834paXLKCU
                              MD5:1E823A16FDD076B81589CF5420CE05A0
                              SHA1:1230A6E8BAD3D8AA866C34034460A8A799988F69
                              SHA-256:5992B42BCB2B832D1F7C35BE71923BA8BF4A8FE5DE556F05F179DEAC0227D269
                              SHA-512:4EE72A831B6AB5C6C0CB5D111AAAFF4714ADC557DAB6E1B21FC15FF5F4D78B1806714192A659079F7C08B716070C1F97E758413FACA33A758AF43B38271ABC80
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5593408
                              Entropy (8bit):3.5617891984995014
                              Encrypted:false
                              SSDEEP:6144:cvLTw8cX4sjD3LRlNpTnfnbD/7B1pNGShVc4i2Zd0gLzvLTznCXPT5CkeLpXEMxv:cv0TznhEN6FoAXujp1I
                              MD5:12C1F3F174033BA30A19A27F4350689F
                              SHA1:59F398E45B35D09E205BF0D6B3609A4E2E0FF3FC
                              SHA-256:69A1C64746521BDB4F5AD17E9D604F6B76D3343D60A6AE1FD36E1E0CE5C44C0A
                              SHA-512:046962AF1EF909F50BA8905F3A83D691DE02E6018CACE5B9ED0F9DE52C4475BBDA9497DF3B49AF02930EBBC10B27DA1CB87B7166EE64F15CF7AD8F09DD17FAF4
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1703368
                              Entropy (8bit):3.546026643679508
                              Encrypted:false
                              SSDEEP:3072:agj2gd3ksUXUO0A06UgUE0nX067n13fv1fZzvC4fNG/1v/tX3H1PganTBfio3VXT:9dhJFOp4ro/
                              MD5:E1C384B279B5E934E40661D75F168269
                              SHA1:01FD3190B7F001EC885F84EB9F85B9EC63C94929
                              SHA-256:54150B3B8690FBD541116AD101FB326624937A35DA144E292F33C773AF102B32
                              SHA-512:EDB12624C48744538C6F4C53B6E84B95D233C48C8617176A40C325E597F60864187503CDC17CCAD763C599885E2DF845154102F5F0EEF09804690E3FC7C4185E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2608858
                              Entropy (8bit):3.5683631434321583
                              Encrypted:false
                              SSDEEP:24576:aHPc8dVZxNFnvu+VthZQQRJc8pBtl3/+O/nOeGWJhMsP371NxYpMU:L
                              MD5:1D3D2C7C5548E34FEC5C6945E2E3A076
                              SHA1:9F2B2796AFBA9795D7E91DEDAEA4F13E3A9DD318
                              SHA-256:B887D4FF129AF5B565FCB6D757EB4E992C23F5C8B430180CBD448D42A8B90453
                              SHA-512:23AE86686671AECC9C69B2A24A8C7259C6236EE3132983B7158E5C63BA7EB1493A7E94A74106B562BAACBCAC775F4EE25BD84A2F3B1D5DB68B1D0EACEA2CAE35
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):954436
                              Entropy (8bit):3.5292158657548267
                              Encrypted:false
                              SSDEEP:3072:Ngq2gd3ksUXUO0A06UgUE0nX067n13fv1fZzvC4fNG/1v/tX3H1PganTBfio3VXB:Po19VTVdqQ2+
                              MD5:E4075D73F36ABE56C18AA6C3BA778DD3
                              SHA1:3BB26208CB5AA6F2D6B40EF08E2C1FAEF39B192F
                              SHA-256:D764E36840884484FA4FA9E5D43A7A2298B0C0F0D69D3553D9EAF8BB273ACD56
                              SHA-512:2B34633E3498F8F6F7DBBF4A9037DFF2FF50D7D5FB7B166DC369369882AC02E24171C037339EA5E268CA2A72E183060C9BD85EAB4CE390E2512C5894F0F08796
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3172904
                              Entropy (8bit):3.5557030073016485
                              Encrypted:false
                              SSDEEP:6144:Ko7Ky+KCGMYAYkcgEO6GCBVua7/FRWyD30swvYfIQsBWeLpXkxOgZUN4R:KosYq4UNE
                              MD5:B5C24F0E3B815E89B5503A7F598DBCDC
                              SHA1:3654549958B084A90A16605B0EA73452802170CC
                              SHA-256:F64223FA7895093765F5EF225801E00C863AA10CC45D3D45D4F0AABA0C41A509
                              SHA-512:0153FDA8266DD8BE55A76379E1EEEAB819EDBA66A246D4543560402D5A3B40E57AD4B2DB938C9120998F351F0266D067896E9AF34F37483DFD344AB33F7E9ADD
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1150134
                              Entropy (8bit):3.514628408186966
                              Encrypted:false
                              SSDEEP:3072:Ngn2gd3ksUXUO0A06UgUE0nX067n13fv1fZzvC4fNG/1v/tX3H1PganTBfio3VX9:fzBCsEMqpEIG
                              MD5:59799AC7D0402D3B99264D40348CF9B1
                              SHA1:9F9D6C1019CF75395F63BD44DEDFB86C4E743B11
                              SHA-256:FDE6CADC43923E4F0409ECECC3F3C4125748C644B29635D7C5A8E98AAE168C79
                              SHA-512:B70D69A1201ADA54D38D5024D7CADC9E92696F64EABA2F1A6483A9F3A205C407F0F2F9B00A60BF1E5360E57C6F4BBBBF151F80FE2C6287B550131494209F3A66
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4935438
                              Entropy (8bit):3.5614793993198903
                              Encrypted:false
                              SSDEEP:6144:h6LBiu16exRxFxSymLwEsoi2O2qyuKA0os/LgUFB7P4cdJ6C+SapGlmeCKHnzGDg:h6capGcWEZk
                              MD5:1C8E9B4F47287A640104E5EC4A8C7A57
                              SHA1:CF1C0DFB68D9BC0A38BC7BD00BF0FF36007CEEC6
                              SHA-256:58196F85FD475B819656A213E08C171593119FACCE62F875A3A3A9E6B358835E
                              SHA-512:59CD5060A7B7DA3AA58246338094541C83383B856B9CBD435A025F2AB7BDA23FA85F41024F85A89C839AB7087F6F07CACE55EE3BB1BA99F7FEA6992A5D194971
                              Malicious:false
                              Preview:..1...0.....1.0.\.!.c.|.b.f.s.v.c...e.x.e...m.u.i.....1.0.\.!.c.|.b.o.o.t.f.i.x...b.i.n.....1.0.\.!.c.|.e.x.p.l.o.r.e.r...e.x.e...m.u.i.....1.0.\.!.c.|.h.e.l.p.p.a.n.e...e.x.e...m.u.i.....1.0.\.!.c.|.h.h...e.x.e...m.u.i.....1.0.\.!.c.|.n.o.t.e.p.a.d...e.x.e...m.u.i.....1.0.\.!.c.|.r.e.g.e.d.i.t...e.x.e...m.u.i.....1.0.\.!.c.|.t.w.a.i.n._.3.2...d.l.l...m.u.i.....1.0.\.!.c.|.w.i.n.h.l.p.3.2...e.x.e...m.u.i.....1.0.\.a.d.a.m.|.a.d.a.m.i.n.s.t.a.l.l...e.x.e.....1.0.\.a.d.a.m.|.a.d.a.m.m.s.g...d.l.l.....1.0.\.a.d.a.m.|.a.d.a.m.n.t.d.s...d.i.t.....1.0.\.a.d.a.m.|.a.d.a.m.s.c.h.e.m.a...c.a.t.....1.0.\.a.d.a.m.|.a.d.a.m.s.c.h.e.m.a...i.n.i.....1.0.\.a.d.a.m.|.a.d.a.m.s.y.n.c...e.x.e.....1.0.\.a.d.a.m.|.a.d.a.m.u.n.i.n.s.t.a.l.l...e.x.e.....1.0.\.a.d.a.m.|.a.d.a.m.w.i.z.a.r.d...d.l.l.....1.0.\.a.d.a.m.|.a.d.s.c.h.e.m.a.a.n.a.l.y.z.e.r...e.x.e.....1.0.\.a.d.a.m.|.m.s.-.a.d.a.m.-.u.p.g.r.a.d.e.-.1...l.d.f.....1.0.\.a.d.a.m.|.m.s.-.a.d.a.m.-.u.p.g.r.a.d.e.-.2...l.d.f.....1.0.\.a.d.a.m.|.m.s.-.a.d.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2636850
                              Entropy (8bit):3.524175398596299
                              Encrypted:false
                              SSDEEP:3072:2kPJg22gd3ksUXUO0A06UgUE0nX067n13fv1fZzvC4fNG/1v/tX3H1PganTBfio+:8LiztTO1sCKikhKIbZUFeLpXVjf7j
                              MD5:CC79FDB16133BA1265136A9864ED52DA
                              SHA1:F7607A545C8A150661794F5562724EB32EC61438
                              SHA-256:346092F15EE47F1C979BDC2FCE5ED64A50418BE58AEC7032460EF229C461DFBA
                              SHA-512:C3D89B96DFFDF414F390EDB9079DF8805FC819BF0230823E26A718B154E642389A73EFCB7F4B349FB87A6DF34AD436D34FDBDBEE2D888150C96F6C057DDF7982
                              Malicious:false
                              Preview:..1...0.....1.0.\.!.c.|.b.f.s.v.c...e.x.e...m.u.i.....1.0.\.!.c.|.e.x.p.l.o.r.e.r...e.x.e...m.u.i.....1.0.\.!.c.|.h.e.l.p.p.a.n.e...e.x.e...m.u.i.....1.0.\.!.c.|.h.h...e.x.e...m.u.i.....1.0.\.!.c.|.n.o.t.e.p.a.d...e.x.e...m.u.i.....1.0.\.!.c.|.r.e.g.e.d.i.t...e.x.e...m.u.i.....1.0.\.a.d.a.m.|.a.d.a.m.i.n.s.t.a.l.l...e.x.e.....1.0.\.a.d.a.m.|.a.d.a.m.m.s.g...d.l.l.....1.0.\.a.d.a.m.|.a.d.a.m.n.t.d.s...d.i.t.....1.0.\.a.d.a.m.|.a.d.a.m.s.c.h.e.m.a...c.a.t.....1.0.\.a.d.a.m.|.a.d.a.m.s.c.h.e.m.a...i.n.i.....1.0.\.a.d.a.m.|.a.d.a.m.s.y.n.c...e.x.e.....1.0.\.a.d.a.m.|.a.d.a.m.u.n.i.n.s.t.a.l.l...e.x.e.....1.0.\.a.d.a.m.|.a.d.a.m.w.i.z.a.r.d...d.l.l.....1.0.\.a.d.a.m.|.a.d.s.c.h.e.m.a.a.n.a.l.y.z.e.r...e.x.e.....1.0.\.a.d.a.m.|.m.s.-.a.d.a.m.-.u.p.g.r.a.d.e.-.1...l.d.f.....1.0.\.a.d.a.m.|.m.s.-.a.d.a.m.-.u.p.g.r.a.d.e.-.2...l.d.f.....1.0.\.a.d.a.m.|.m.s.-.a.d.a.m.s.c.h.e.m.a.w.2.k.3...l.d.f.....1.0.\.a.d.a.m.|.m.s.-.a.d.a.m.s.c.h.e.m.a.w.2.k.8...l.d.f.....1.0.\.a.d.a.m.|.m.s.-.a.d.a.m.s.y.n.
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):11365
                              Entropy (8bit):5.558046021634761
                              Encrypted:false
                              SSDEEP:96:E6/EtyP9A1v0X0yFASmOavSc+0LZLSGB11mkgGD+tHcZixba/CnlfoO1vWDZWk2a:E65dxnckMcba/Ci267
                              MD5:96E3968B2A96EC5BC2CE4575408323D1
                              SHA1:3954E0618EDB8EA3E03832657829F5D2F18E598E
                              SHA-256:3327A617F53AFB0EA072FBF8336411A0E6893EB17258B744883D0DA9CBA9794A
                              SHA-512:F748747665171022F4A3A2A0FC1E29DEF3C8AAEF8373C8887131DACEA9D87A6F5A657C48F8D50879808F1FA693A4B35A4A24633144CE73B9F71D942C79FA55CC
                              Malicious:false
                              Preview:[System.File].."%SystemRoot%\WinSxS\* [*]".."%windir%\^$NtServicePackUninstall^$\* [*]".."%windir%\^$NtUninstallAwayMode160^$\* [*]".."%windir%\^$hf_mig^$\* [*]".."%windir%\$xpsp1hfm$\* [*]".."%windir%\^$MSI$Uninstall_$^$\* [*]".."%windir%\^$NtUninstall$^$\* [*]".."%windir%\ServicePackFiles\* [*]".."%windir%\i386\* [*]".."%windir%\IE7$\* [*]".."%windir% [kb*.log]"...."%SystemRoot%\Panther\* [*]".."%SystemRoot%\Prefetch\* [*]".."%SystemRoot%\Tracing\* [*]".."%SystemRoot%\System32\wdi\sqm\* [*]".."%SystemRoot%\system32\migwiz\* [*]".."%SystemRoot%\syswow64\migwiz\* [*]".."%SystemDrive%\build\* [*]".."%SystemDrive%\InstalledRepository\* [*]".."%SystemRoot%\system32\config [bcd-template*]".."%SystemRoot%\system32\config [components*]".."%SystemRoot%\system32\config [default*]".."%SystemRoot%\system32\config [drivers*]".."%SystemRoot%\system32\config [elam*]".."%SystemRoot%\system32\config [fp]".."%SystemRoot%\system32\config [sam*]".."%SystemRoot%\system32\config [security*]".."%SystemRoot
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):169870
                              Entropy (8bit):4.828937844311319
                              Encrypted:false
                              SSDEEP:3072:xi1vkPFvEgOlc1s/Wylbo+iI/B6LMGMlraIpu9zz0ukeoCED12F7SpvuMzl1rgan:xi1vkPFvEgd+iI/B6LMGMlraIpu9zz0Z
                              MD5:AAA1B380CF57E2CE8E0FB4F35FA9AF86
                              SHA1:3DE662DDBE82C1CBD65505FED5932B377A1E640E
                              SHA-256:6855B010CD099583C69278AC1725FFB9A88C84CD43686777C2FDF78DDF3EC249
                              SHA-512:1FD1B3265B5650A67EB599222E3A8C4B31DCB2498FC2B4F11705EC7FACAF931BF90AA26BE9FCB77AEB9CA5DFB7554498DE4B2D8903C4EA8934D4F3952072237F
                              Malicious:false
                              Preview:[System.File].."%SystemRoot%\system32\inetsrv\asptlb.tlb[2]".."%SystemRoot%\system32\spool\drivers\* [PrintConfig.dll]".."%SystemRoot%\inf\nfssvr\$ [dsctrs.ini]".."%SystemRoot%\system32\$ [nfsmgmt.msc]".."%SystemRoot%\Diagnostics\* [*]".."%ProgramData%\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC [desktop.ini]".."%SystemRoot%\system32\Tasks\Microsoft\Windows\Windows Activation Technologies [ValidationTask]".."%SystemRoot%\system32\Tasks\Microsoft\Windows\Windows Activation Technologies [ValidationTaskDeadline]".."%ProgramData%\regid.* [regid.*.microsoft_Windows*.swidtag]"....[System.Registry].."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTask\* [*]".."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline\* [*]".."HKLM\SOFTWARE\Classes\Microsoft.InternetExplorer.Default\* [*]"....[System.GAC].."
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):17396
                              Entropy (8bit):5.039756098059212
                              Encrypted:false
                              SSDEEP:384:7pLphXg4sJib6FZsva8VkAGVi/creZAEP0dpwc+QumMe8/weGrbwHcZ2A6jsxb2k:7x/03I6LpuzE2SOon
                              MD5:E28E29F84B280DD94233A7AEA09E31C6
                              SHA1:76E77254ED23B04C661289D5FC49EEAAB0E04988
                              SHA-256:04BA947E26BCF845F5C460CE5E90325CF9E1B4F6D8B04F6091982AE394C1C401
                              SHA-512:7EBFD0C5C0175BA69448135EDF24D734435061E99B79459897C85E68DE3F39427CA0E4DA1ED7D41270FF6D097C27A4957370D28194F5B0209843BE067B60B8A2
                              Malicious:false
                              Preview:[System.File].."%SystemRoot%\inf\nfssvr\$ [dsctrs.ini]".."%SystemRoot%\system32\$ [nfsmgmt.msc]".."%SystemRoot%\Diagnostics\* [*]".."%ProgramData%\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC [desktop.ini]"....[System.Registry].."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTask\* [*]".."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline\* [*]"....[System.GAC].."[accessibility, version=2.0.*]".."[aspnetmmcext, version=2.0.*]".."[auditpolicygpmanagedstubs.interop, version=6.1.*]".."[bdatunepia, version=6.1.*]".."[blbmmc, version=6.1.*]".."[blbmmc.resources, version=6.1.*]".."[blbproxy, version=6.1.*]".."[blbproxy.resources, version=6.1.*]".."[blbwizfx, version=6.1.*]".."[blbwizfx.resources, version=6.1.*]".."[cfscommonuifx, version=1.0.*]".."[cfscommonuifx.resources, version=1.0.*]".."[comsvcc
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):79818
                              Entropy (8bit):4.863092962328409
                              Encrypted:false
                              SSDEEP:1536:EPMPFV1zYI/B6LMGpu9zz0ukeoCED12F7SpvuMzl1rgaqIQnjUon:EPMPFV1UI/B6LMGpu9zz0ukeoCED12F7
                              MD5:3E4CE9D6FA0B53E62D618468A40CF13F
                              SHA1:A78BE0BE6808BA05330DFD1810BD4B94165D7751
                              SHA-256:DF5DB5034ECC3BC8A00E98B4C1BDF8FA2C299DAED8B895D6BBC4F2378D60FFD0
                              SHA-512:ABF5AF0239F16FEE7D09CB3BF5A8D38EF80F5399FD6C9204E0108EF02186E498CBDD2BB5B0514A2C34FEE0F8834B2B0C220330E2F55E705FCB24A37C0C266C9C
                              Malicious:false
                              Preview:[System.File].."%SystemRoot%\inf\nfssvr\$ [dsctrs.ini]".."%SystemRoot%\system32\$ [nfsmgmt.msc]".."%SystemRoot%\Diagnostics\* [*]".."%ProgramData%\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC [desktop.ini]".."%SystemRoot%\system32\Tasks\Microsoft\Windows\Windows Activation Technologies [ValidationTask]".."%SystemRoot%\system32\Tasks\Microsoft\Windows\Windows Activation Technologies [ValidationTaskDeadline]".."%ProgramData%\regid.* [regid.*.microsoft_Windows*.swidtag]"....[System.Registry].."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTask\* [*]".."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline\* [*]".."HKLM\SOFTWARE\Classes\Microsoft.InternetExplorer.Default\* [*]"....[System.GAC].."[aagmmc, version=6.2.*]".."[aagmmc.resources, version=6.2.*]".."[accessibility, version=2.0.*]".."[accessi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):91635
                              Entropy (8bit):4.850814063059541
                              Encrypted:false
                              SSDEEP:1536:fP+PFACpnI/B6LMGMlraIpu9zz0ukeoCED12F7SpvuMzl1rgaqIQnLTon:fP+PFACJI/B6LMGMlraIpu9zz0ukeoC0
                              MD5:9BCE69B462B47651F5CFA4110DCE4C49
                              SHA1:64075D54F4018DB101F0B3230CDC24955BAC6174
                              SHA-256:107DDA64EDAC1FCB93A94177386B64511DDEC7D3AB2F74FDA7F2AAAB7DCB106D
                              SHA-512:CA53E0644227E436D423D5F95668566C9F2D9189E4632F84C5F3C69354A2F957CDCADCA78C3A1EA2AC9803CDBCB8CBF38DEBFE370BB68F3EA530A01B2374FF35
                              Malicious:false
                              Preview:[System.File].."%SystemRoot%\inf\nfssvr\$ [dsctrs.ini]".."%SystemRoot%\system32\$ [nfsmgmt.msc]".."%SystemRoot%\Diagnostics\* [*]".."%ProgramData%\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC [desktop.ini]".."%SystemRoot%\system32\Tasks\Microsoft\Windows\Windows Activation Technologies [ValidationTask]".."%SystemRoot%\system32\Tasks\Microsoft\Windows\Windows Activation Technologies [ValidationTaskDeadline]".."%ProgramData%\regid.* [regid.*.microsoft_Windows*.swidtag]"....[System.Registry].."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTask\* [*]".."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline\* [*]".."HKLM\SOFTWARE\Classes\Microsoft.InternetExplorer.Default\* [*]"....[System.GAC].."[aagmmc, version=6.3.*]".."[aagmmc.resources, version=6.3.*]".."[accessibility, version=2.0.*]".."[accessi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):165729
                              Entropy (8bit):4.829872920401709
                              Encrypted:false
                              SSDEEP:3072:/i1vaPFvEg7lc1s/Wylbz+gI/B6LMGMlraIpu9zz0ukeoCED12F7SpvuMzl1rgaC:/i1vaPFvEgV+gI/B6LMGMlraIpu9zz0M
                              MD5:10F5607F51727F176D38D0BE46349D58
                              SHA1:C724AA4459BBB40FA49615484AA59DC245B8FB24
                              SHA-256:5FCEA6F30E9C892B995F544B61DA21338CB236AEA717CBA1897828D5A0A62C37
                              SHA-512:FF5B574E602DA91C660353ECA28915A205345CCB0DDA07E7AB32366E374DA355B0F8BC9BD8BE6F4DD2D2439A03FC0D264871D00744CC136DA8118BB732D73C94
                              Malicious:false
                              Preview:[System.File].."%SystemRoot%\inf\nfssvr\$ [dsctrs.ini]".."%SystemRoot%\system32\$ [nfsmgmt.msc]".."%SystemRoot%\Diagnostics\* [*]".."%ProgramData%\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC [desktop.ini]".."%SystemRoot%\system32\Tasks\Microsoft\Windows\Windows Activation Technologies [ValidationTask]".."%SystemRoot%\system32\Tasks\Microsoft\Windows\Windows Activation Technologies [ValidationTaskDeadline]".."%ProgramData%\regid.* [regid.*.microsoft_Windows*.swidtag]"....[System.Registry].."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTask\* [*]".."HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline\* [*]".."HKLM\SOFTWARE\Classes\Microsoft.InternetExplorer.Default\* [*]"....[System.GAC].."[aagmmc, version=6.4.*]".."[aagmmc, version=10.0.*]".."[aagmmc.resources, version=6.4.*]".."[aagmmc.resour
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):870200
                              Entropy (8bit):6.237610371046984
                              Encrypted:false
                              SSDEEP:12288:3gSUYeE8qGHUBOUW1pAj2xgRdggigMCXgiZ9CwgWMKTWvpA/UU:3VF8THUBOUWfAj9ikXXZ7gThA/UU
                              MD5:DC4D9F4D7D12ED8CBBBF3DBB3D147953
                              SHA1:69FF9FD014CD7CFEE2BC0DF8C2225C2F71A36A5E
                              SHA-256:046663B3959CEF8A09E81491ADC89E020D77C3C4F3A0632A2E4F3F89BAE99D37
                              SHA-512:A056312BBC1E451C600075EE9258491DE459D360EBEB983FB10EDE9A4B01EDB6086AF932860DF27A008E180228711CE22E437175A39EDA8E6EA63325FE644FE1
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):35640
                              Entropy (8bit):6.139213249566809
                              Encrypted:false
                              SSDEEP:384:QDP3n0F9jCsCwroQHHy2ab2RI+90IOmsg0yXcAGycU4cbE2aNpX4Vw8lgtYxPkqH:Qr305CjuHvsIO4OpIhJytYxuSI1PDO
                              MD5:D000F7AB4E4BFA21FBC0A1BB61BF364B
                              SHA1:7E1A497639B0211753D59B83944472B237B31CA9
                              SHA-256:1A57DF8E04509E04B6267CBF7ACA225C3733DE646856FA68C32732F7818A5D8E
                              SHA-512:F5CD77463504CB38688E12FAF57E08DAAD90A70594BE12035804A6516A95D5FB2EFEBB8B6CAF663C4D2519239F31FC7155F909FE953FC3A775760E652DA78029
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):60728
                              Entropy (8bit):4.664477604373485
                              Encrypted:false
                              SSDEEP:768:FmsL4eun630vgyahbgRTwC5m4BCW9HjVjUj0m9yJFI1PoBETN:Fmp2harmmCeHjVgj0qyUPVN
                              MD5:BA6E0E6B9B30F4EA9BED6E1ACFCF0BD3
                              SHA1:3E1711923FC52077CEAB6554DDEE5DBA47D5D04E
                              SHA-256:F4C963161A620C3FDC324C3DF86ED7C86F5DF9910E8D0363D310A076E9054DE1
                              SHA-512:0471AF50524C338FB61DEC6E016D93EEC2A76E241635ED2050BDA6B366790A8E28814D4875950E3C0C07E7A1304C06F6B8F99AAAE40CCC5F3820A424AC18A05B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):528400
                              Entropy (8bit):6.192414966410511
                              Encrypted:false
                              SSDEEP:6144:PFdA8W6XZ3FTRs80h1nEfEW2LWZj+KXWwkpfrYGDDBUS3j1xruw2t:PmaZ3FjU1lCRXWZ3uZ
                              MD5:BE61DE5DB11230159CB9975D84D045F9
                              SHA1:52F74B662C3103A4C0BFAA8B913E159D7765E03E
                              SHA-256:AC7BB42F219E302B1B91946F45A8088158148C324BE1FF512D7D2AD646E0445D
                              SHA-512:B3951817FA1A335F469D1C678B6AE53410112DD51D3CDC06A71D50F152E8818178695AA57DFC056A8DACE65166A081143974D34D36C38A2489A7850AD05ED116
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):5865272
                              Entropy (8bit):2.9188275437370867
                              Encrypted:false
                              SSDEEP:3072:stsxIS9L+rz5iG7aB+H+Yge19NT6lBc/0yY+wcE9rCbpxTNX5vNRZWyXzyKblUuI:s6xISpQiG7aBMjNxTNX5vZg
                              MD5:D6D66AFFF8B0979A3FB896134E49C6F6
                              SHA1:15B593656DCEC045CBEF12BA997DDF2DA13DD1EC
                              SHA-256:A4A55B6CAC8745637AB9BC112B54A607B19A1746816F0CDA127F7141B0798EAB
                              SHA-512:5E1382B7F812317E7E609AF0FEFB0D0C2413DE42DCB32E147C00C6CDC3434417B462BBF15C054E112BDA4C343ACAD07F2E7CDFCBB2BFA6412EFE5DB62A73F2DC
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):16696
                              Entropy (8bit):5.841253400297647
                              Encrypted:false
                              SSDEEP:384:Hn9FWNiqWvIHTZApqIa6Gz2D1IDBRJt9GlIn:HD2jsGzyI1Pn
                              MD5:82FB94E1FF1A8EE4DB896962D91FCEC4
                              SHA1:8D606A59EC5E0AF4529C0A36B095CF52C47C9F60
                              SHA-256:A41E0FBE81089EFAFFC386B6B002108BC9C0C19CE756D0A0CF0696A0A829AC37
                              SHA-512:4D07739A28285C48400CCA33C014C7DFDCD7CED678C9C632BB8EB60E49912EC327F961D7A2C27ECDCC9D8248EB7FFD4B404F4A1B8EB6B4DCEEFC76F6940B8AFD
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):48536
                              Entropy (8bit):6.140681321190623
                              Encrypted:false
                              SSDEEP:768:cUmuzoNLd6VL1ilAb+x4SekjRYJKRiISZ20pidakx9o9dAPkuFJI1PHdOC:Hf20wzjRuC0uaF9d8dFePHQ
                              MD5:A5D6ECC292535D2C635EE25701238173
                              SHA1:DE34B8248886E59AC72C5A1FDA9876F40312EC95
                              SHA-256:E320356D53C168DB9080BB04D5E8F4CC16D66657DEEB063F9133EAC9381BDB1D
                              SHA-512:E1CA3E6627C2C5D59F2EC931887F82514B850E567EF423D0F1CC763948A190ECBF0FEEC4F10FD697C35C252E56ACFC02BB7B163745946E791B11BAA467B00D2F
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Microsoft Cabinet archive data, many, 14302 bytes, 14 files, at 0x44 +A "$filehashes$.dat" +A "amd64_microsoft-windows-i..-optional.resources_31bf3856ad364e35_11.0.19041.1_en-gb_74bcbf0ef481b948\iexplore.exe.mui", flags 0x4, ID 555, number 1, extra bytes 20 in head, 2 datablocks, 0x1503 compression
                              Category:dropped
                              Size (bytes):22942
                              Entropy (8bit):7.818942840814621
                              Encrypted:false
                              SSDEEP:384:iX+cKvbHk5VgsueFg2nGD/3j0ar1FcemwoY9zzWvmwGy3Wl1eVsL:iar6uk5Gr39Qez/9zzWvmOKwsL
                              MD5:8EE0826871F3F7927F3FD0EDC7EF72F1
                              SHA1:BB6E0B223056138ACC75B7B3642636234F819EA7
                              SHA-256:B9F6E5769E54FAAFC9735A6F99D4EB367C722F5CF1077918A0521DE207D49C54
                              SHA-512:5785A42560AACB5FB9570C8368B9939D8385911229056705EBAC4A5C05B3221A481E2B2C77F9D53607E4293A0728D44737EAFAFAF9F32BF2E731F4C1D9A9C158
                              Malicious:false
                              Preview:MSCF.....7......D...............+............7...!..................|..........O.( .$filehashes$.dat.....|......O.. .amd64_microsoft-windows-i..-optional.resources_31bf3856ad364e35_11.0.19041.1_en-gb_74bcbf0ef481b948\iexplore.exe.mui.C...|4.....O.( .amd64_microsoft-windows-i..-optional.resources_31bf3856ad364e35_11.0.19041.1_en-gb_74bcbf0ef481b948.manifest......5.....O.$ .amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-gb_5e5f95ddd0dc4e8c.manifest......8.....O@$ .amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_11.0.19041.1_en-gb_5910a9acdd78d74a.manifest..(..J>.....O.( .Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~en-gb~11.0.19041.1.cat.:....g.....O.( .Microsoft-Windows-InternetExplorer-Optional-Package~31bf3856ad364e35~amd64~en-gb~11.0.19041.1.mum.H$..On.....O.( .Microsoft-Windows-InternetExplorer-Package-ua~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat.G..........O@$ .Microsoft-Windows-InternetExplorer-Pack
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Microsoft Cabinet archive data, many, 283771 bytes, 20 files, at 0x44 +A "$filehashes$.dat" +A "amd64_microsoft-windows-i..ckage-ua-deployment_31bf3856ad364e35_10.0.19041.1_none_65a616996277ef5b.manifest", flags 0x4, ID 555, number 1, extra bytes 20 in head, 53 datablocks, 0x1503 compression
                              Category:dropped
                              Size (bytes):292619
                              Entropy (8bit):7.990305471415702
                              Encrypted:true
                              SSDEEP:6144:4qkN+RUiukCCh8BtkWZ3Bsn4iuX17zG6EvIN7PvTNEo9Wp0bL2:4f+RPKCh8Pnyn4PzGMEc2
                              MD5:3EB33018D02E5A0DD0E34B52E86D58BD
                              SHA1:3A44E27AC7FA422E2E2B4E1B28478D4DEF16DD3B
                              SHA-256:74D7EF838DF3627159D164EC28614C7429DF2C8972459454895A10FA8C666114
                              SHA-512:C6261201668D8BF58F9600813625A978F122F6F6B35560A9102838885F2EFDBB22652AD098E12C9EE800C7D1AC96E337D605EC9E258AC5B9F9B58EE8FDB441BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Microsoft Cabinet archive data, many, 72774989 bytes, 1896 files, at 0x44 +A "$filehashes$.dat" +A "amd64_.netframework_31bf3856ad364e35_10.0.19041.1_none_8eb3a938960a0b1d.manifest", flags 0x4, ID 555, number 1, extra bytes 20 in head, 7618 datablocks, 0x1503 compression
                              Category:dropped
                              Size (bytes):72783629
                              Entropy (8bit):7.999855330685438
                              Encrypted:true
                              SSDEEP:1572864:zCp983ZZrH3vfBAwhg1d0MBfy1oxGCwiRIjVzFHf:zCE3HH3xRg1v5XxG9XFHf
                              MD5:98781BA93D553B496A3BA1C536911A69
                              SHA1:42DD5A9B713F6FC9A4BACA89C87FC9A97E378CE7
                              SHA-256:5861074B8222152C6D2A29A159B7B5CC4733C2C6A7F78A10AE5F6585E9EF1E59
                              SHA-512:BD19FA0DAA67A5C70482B080AA7093B807679A46C50010BBA01F392A46D8332E7688562C77452F0C1E5E21790BAC17FA28D3823CBB03FD5B841812FDD2B031D7
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):49816
                              Entropy (8bit):6.1026442780302075
                              Encrypted:false
                              SSDEEP:768:93qIBm4r4ei4nZLM5W82d518kHF7krt+GHAQ3NWS41paRUHRDSp2rSK:93qIBDiqZQcd5VHF7krkGgqlNsupEr
                              MD5:63062F0DBA87D5864D774D580EF37F71
                              SHA1:4228DFC3D91DDBEAAD31C4693DEFC3A79789EE69
                              SHA-256:77452489FEF564C7BC8294E8B1998794FD6F35FF335BA3AE09962C350146A025
                              SHA-512:3FA2950F5665799DA3133344D14634C85595C1EF3195A00F89A7C15275ABD044B3CCBE6093499D94FFF2196E6DB1833D84CDCF4514D5DDF211774D9AB4F7305E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):206352
                              Entropy (8bit):6.39263367340411
                              Encrypted:false
                              SSDEEP:3072:iOYnQ05HaWPM/JT6DYo9WdrdZzHIOKtHkWIOteDx90gvLqjmVyYBa:gRVi/JW8o9WhzzozHtkLE
                              MD5:286F982A5DD12037097288791B900BE2
                              SHA1:8D6DCD4C61459AE84314C23E7924A5F043E59F16
                              SHA-256:32A657D8E7F1364A7A9845084E4E63011443E72668F9BB1C589B2D70A9E72905
                              SHA-512:3E043251E4257172E31172BAA2E22F281E47B7BEC4E5DA6A95E7B5802D90DEA9FCEB6420F7D7532FD82A1F4DF9F8154D4AF0B9665584D783432AC12B7A414100
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1099096
                              Entropy (8bit):6.182824310854598
                              Encrypted:false
                              SSDEEP:12288:+piYCl2vyrqmx32Mfban+IEMTkgWOSbyxG:IiYC0vymu3rbG2MT5WOSbyxG
                              MD5:2FABB2C3D73CF7F1C33F18D3A457594D
                              SHA1:1D0CE0536CF586297B87063E22A6F2B6A749B9A3
                              SHA-256:C84075A3C1BB941E78D8F2285805B683A3D6735D03869E006AC30F50AFAED4DE
                              SHA-512:B9D343169C3B0A700133EF15EA3A35B95CD3A1715D0E9327159EF2FB51CADFBD8892E9BD1F69B8203BFFA65187F54D12434BBE8728DE6F030766D027A434A68E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):3508
                              Entropy (8bit):5.136172529061769
                              Encrypted:false
                              SSDEEP:96:vX9JKaIiRWpSY5A5H35P35Hxkv4aIxOIG9:/eUxZG9
                              MD5:826643B6BCB5420EA7B65509F22B1414
                              SHA1:D03E846F454D918957EAF5275E4A59FBA8BE38B4
                              SHA-256:2E3BA087D5767E83A6F78C4171A8B049A041F989003809B5B571C415621B7470
                              SHA-512:93015D91051E2D700C3746C6DBB020E778873AE58FEF936059AF1AA9E345241019F42C54F3DFEED010CBAA2ADB0FC979C7A4EA6B2E4B2CF3603565A575526506
                              Malicious:false
                              Preview:<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/Uninstall">.... <component type="System" phase="Upgrade">.. <displayName>Uninstall</displayName>.. <role role="Settings">.... <rules context="User">.. <include>.. <objectSet>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\Microsoft\Windows\Application Shortcuts\* [*]</pattern>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\Packages\Microsoft$\* [*]</pattern>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\Packages\Windows$\* [*]</pattern>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\Packages\Winstore$\* [*]</pattern>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\TileDataLayer\* [*]</pattern>.. </objectSet>.. </include>.. <exclude>.. <objectSet>.. <pattern type="File">%CSIDL_LOCAL_APPDATA%\Packages\microsoft.windowscommunicationsapps_$\LocalState\LiveComm\$\$\Att\* [*]</pattern>.. <pattern type
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):11122
                              Entropy (8bit):4.955430581902083
                              Encrypted:false
                              SSDEEP:48:v3WeYVXfJnfqCfxTBXB4F10xxlI/t3mYt443Ht3Su3oLaD3b93FP3tb3czqr3zl+:vmeyrYmmIq9z4CKH9HP9r+y9
                              MD5:8E2A80ADB7B9DE5685588FD77AF3516E
                              SHA1:9596FAD3EFDA3DE2221A25DA386B28C9560431CF
                              SHA-256:6AF6A874DBEF36AE28AD060FDF401F50E5BDCECE87D972F1135EEA1CC5DF4917
                              SHA-512:60730FF0EEE51695CC11A3615A09A70FBD2B313ED0149686AAEBFCA0E12A97A0594D0FFFD039B788BDB886BC606782277700FB61B7082D3D5714582857FDAD36
                              Malicious:false
                              Preview:<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/Uninstall">.... <component type="Documents">.. <displayName>Uninstall Data</displayName>.. <role role="Data">.... <rules context="User">.. <rules>.. <include>.. <objectSet>.. <condition>MigXmlHelper.IsInWindowsNamespace("%FOLDERID_SkyDrive%")</condition>.. <pattern type="File">%FOLDERID_SkyDrive%\* [*]</pattern>.. </objectSet>.. <objectSet>.. <condition>MigXmlHelper.IsInWindowsNamespace("%FOLDERID_SkyDriveDocuments%")</condition>.. <pattern type="File">%FOLDERID_SkyDriveDocuments%\* [*]</pattern>.. </objectSet>.. <objectSet>.. <condition>MigXmlHelper.IsInWindowsNamespace("%FOLDERID_SkyDrivePictures%")</condition>.. <pattern type="File">%FOLDERID_SkyDrivePictures%\* [*]</pattern>.. </objectSet>.. <objectSet>.. <condition>MigXmlH
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):2799472
                              Entropy (8bit):6.381331513267625
                              Encrypted:false
                              SSDEEP:49152:tHy2rI4X6k+gAz7uqXHJL5NbEYr/LoMdNN7nPkRXAV3dAEfG4pN0BzwMHvcaPWv9:tHyEI4KbLAMXySMjxMKK
                              MD5:03F18021D397E3F33E5F709E6D9B501C
                              SHA1:7DD384837CA4D8D221034719CBCD1926352C5635
                              SHA-256:47598D10DC9D803FC066F2044C5CFF9910A9F92C1428317DF89299F8479E9FD6
                              SHA-512:E6004E52408EDA02C41EFB062837D1A403C8500E7BF6825D1F5113DAC47378479A8B782CE34B315416492E51955D6EF5AB20AE22F7CFF9E0D9C52247BC1D1FB0
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):121656
                              Entropy (8bit):5.865670029610626
                              Encrypted:false
                              SSDEEP:1536:hRjgHwZofxXv7rsv1OWONmok2n0a2Is0wKzHutlnAEti/R/0CPi94:hWpfl7rk1Oc2n0auNKKfnAKEFa94
                              MD5:5FDA5B224848BF04E05CE8EC7BF59F30
                              SHA1:E338BC0496371B73E368879F6FCAC3841232968C
                              SHA-256:129C724D6D16135F231AC55E1A10CB40C916E7A29725E2A4426A1B8103697069
                              SHA-512:8F976F6656EEED356A4D9F5E00F60F99AF1FEC9FA4EC0972A53D2715037F385C03E3D10160797BCA49A97E49CA03C3E5FFDADE966B2440FD7A16FEECB9168DD1
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:HTML document, ASCII text, with very long lines (964), with CRLF line terminators
                              Category:dropped
                              Size (bytes):208513
                              Entropy (8bit):5.267532227116429
                              Encrypted:false
                              SSDEEP:768:Udn9GFZexlL95D4eUT+dn+qyym94z9Gl7dIa2KkX+wYjtA8yV6TBO9:UXnUT0n+qynxpGvvTgBO9
                              MD5:44DC2A94E13F60712BDF8282DBCE2B81
                              SHA1:37F4C7500F4B295FB84833047E3A9A7EB9FC0580
                              SHA-256:E3D8E05E46BF9FCE34348D5456FC85996653BA44B43675527E00E50BA4A23370
                              SHA-512:B87039ED86F99DF6ACF9F377FDD86743E72A4B1DA117EF66A9E641FB9C9F3DF37AC280AC4A6A14EC59E501235AED1C810D7B460604F4711C16AB8419321BB85F
                              Malicious:false
                              Preview:<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/BulkUpgrade">.... <component type="Application">.. <displayName>Bulk Upgrade</displayName>.. <paths>.. <path type="File">%windir%\BulkUpg</path>.. </paths>.. <role role="Settings">.... <environment context="System">.. <variable name="GOOGLE_EARTH_ROOT">.. <script>MigXmlHelper.GetStringContent("Registry","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B} [InstallLocation]")</script>.. </variable>.... <variable name="SYSVOL_DIR">.. <objectSet>.. <content filter='MigXmlHelper.ExtractDirectory (NULL, "1")'>.. <objectSet>.. <pattern type="Registry">HKLM\System\CurrentControlSet\Services\Netlogon\Parameters [SysVol]</pattern>.. </objectSet>.. </content>.. </objectSet>.. </variable>.. </environment>.... <rules context="system">..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:HTML document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4320
                              Entropy (8bit):5.068214422742928
                              Encrypted:false
                              SSDEEP:96:v2+Zlko2lXzbFxOKhWTRKR7YzlzzK2ONbhQeIiuI+u7zozZz8UzkqD639:wLfFBCzs0u9
                              MD5:C7FF25B63F94F7B829345157A34637F3
                              SHA1:221A0121DBC33C132763A2A1C6154467A05403FA
                              SHA-256:6E0A22EFF52B662DF3396650A01BD74504E49BA57C97C256EC1E8FECC59E7D8E
                              SHA-512:E216C73F9710E38A017C59EA8B8117BB12B3997AC7D3AB4AC9669F9DF2E6A2D3EFDFB44CC46F280713AC86228A46E723A0790FD0992786132354CE55848F1B94
                              Malicious:false
                              Preview:<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/upgrade">.. <component type="Application" offlineGather="No" offlineApply="No">.. <displayName>Upgrade Online Only</displayName>.. <role role="Settings">.... <rules context="User">.... <include>.. <objectSet>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\OneDrive\* [*]</pattern>.. </objectSet>.. </include>.... <merge script="MigXmlHelper.SourcePriority()">.. <objectSet>.. <pattern type="Registry">HKCU\SOFTWARE\Microsoft\OneDrive\* [*]</pattern>.. </objectSet>.. </merge>.... </rules>.... <rules context="System">.... <include>.. <objectSet>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\ACService\* [*]</pattern>.. <pattern type="Registry">HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\* [*]</pattern>.. </objectSe
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:HTML document, ASCII text, with very long lines (964), with CRLF line terminators
                              Category:dropped
                              Size (bytes):41108
                              Entropy (8bit):5.053157784558583
                              Encrypted:false
                              SSDEEP:384:tqdzOnjPKA6Z74sZwM4iS53iScpexlL9Dx9qByRRN99tN59m2KHQZEX9:tmZ74sZCiS53i7exlL9D3qM9KHQZ09
                              MD5:3D6E9A12CC7B7DAE789BB8E77902B0AA
                              SHA1:46F3B293DADA06BF04493A69F4324D1AC82F31C7
                              SHA-256:0F72E9DF380EA3F45104F50494ADEF74EA1D9FDA61289A5B7ACF14B3918F0B6E
                              SHA-512:42B8A48213C08E0E7A90FEEA63B70F2C28C23A633F2D5003DFAA453C99892A31CEB61869FF2889374BF7A116CCD821595E0410B3CF8D349FD723F5CF4A622FAE
                              Malicious:false
                              Preview:<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/DataUpgrade">.... <component type="Documents">.. <displayName>Data Upgrade</displayName>.. <role role="Data">.... <environment context="User">.. <variable name="FOLDERID_SkyDrive_Win8">.. <script>MigXmlHelper.GetStringContent("Registry","HKCU\Software\Microsoft\SkyDrive[UserFolder]")</script>.. </variable>.. </environment>...... <rules context="User">.. <conditions>.. <condition>MigXmlHelper.IsMigrationScope("Data")</condition>.. </conditions>.. <include>.. <objectSet>.. @*: from dpapi_keys.man.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\Protect\*[*]</pattern>.. @*: from CAPI2_certs.man.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\SystemCertificates\My\Certificates[*]</pattern>.. <pattern type="File">%CSIDL_APPDATA%\Microsoft\SystemCertificates\Request\Certif
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):18614
                              Entropy (8bit):4.971437184646271
                              Encrypted:false
                              SSDEEP:192:9dkpZ7d1oENLrTH+lyHEKkaJPTJjl3J8UwH29:9dkpZ7d1oE56lLKk8ZlGUJ9
                              MD5:9750A4A12BAC7AB861EC5078D6A07204
                              SHA1:159C8DF9B4E29A4C7F0AD30CFCBEBADA96D62EB3
                              SHA-256:4CA2ED8DD34856464E9AC57589D99F8EAE3A7C4F13C0A54008F68EFF29A3589A
                              SHA-512:1392EA747B0548DFD09E59B7BEFDFB382131092D7B38427ED898236344EC142A7E7267F70DC118C69E60D41BA2EB47D406CF6C90A6C1E7A38A93CCDCAA8E973C
                              Malicious:false
                              Preview:<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/frameworkupgrade">.. <component type="System" context="System">.. <displayName>UpgradeFramework</displayName>.. <role role="Settings">.... <rules>.. <conditions>.. <condition>MigXmlHelper.IsMigrationScope("FrameworkBasic")</condition>.. </conditions>.... <excludeAttributes attributes="Security">.. <objectSet>.. <pattern type="File">* [*]</pattern>.. <pattern type="Registry">* [*]</pattern>.. </objectSet>.. </excludeAttributes>.... <include>.. <objectSet>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\SQMClient [MachineId]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\SQMClient [IsTest]</pattern>.. <pattern type="Registry">HKLM\SOFTWARE\Microsoft\SQMClient\$ [StudyId]</pattern>.. </objectSet>.. </include>.. <include>.. <objectSet>..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):3143992
                              Entropy (8bit):6.081315396218449
                              Encrypted:false
                              SSDEEP:24576:NDxPDGmKZHxrsZfJln5XIvAGpfNdLYgFgF1LXvqfnEOuXpv:NEZHxrsZfJln5YvAGpfNdLlcvqcOw
                              MD5:F92325B50428437C6EEE9A5A0324BE2D
                              SHA1:FA8B873D5CD80E899379087C9F653BBC316B2915
                              SHA-256:7FB92754F2B5770B00C59298746A4431273F8B351C7C4223268C13FA801C95CE
                              SHA-512:0B7A748C3CF5022F00E47BE5E57B97371368D97DB06510120C975CFFD01C47C7DE8CE8F7DE679057BFE93EDB459E107482DFBAD9FF9EC102BEB7340449228C7B
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):70907
                              Entropy (8bit):4.970420812645697
                              Encrypted:false
                              SSDEEP:768:DiEYbCWaa1jY2p1GwN38aJNtdpw8wfEOmCPKic7CYhYe:GLVaa9jRN38edp68OzDwt
                              MD5:4AFAAF88EEF83DADA4CB5563542D5411
                              SHA1:68BE1C8E1B9DD33A3BD21A9779DD6729D1EAD142
                              SHA-256:8A8C0188D78D699824194645221AF7F4B57D52615AC30F1A45DC9A7AE36343EF
                              SHA-512:2E7B17FA4A5BDB91980501568DBCB7428B72320753AA088A4EDE60890E29648151F368E7CBFE05C7CADB299AD4FF38BDABFE7FBC0A73A3CE1A7052481217B6B8
                              Malicious:false
                              Preview:<upgrade urlid="http://www.microsoft.com/migration/1.0/migxmlext/BulkUpgrade">.. <uninstall>.. <uninstallString>.. <condition type="exclude" name="%SystemRoot%\IE7$\*"/>.. <condition type="exclude" name="%SystemRoot%\^$NtServicePackUninstall$\*"/>.. <condition type="exclude" name="%SystemRoot%\^$NtUninstall$\*"/>.. <condition type="exclude" name="%SystemRoot%\^$Msi$Uninstall$\*"/>.. </uninstallString>.. <values>.. <parentKeyName name="OperatingSystem"/>.. <parentKeyName name="Microsoft .NET Framework 2.0*"/>.. <parentDisplayName name="Windows*"/>.. <displayName name="Microsoft .NET Framework 3.5*"/>.. <displayName name="Microsoft .NET Framework 4* Client Profile*"/>.. <displayName name="Microsoft .NET Framework 4* Extended*"/>.. <displayName name="Microsoft ActiveSync*"/>.. <displayName name="Microsoft AntiSpyware*"/>.. <
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):114569
                              Entropy (8bit):5.337955488302864
                              Encrypted:false
                              SSDEEP:384:6lDZSNPeAhKdfSPLBt5NIpGgkFFucp3yo0kMyWbSuWbjq6yh6hpBcvqm2UhZNGCX:IuqSPSknytbSuW7mp8r5wee4FRC9
                              MD5:78A4B2BD037ED3508070F26857732D68
                              SHA1:1D8D2C34E071585B3161C3F53C7C3B671B9C8B1F
                              SHA-256:AF909F8A6198A0E4D2F07D804B95A94DADB226B0099C3FCEFC2F3CDCC7DB0025
                              SHA-512:467652AEBBA7BE2D650D39A7D50FC46031E6F9489A59FA9ADD629BB34E747B0ACFC395653A56480015A40AFFC71486386FB6B1B595C164DEB67FA030A5197203
                              Malicious:false
                              Preview:.<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/BulkUpgrade(Wow)">...... <component type="Application">.. <displayName>Bulk Upgrade(Wow)</displayName>.. <paths>.. <path type="File">%windir%\BulkUpg(Wow)</path>.. </paths>.. <role role="Settings">.... <rules context="System">.. <exclude>.. <objectSet>.. <pattern type="Registry">HKU\.DEFAULT\Software\Wow6432Node\Microsoft\Windows\* [*]</pattern>.. </objectSet>.. </exclude>.. <include>.. <objectSet>.. <pattern type="Registry">HKU\.DEFAULT\Software\Wow6432Node\* [*]</pattern>.. </objectSet>.. </include>.. </rules>.... <rules context="User">.... <include>.. <objectSet>.. <pattern type="Registry">HKCU\Software\Wow6432Node\* [*]</pattern>.. <pattern type="Registry">HKCU\Software\Classes\Wow6432Node\* [*]</pattern>.. </objectSet>.. </include>....
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:Microsoft Cabinet archive data, single, 39872 bytes, 1 file, at 0x44 +A "DesktopTargetCompDB_Neutral.xml", flags 0x4, ID 555, number 1, extra bytes 20 in head, 15 datablocks, 0xf03 compression
                              Category:dropped
                              Size (bytes):48512
                              Entropy (8bit):7.965493966067655
                              Encrypted:false
                              SSDEEP:768:Zf+smMz5xHcdHD1K57cr1ycfUndEefLV1reKvDW:p+sRT+1K5YrRUndE81rW
                              MD5:D9F9C701EA9F865A01263E748D198BDD
                              SHA1:22410637619F0FF173EF0633F97D0B53F399D203
                              SHA-256:75F07AF022521956FE46C54D073DE6CEAA334DE1D0647C0185866662B60C39E5
                              SHA-512:2D71B54DC4E7E691A4A4DB9CBF8154994F6AB204EAF4D69D5DE8048AB6BCB7CF5E060428A96338DC18F8B1EF3C354E6FD35A08FB751877B1B4D2CBFA2F013280
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):181048
                              Entropy (8bit):6.234199711911089
                              Encrypted:false
                              SSDEEP:1536:g49Z3LE/jqGPDdoJJlclqrDcETzfXY1injU8exagOV3GRDGdHuoniYjMOcLIRMSI:gIE/2lAKo+njUzJOyGAkjJc0Rb3/4Kq
                              MD5:839E9428EB230C4E7D870510C1F4BD3B
                              SHA1:EC9654C4CAD88ABEE7A5FEB3822573FF21CBA2DE
                              SHA-256:4AC927A6F15A78F6DD4267BD46FB29D4F4B5BAE7C22DCE67886878E5F545310B
                              SHA-512:9D7E09503331935CEF00F66569FDACBE634A42E3D82D013450954AA2AEC99D9507A1936E068F8930A5E3AFC8DD86BB0112437E4EEE35456A82BC920B61B61816
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):11576
                              Entropy (8bit):6.6335430770095165
                              Encrypted:false
                              SSDEEP:192:vWo3WoGQZD1S8f4DBQABJt6feM6ArNc4qnajr7vcO:vWo3WoGQZD1IDBRJtT94lrvB
                              MD5:FEEAFDBC46543725B9ACB9B85C5EDA44
                              SHA1:093179FCF48B35070EF0072B0BDB353F67CC4666
                              SHA-256:6854B1788DF3BF2A5757FB798A54D5E09E0C50407233786CADE45E11F3752B74
                              SHA-512:1235B1A49EF6BABFE8D494B762B1BE0316809A00D204396FF3827BCF9FC071D77E58769E00B11FE4091C325A9D2CCBC8FB6C6B7B7FC9F372B45FBEC1B4A2A508
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):571704
                              Entropy (8bit):6.125218747691829
                              Encrypted:false
                              SSDEEP:6144:hpE5P/Q6O9auO6SVhImTnn1+MDFPotbQphOsTuOHIC64o0Br7sKNzt/eZwg:hpOTju7S8mTnHRABCUsTuOoN4fg
                              MD5:C02E1642519818D0FB94BC5742CC1B8A
                              SHA1:6D66A06EE8D34BE735D96D4CD936E61E3F5AC879
                              SHA-256:C2F0E8BDE6A6AB1671A4D1F0B1C1077E53F5B1B05377C0CDE2A1346BFA8C2A8A
                              SHA-512:103BC9054115CA3EE86C1217BBFCF4F7CBBB6F277AFDBB84BE064016CFED70E51E21FA39AFA0DA989AFFAF34C83C6D6BA6654F4BA4378D231F42F93279FDE937
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1103872
                              Entropy (8bit):6.127765111426917
                              Encrypted:false
                              SSDEEP:24576:baTv24JdIu2IsE1Lk6cMWYsIKBeGRXz3jTbJZ0mZaFcMNutu9BMK:WCeGRXzNZ0zmMNutu9
                              MD5:2EEAFB668358C3F42E192F95383D86C6
                              SHA1:81CCAC1A2209C16BFA5CBEF9011EA613021B5197
                              SHA-256:BAABA4C7C603A6F68026A88095FEFCE4761EA44A2E18D702DC75494AF912196C
                              SHA-512:D1BBD9B25FD2BD1076E615F1F028B666AA4328B6703086029E2EF0A8A7D2A60AC6BD35DAA9B85678253012FFB9624C17392696CB5E48E4E713076EB989CE0F43
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):2897720
                              Entropy (8bit):5.880088556238909
                              Encrypted:false
                              SSDEEP:12288:PuSqSvMTuSqSvM6agvGokAAQ4UPTyiJV+:PuSqtTuSqtT0RQ
                              MD5:7D05B16EEAA215AE85292353222876C6
                              SHA1:BF4372579CD888E66318B35495607A99EA93C950
                              SHA-256:A15A7B605C756E2A808EC69DF1BE4C1AD01763DDC1D15AE54B7BC33C96E8567E
                              SHA-512:FEABAD32E2E09578F57589D340BDA62C362B6B9517B64E47962FE9B313C0778B0E2AB4F28D52841C96F97144C2287039A002939833E609B49B0948896CF00E49
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):212280
                              Entropy (8bit):5.3104362748182785
                              Encrypted:false
                              SSDEEP:1536:O+0zzOMdAV8yEyePaauLXLbfm2Xp0jcM2qKMtzgeO971OuvQwyV6PcN:n0zzOMSLnKuwUePuvQw/UN
                              MD5:681D063BA491A383E18B7023560E29D2
                              SHA1:2B8B41C968AE0CB4D7B69C1FCC32324DA8F77F22
                              SHA-256:9F798E39E12C9F89D4209E8B72547964758879CF93894BAB437C0C04F3283A36
                              SHA-512:69F91F2D784E8600EE3820DF1264376CC3A089545126350015E914AA6632CCDE458D65A9F8FECD800B805A339A0F0BB67B0B6F6B99F2934D24FBBF51082695E3
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:GIF image data, version 89a, 16 x 16
                              Category:dropped
                              Size (bytes):597
                              Entropy (8bit):6.272811206905399
                              Encrypted:false
                              SSDEEP:12:SmywYxOOeLe4l7/0l+rl+HQtpq1FmUVMmUyOTU:SmkAMl+PMjmUmxQ
                              MD5:3BBFB7561BA3FFC64043F66A2075B1CD
                              SHA1:E360ADBBF877871ABEAEE889D6DE632FAA1F0693
                              SHA-256:41D54D223402D52E0CB778ED0E144EF6B965B85D6874A23222DD493986168070
                              SHA-512:68A88E0F56B7A4C02E492B4F1DC950B99E490B73C244BC07EDF284FA02F59BA6EAA0BB78EA4479144E6E2FC23D90BCD5C9BEF82B2275A5F5EF515D038FF23C81
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):994248
                              Entropy (8bit):6.2518875861047585
                              Encrypted:false
                              SSDEEP:12288:JZdl4pVse/4XmTSVcKYzY1AREbwa7WFtST90Qe4kWVPmVsrMVYrlEnKZF9MJwfti:GVsvukR7GSo6ssoVYPk4Ab/
                              MD5:D4C238D95271C7816DE53E2CFC24002F
                              SHA1:847C208A105AD93A6D39FBE4DCD141D08A4F7465
                              SHA-256:BF29576CF919C7BE748033DC60F938B90A280636A6EE6B2003D2A83B396E7F6F
                              SHA-512:4382ABFAB9D616C1A0806CB2983E40AC5AC01E886D3BAD0989FE80D535E3C54FDCADB33E92768D9FC6A1ACA43A6EC124F58BE798F23639C7592897B574F90C87
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):308168
                              Entropy (8bit):6.2018746379063145
                              Encrypted:false
                              SSDEEP:6144:ex3vvwKKamkmaIB3kGJRE8rCQbxdCOGbwCCQM+tf9vDxkkgStX5fcf:ex3wKVmkWHJRE8rCQbxdCOW
                              MD5:5B898743B576CF5968E7FD86BC79B20D
                              SHA1:E17CF72E1E8964FBEE37FBAA4FF319866775A7D0
                              SHA-256:4BD6A1F66D774CA98A8C92D9B6E9AA13E9551860CFC42117B703EB7B143A530C
                              SHA-512:3764CFA413CC8AA9273F4C96E885AAEB918D67C1D725876FB8F245A7193B041AEA57DA44A025C2A4CD633F2DA6704DF383019DD8DEC4ADC03A84517606BE40B9
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):261944
                              Entropy (8bit):6.0918146822107415
                              Encrypted:false
                              SSDEEP:6144:9JPlpveGIXvixnJpJyAFU5k4QFTn4xS1j0:9LPI/ixg5kTj0
                              MD5:B873A07FE0F133DBD7EDE720D34FB924
                              SHA1:6799A994626B71D22381A53F3CA381DE7226055E
                              SHA-256:D288FE3873FF3F49775D39463113D4DA0F734E3148E62613418142970099F585
                              SHA-512:BE61492225512F3E0634E9C5FE249ED478AAD5D29AF33AAAA35D994A7737F16A393C714603A464E511FF5066011B286BE5571E2B89038C1B337E1AC4A60F33F6
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):62264
                              Entropy (8bit):6.147823122783922
                              Encrypted:false
                              SSDEEP:1536:9jqvkMhaIztW73Zd0AEDmEy1xQ/9zpTXWyNwfAUPv:9jSztgZdDEDmnxQ/9NTXWyNwfAU3
                              MD5:47DFCA91CE4024426FEA98B43336D0C5
                              SHA1:2B20E889E1F50AC941447B32E1BD614542B3441C
                              SHA-256:91F41799B09C4F932A8AB4A6FC9EC047F10167751328A7B22F91F80B9F688C6E
                              SHA-512:04DCF14D30BD8C61846BBFE937FA588D15B0E9F0BFA0EC9A376E9A03CAE6202B39D8EB5F47E28002E6DE10B89B10C5182515FC77B59314F3FEC47329162164E7
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):946632
                              Entropy (8bit):6.299998003455738
                              Encrypted:false
                              SSDEEP:24576:p1uU/SvMKyHyloLV1V+ksvDsFEF3ROsn:3DK5qLV1EFvgo0sn
                              MD5:2AE85A84FAF080149228B8863A118CA9
                              SHA1:BB0612E380E5B2BF5C11686B593ADA909844D66C
                              SHA-256:14D999A3FB9454ADFB66E595ED6A38BDED350CB5160C54C617A64523092582EC
                              SHA-512:AB8E1967FDA6E07C7CD954177D8AFC2A510CFB296516A98A04CC7FA57871CF093F136F93EAC26769B9D0152B9CFA293F44F3B107597623EB0E38F7B7E814AC60
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):650392
                              Entropy (8bit):6.385595606891771
                              Encrypted:false
                              SSDEEP:12288:SE9BNL5lE9odN6VT9bf8fJF/e5OXt3Y+mD59:5Bt5lEv7wF25OXq+m59
                              MD5:26B4608BF76A26FE33EAB63F20BCA551
                              SHA1:789B4A9BE0F78BE7B903312A8ED04E6F554FFEBD
                              SHA-256:C294181B3320F8D2D272C4843B986C1AFA659ABCA67815340847DD803606C2ED
                              SHA-512:8AC4D8BA8C495029CC7AB6B56DD53B27C8E1623600C57536D891F8853BC6B45434866583D5995A82F6B27A7B24AA47A9E4D78DD35CA44605897DC61096AAF64A
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):19904
                              Entropy (8bit):6.107119960165683
                              Encrypted:false
                              SSDEEP:384:3e8ophWmZNmIHbhM+tWnCOWAwGyQKqS14JeRlF6w:9ofIvCw3bw
                              MD5:71DDDC5C007770E205A8791170A8DE7D
                              SHA1:320FD2C0DBECE532CBA137F563991A960A36CC31
                              SHA-256:6E9DD20767D16D47AE35DB878183D288BB04C61C7339AC46E14BD75E39DE5C81
                              SHA-512:4EC3229B1078B4A0627E1C1119872FDB52AED22B876C0CE715CAF4FD99CBE49AA9369FF2BC21A44C89E0CEF5E6E5A8109E49CD3236122383EE12332DBD3D04FE
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):303928
                              Entropy (8bit):6.211401288967025
                              Encrypted:false
                              SSDEEP:6144:3p5NdYRSsbgWFtskhA14KR21AkqbVxKDklCh59:55NdYRSs/GP22kWKV59
                              MD5:3D7A9B21D64EFF7E3F6110343F2E4C51
                              SHA1:DF2237EA8FE1244FC7BE257FCC0124624396CE20
                              SHA-256:5AC9BEB2835BA091F95A63B4C6532D2105813FA8EBABA00096F32A6ECE7C455A
                              SHA-512:ADD262ACDCD7A559B6BDB123EBB265B4F2D65B0EA623C799D7176BD2174EFC9A2ED6F554EA397A3DD42AA37CD7EF21FE1B6FE88D32A024C5EB0C100AD1118367
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):13734
                              Entropy (8bit):4.55061760934011
                              Encrypted:false
                              SSDEEP:96:MA74VTQ6v6V/g6NeM0eFdyeQvejjupUcipU8pUEDpUbpUppU+pU4pUypUUpU/pmu:jU8g1x8DJDCErfnTCRGCP5uja
                              MD5:CA5992F3FA546392B45AF1F488FC1D49
                              SHA1:B7A5A0D8520B93F9B17D01ACCF900BBC8727172E
                              SHA-256:F7AFCF9B782A9FD19A22155639D9141DB2B6BE1C7996403E45B540268C51BC49
                              SHA-512:24E23E0922100DB09195A5A51C1FDD47B0AB6941A6504097C6512595E71A566CD7F186115B746FA612965A8E42BFFDA823EA2FB5BD53BCAA0618880A772BA8D7
                              Malicious:false
                              Preview:.<?xml version="1.0" encoding="utf-8" ?>..<DeviceFilters ver="0004">.... =========================================================== -->.. == Include any of the following devices before they get == -->.. == excluded by the exclude rules: == -->.. == == -->.. == HwId starts with "HDAUDIO\FUNC_01" == -->.. == HwId starts with "HDAUDIO\FUNC_02" == -->.. == == -->.. =========================================================== -->.. <filter exclude="Never">.. <expression name="HwId" match="HDAUDIO\\FUNC_01.*" />.. </filter>.. <filter exclude="Never">.. <expression name="HwId" match="HDAUDIO\\FUNC_02.*" />.. </filter>.. .. =========================================================== -->.. == Exclude any of the followi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):601616
                              Entropy (8bit):6.001092981718799
                              Encrypted:false
                              SSDEEP:6144:g1Ro5P3/RTh7IaEKVupVGp52lowRJefWVaPDTeZTAID7iLFrBTC+k8WoeXZbACdk:sR23DI20sf5PmZTND2LtBTC6BetNQ
                              MD5:05AEA826674EFEE0F4C0EE23E51385F2
                              SHA1:513B750A958B9249E53BBB4DA61F838F1BE1BF88
                              SHA-256:088436576EF217D08A6F7EFD24998B1ED44E120B17C28C4EB2A7125D4933ACF9
                              SHA-512:898788F465C3EF902A1021FC18C9BDAA43D6E387EAF07250EC0BFAA623CA138AAE9C3FC4CC3D487598CD1AE0EC0BAFBBAA7D89D47A7CD6A6DF73E3623D5D1DA1
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):664888
                              Entropy (8bit):6.042930148115743
                              Encrypted:false
                              SSDEEP:6144:TiovP8/y5XqQwO1Z/xVDtMJVMopVS0z6OQaSX4wHqHHmigpIRAsjto1Nx8eLer4y:Go8/y5XUO1ZZYJ2EcdXveUO
                              MD5:E47C4F3B1E1AEF0F15C1F0DD7510726B
                              SHA1:3155CCBD46B13780484EBC02EEAADDFDA5890806
                              SHA-256:C85974348A349E5242B3ADC9876C36460B31D8DD42C90A5D85882439DD5E8527
                              SHA-512:CAC6DC08D8E856870CD753F32AD91B5C13DE88026B164EC1C73D71CB785BFB449C78A1A31461A0389F389A64FD6CCD19FC690EB145C927A7C283FB8FE60778FA
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1427960
                              Entropy (8bit):6.257781253980962
                              Encrypted:false
                              SSDEEP:24576:euAhAS7ScBL8eUe1OlvwgSMCY1e+4093MxK:eZaS9BLplwTSMCGm0VMxK
                              MD5:BC6E8E33ACD6088D7D3F01035B916E5F
                              SHA1:67460BE88AA3FBD087189A05E6CF65F754CECD44
                              SHA-256:AD94D1016F095026F64BBF1B2BC80D7C67643918DD92EF583BD0D875E8C116C2
                              SHA-512:9424A9A7BEF75C0A11610C0EEF429A4F0E090B0FB21AE5F347072A4644C620E30C9F32D6CC82C86639207E65002BC23F4595B90016BD8927A574F4C72B1D5832
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):3690336
                              Entropy (8bit):6.069066515519586
                              Encrypted:false
                              SSDEEP:49152:EXHn8q5ymNARHS/YHn4aYnyKMCfJUb4d+8RD5CfnQD5JRe2PLA64+:pn47NMCfJp5tXPLl
                              MD5:0ABD274E1218D88D89C6FE1192E7F6A6
                              SHA1:48AA835058FD4085153F56E9676986F0E5FB6B15
                              SHA-256:6379C4BCD9D5B7556576D38C634158CDC654C1ADE8429FFF9E434B8122F5C299
                              SHA-512:96DA913E1F8DACE45773691D70C7239EAB8E8BC01DA70E87E47EAA12328B1C606209A8A885FD1FE898904CCA480FD5ED6B80F06BAE14DB5E563B42880E71961A
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):8192
                              Entropy (8bit):1.1924412939205524
                              Encrypted:false
                              SSDEEP:24:hetu8p5hjkuZkSu9wtkp6cTPY4ddjmVmVNvPqPIakt4DgR7Vpwggp0gev:H8xjk0kSuo4NvmMnvqkyOVpAr
                              MD5:CD48F85F59FD7EFB29BEE7AD222E377F
                              SHA1:9411D004EC3A84A05502F905C020B58610DD7CC7
                              SHA-256:2D25C5B327C32135F45CBF9749DADE8920BEDBC6D8EBF2DE4DC147BEE7CC6A5C
                              SHA-512:678387B02292F473E7DC92CE6C5934E212750BAF95A2B72E75A610680C885366BFC5B76473EEB98A03641600275F3578912758FD479B52373AA0589B47DC8B3D
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):74088
                              Entropy (8bit):5.929215372839464
                              Encrypted:false
                              SSDEEP:768:Jh+mlvVQsH1ptDFKeN0p7mjdHkgbLaZp10RmbWhdbcyzypTqywN1PXLvTNx9z8q:Zj1ptJKk0uHkgPaZWbc/pw7PXL7pz8q
                              MD5:B4A0A7B5E3BB0E37CECAFEE2056D300F
                              SHA1:290F98E2AB013AF8E485C2B0FD640A905A7E0DBF
                              SHA-256:14CF06309D35389CF13C7A5E7446F993BEC29FC4B6CB47CBE7B960724A751F58
                              SHA-512:921BBAB597F7E032B54D306AE5097D74ECF86910F30ACB744ECD0F8961B631933AC98ED9AA357C83C325AA95F363066E7C5832FE94A3AFDE9346242F08BF880E
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1327416
                              Entropy (8bit):6.0817431439563645
                              Encrypted:false
                              SSDEEP:24576:mLMaSR+W6FLDX+1XFnkWdp//MDKoFp/C8sVtiA:mLMaSkW6FvUXC+oFU87A
                              MD5:7151C1D1F615D74C3AD58D57D72FA685
                              SHA1:31FBF10CF509F601E454F1D9E7CC564BAFB3D8BB
                              SHA-256:038B48C5598656E354F80DF05484C2A545F9D38DB66A71BFAB8BB0A1970E8334
                              SHA-512:DFC4BBE36160CCC169B3574E21901F9C3DE68F3CDA16CFBA7C123BF6470DE7AFA9353CB7C55F5BD0FE82C6900EA307927DEED52B972AACCDA867D736E1560B62
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1297248
                              Entropy (8bit):5.956539163549476
                              Encrypted:false
                              SSDEEP:24576:4QdxQ5Fda9nC45Uk1llr18TIF2ZvGMYxfNa+HIBElYJQOJY3:JiZvGMYxfABElYJQOJ2
                              MD5:8157135ADD5D6124C02ABA692DF08240
                              SHA1:4E2578ECFB1482BE34C6540663AC394A5D948520
                              SHA-256:0A298CC72F292D1E39946861963E0C83DF35C1F6B1A658240B94CDC4B72E85F7
                              SHA-512:2F167015298E9092575351F799BCEDAE1AE47A6D54D754BA578DE0EB9CEA743DC2CF15AFDFECFD39DEC15A1B1CD6C5F58E03A85A54730D6204AE33F1BEE53718
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):13248
                              Entropy (8bit):6.40017638389556
                              Encrypted:false
                              SSDEEP:192:XhICWIgWYqVsAZ9uQfFaWSawTyihVWQ4yW1AuV17vJ4qnajlAU9p:pWIgWYwlKeHwGynC1x4leq
                              MD5:E0A655D1C95C3DF664979A64AB106233
                              SHA1:C3CE0BE2307F1D8F259B5E4C41DA05EB1B06D7D9
                              SHA-256:D11E1026237BB88F21A3715C3974ADD6D38EBC67E0BDF49EFDADA8C0F2325E21
                              SHA-512:7F6E3D12B714FE7AA582E948E4D8082F43F941F547C6149E1F0799E56DE650CF8E7FE43A5323DF2F9DB4AADAE2C2CBAA3EC5A9411E4AC55515D5B4F211E160BF
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14280
                              Entropy (8bit):6.218820573953743
                              Encrypted:false
                              SSDEEP:192:EWiSWcCbc6VqUWiOyooBpNd8gVpWSawTyihVWQ4eWoCNxXeRqnajRoAX:EWiSWnVV/so/Nd8gkwGyJ4JeRlFj
                              MD5:F1F1C1B87F90B32A7DFD5E0585397640
                              SHA1:982F26D732346B2790ABEF9661F064F10B4CCF11
                              SHA-256:FC7804F1D8BF1950B706D098AB3E9458188FA5166BCF3F1B82EFAD837EE2B96F
                              SHA-512:FBB8BF75FD3E3BA40F21A2D05C7C4BB1BDF2F32ADF0A39E27875605EBB97A210DA65CBDF335A406E9D048F369E1A1538051D7ACBFCB5708E6FADD5588AE53CBD
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14488
                              Entropy (8bit):6.299904311809546
                              Encrypted:false
                              SSDEEP:192:5W2fWaNKnSdsL0pbkkWSawTyihVWQ4WWbLOMGw4ZLqnajVxo+twaWs:5W2fWa0SuQwwGyGzGw6lx2+tV
                              MD5:35775B2F4BFDE90DEDF3B0447CF31CD1
                              SHA1:B06D57A7A012C1340CC302CBA2206E75306D9CE8
                              SHA-256:BB63982B678EAA9FD27F38EC4BDD0C8C1E6823FCF63BA6EF163C3A76F906C19E
                              SHA-512:94C94FBB96917568DA08F0CC74CBEC69C9E288465B96DDAC50C9414E500C18898B98DF1CFD7E42B646A8A5FD74DE0BB42CA4331777102B274CFF9C8BA7C0BC21
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3584
                              Entropy (8bit):3.6958624173591867
                              Encrypted:false
                              SSDEEP:48:yl7ncjQgJ6u7l7luZjlofZWyXgun3Yy5WwHgc:Gr4QgJT7pXW8/Ww/
                              MD5:C4E168BAA1666243EA3B3D16C4042AE5
                              SHA1:5920A3CC13ADE94FC273A41084FBFFAEF240FAA0
                              SHA-256:7BE21526023BE44794B5CAFA184F92AC72265CAA7BB356586BBF8622B9042743
                              SHA-512:368E8D5439819416832C3E8CF38A4EEF49647E834553D48297DB50FA068BB534114D4B6D1D5FA0E08F28967A9F98FF7B66622A8829611C8EDD62ADF52D404241
                              Malicious:false
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6868
                              Entropy (8bit):4.88243271415529
                              Encrypted:false
                              SSDEEP:192:IFoOIXXztb+ih7zIRU605MNd611/mqv0c9K40/zI1A4HSjG2UcNG2hATuluzS5M:IfiXzk8nodXqe3G2Ul2WCluzS5M
                              MD5:46E876C55F0B4A5EAC1DD6F36B10156D
                              SHA1:D9B0877FD91F6BD28987915B417E90FD4DF8F323
                              SHA-256:1AB7AE96D9588E7ED6C3A44AFA67F02A01CA3360967C4333F23F73DBAD273860
                              SHA-512:577B969D5B1B36E0A00686B1627CBD2628CCAEF0BF15AEF4605A7CF1202BA299D8F15071570502E14AA119828B06BC1A2539C580D2B98E496F8C6E8A138DF3B6
                              Malicious:false
                              Preview:Option Explicit....' Globals..'..Dim ObjShell, ObjFS....Dim manual,targetDir....Set ObjShell = CreateObject ("WScript.Shell")..Set ObjFS = CreateObject ("Scripting.FileSystemObject")....' Regular Expressions..'..Dim RegExFolderPart, RegExExtensionPart, RegExIsManifest....Set RegExFolderPart = New RegExp..RegExFolderPart.Pattern = "^.*\\"..RegExFolderPart.Global = True..RegExFolderPart.IgnoreCase = True..RegExFolderPart.MultiLine = False....Set RegExExtensionPart = New RegExp..RegExExtensionPart.Pattern = "\.[^.\\]+$"..RegExExtensionPart.Global = True..RegExExtensionPart.IgnoreCase = True..RegExExtensionPart.MultiLine = False....Set RegExIsManifest = New RegExp..RegExIsManifest.Pattern = ".+\.man$"..RegExIsManifest.Global = True..RegExIsManifest.IgnoreCase = True..RegExIsManifest.MultiLine = False....' There is no convenient way to check whether WScript is defined...' This code captures the possible undefined error to perform the check...' ..On Error Resume Next..manual =
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5875
                              Entropy (8bit):5.3557551859250125
                              Encrypted:false
                              SSDEEP:96:/34QEeA5Ro2hiP/X0kOwKCW4KSQkzt0w9o59o99px9/ypSszh105dVmeUe://cQHXOSQkzt0w9o59o99px9/ypSUhyH
                              MD5:50E89BF01A3A4863558AC455E327F67D
                              SHA1:30918E2EEBDD6A8B57C01FB9D4D2E67001718556
                              SHA-256:A09055272B101ECB26CCA7A2074760089310D36A5A99EA323AFAE6C5A40994FB
                              SHA-512:673B8C57C3650A06B3F71CAE68CC2364FC9378DC247CB51AAD892121EA4772E48E89F045F54EC343A329C8E294D624DDFAFAF117A2F576CD54C1FD53DA8FFD55
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-ActionQueue-Instrumentation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<registryKeys>.... ActionQueue Provider -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{0DD4D48E-2BBF-452f-A7EC-BA3DBA8407AE}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>...</registryKeys>...<instrumentation xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xs="http://www.w3.org/2001/XMLSche
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (308), with CRLF line terminators
                              Category:dropped
                              Size (bytes):6729
                              Entropy (8bit):5.317784896789317
                              Encrypted:false
                              SSDEEP:192://nKwBXRSvS8zX9b03a3C3c3s3j3RlI0er89CwX:/RtAzX9iksWGrLq5Q
                              MD5:E5FE08A22E9320EF0A3C2A9B38C1EE5A
                              SHA1:47D1273C385ABF608BB320AEF38A959D876BB67E
                              SHA-256:760776B8226BCB92023A263827C538FA6EA8101AB6BC3C26E16DBF0CE4B9BDA1
                              SHA-512:3E4AA4617F6D8840CD765EBF3D12CAD30007E564E137701CD28F26C48D2876B2EF1BD8EF14EC13E05E7F2C405EE7C62661D97274462CF5FDA173309B513D7CA9
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-Audit-Instrumentation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<registryKeys>.... Audit Provider -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{75EBC33E-0936-4a55-9D26-5F298F3180BF}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>...</registryKeys>...<instrumentation xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xs="http://www.w3.org/2001/XMLSchema">....<eve
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6734
                              Entropy (8bit):5.3888303949800225
                              Encrypted:false
                              SSDEEP:192:/0SEfxX0gtSgTCElEKETEyEaE4pBQh5l0X:/0X0g1ZmN4Vdfe
                              MD5:3AC4680E385DB49B70F40CF72ABB9ECF
                              SHA1:982AAEC54957996AA44C471217FA2A0ED09E04EE
                              SHA-256:BC85FF7F176F572FC08A0F64C1883929CFA7D69C15D7D5055BA83EED53D89CEC
                              SHA-512:F80DB13E6334F634A9733893B1FD5F8E7AB4892AD07FB857560662FFF712B5DDBD5CCF05418712CCB986EEAC6FDF99681FB3AC93278669EC1367752CDD3D114D
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-CmiSetup-Instrumentation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<registryKeys>.... CmiSetup Provider -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{75EBC33E-0CC6-49da-8CD9-8903A5222AA0}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SetupPlatform\{75EBC33E-0CC6-49da-8CD9-8903A5222AA0}">.....<r
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (329), with CRLF line terminators
                              Category:dropped
                              Size (bytes):8649
                              Entropy (8bit):5.398095437005717
                              Encrypted:false
                              SSDEEP:192:/XsX7qGamXcSvSDSLSvSIS8z7JhQXHX1XfXfXsXeXGXulMFe7ElKtokX:/8XKiaz7JA3FvvKU85qJCk
                              MD5:9011C690890B450CDD3C66B0D39320FA
                              SHA1:BADEB0C6E5AC6B27CA46C13B97BE43E09A21F894
                              SHA-256:E036A06571BE39E79E7747CEEC0E74E421EAE213E0D0F849A2F7A319CD34EC7B
                              SHA-512:17AD6F5595DDA381C21EF2CB424AF97FDBB5205CD5A863EDDAC9C392E8927FC0984A02F84FB71FE0987B0089BC13B5C9F4B2C1C0EF97B3F7F1526557A3D5A595
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-OobeLdr-Instrumentation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<registryKeys>.... OobeLdr Provider -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{75EBC33E-8670-4eb6-B535-3B9D6BB222FD}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SetupPlatform\{75EBC33E-8670-4eb6-B535-3B9D6BB222FD}">.....<reg
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (336), with CRLF line terminators
                              Category:dropped
                              Size (bytes):19567
                              Entropy (8bit):5.3107228470995205
                              Encrypted:false
                              SSDEEP:384:/RluxJo9Cz3DJpqvWG0O2FS789Moz6PkqcJfOnV7ZLyM:Jlhma0iJzp
                              MD5:64E2C5EB038FB41FC0EC80D62B0B5602
                              SHA1:DDD65033147C092018E0F87E7DC6065B35D68BF5
                              SHA-256:BBFFA9E547DB2A24CD9E59B57D7F5D570A75A243D5BDCDA8133E6E7FF97A4879
                              SHA-512:575E4AAB1376845D252C95CCA377ABB3F5DBF975FC1B68536FA9F9C88A66E2F853D67526BFA554E4E0301111FEBC5AA157E7A5235B0545050C55438DB6739C79
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-Setup-Events" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<file destinationPath="$(runtime.system32)\" importPath="$(build.nttree)\" name="setupetw.dll" sourceName="setupetw.dll" sourcePath=".\"></file>...<registryKeys>.... Deplorch Provider -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{B9DA9FE6-AE5F-4f3e-B2FA-8E623C11DC75}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>.... SetupQueue
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):9178
                              Entropy (8bit):5.37475841413593
                              Encrypted:false
                              SSDEEP:192:/kyqAnXTSGSDSLSvSISgpRbQ5Bg3dnedwd7dmlRlyxrYrX:/pUpRb+cKoJE
                              MD5:6C0651E37E0864BBD319599DCCB5D687
                              SHA1:50529EA09A03F49486C4FDBDE961016802387017
                              SHA-256:DEAE9A4B5A79587A4603D3E07C408D2835C10F9B6DE2FC130E344D30E09E681D
                              SHA-512:236EB9D03DBC864F00BF1C90041142FFB85E95433283710B264F70F3E5805171E789B7C532F7422F85336B6B3315EEB409F15C70EEA29D93AF9E45F70EA7E0EE
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-Setup-Instrumentation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<registryKeys>.... Main Setup.exe Provider -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{75EBC33E-997F-49cf-B49F-ECC50184B75D}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SetupPlatform\{75EBC33E-997F-49cf-B49F-ECC50184B75D}">....
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):14624
                              Entropy (8bit):5.205709491398286
                              Encrypted:false
                              SSDEEP:384:/DNBxPhVOxzpi3BWB21HoqBL8A7XCq7/MdEBnNMYdZh1gI:LZJZh13
                              MD5:48921F57351877A84C350A9B2DABDC2A
                              SHA1:2C2EDF404A9C5BAA3EE0B4FAAFEC7A28F707AEF7
                              SHA-256:FE702AD2FCF6081582214E7E87B1501AFB9AE5A8052CF012E7DEEF21D8769E12
                              SHA-512:504860B1F7456D06AF121E5BBDF3738656EAAF8C9F7437FD5773AA627A96A1EA8C4224FD9862FD2406D387D52D4F54FE8FC96770A667002599C4BAC392FDAE56
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-SetupCl-Events" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<registryKeys>.... AutoLogger Configuration -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{75EBC33E-D017-4D0F-93AB-0B4F86579164}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SetupPlatform\{75EBC33E-D017-4D0F-93AB-0B4F86579164}">.....<regi
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6725
                              Entropy (8bit):5.3732966318905095
                              Encrypted:false
                              SSDEEP:192:/DSpaXTOS8z6kGhOhO8OsOBO/Okpv9eUIUvX:/D+z6k1It9oGQ/5
                              MD5:9D58493C36137BE7617CDD7FF4921816
                              SHA1:60C7691D4A1D80D0D43CE0D65A5FB704A35266E5
                              SHA-256:F7D2AEC80BD88C13935862787319E95D66B7366583843AFF0275CECBF4761911
                              SHA-512:157123C921F50BA5D7466861AFD6AC97CDDC49480D8E99415C4F128D39E6522D48BD04ED1839EDFE664E197CC4F00E374E93D790F2C2B441CB937C3555322B80
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-SetupUGC-Instrumentation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<registryKeys>.... SetupUGC Provider -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{75EBC33E-0870-49e5-BDCE-9D7028279489}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>...</registryKeys>...<instrumentation xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xs="http://www.w3.org/2001/XMLSchema">..
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (307), with CRLF line terminators
                              Category:dropped
                              Size (bytes):13721
                              Entropy (8bit):5.3293991810296335
                              Encrypted:false
                              SSDEEP:384:/g4F3BzFToloWbubn1ut5VmXCDRUbNH28ugHQYuNSAjiyNmWUECzS:ZGitutgt28uUQYu2ydpCzS
                              MD5:D2FBAE2E0730981F668C37E43D24EA21
                              SHA1:07D9D8B393B88B1078FF6F689EDA436AC54229BB
                              SHA-256:CF386154B225B2180DDFAAA2301E283F3740AFE10C3700641AB49DCC7ADA980D
                              SHA-512:9B1C89C5697F685C8632CF5B85113F181FE8431D51F6CDA234872254DDAF30CE090D93887671B9D1841B826FE3B1DA717A6CCE199AEE65E0024F62A74E651645
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-Sysprep-Instrumentation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<registryKeys>.... Sysprep Provider -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{75EBC33E-77B8-4ba8-9474-4F4A9DB2F5C6}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SetupPlatform\{75EBC33E-77B8-4ba8-9474-4F4A9DB2F5C6}">.....<reg
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:XML 1.0 document, ASCII text, with very long lines (315), with CRLF line terminators
                              Category:dropped
                              Size (bytes):8517
                              Entropy (8bit):5.410673459979849
                              Encrypted:false
                              SSDEEP:192:/HE5NqAKCXISDSLSvSIS8z4XXWcE9WJZJPJmJuJRJRBbaJRCimJR2ompa2eKPSPQ:/4bz4nWavxaCHiowP
                              MD5:0906421A167772C098D9DA6BFA6D15D7
                              SHA1:5B7BE3F98969D2D4AC351E94E7774F459481ECED
                              SHA-256:10843D16B5051F1C1F2D17A7DCABBE9F521B172E1EE8D5165DA199286830C0D6
                              SHA-512:8879420F4EC62E19AEBCB1C9AF54DEA1EBF3BEF111D3C363AD13F59336134DC5DA78D657F9E2C1ECCC6C8FCE0EF7C3DF8EFFF2E261C57750D40083BD0E8CD9D9
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v3" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">...<assemblyIdentity buildType="release" language="neutral" name="Microsoft-Windows-Windeploy-Instrumentation" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" version="10.0.10011.16384" versionScope="nonSxS"></assemblyIdentity>...<registryKeys>.... Windeploy Provider -->....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\Microsoft-Windows-Setup\{75EBC33E-C8AE-4f93-9CA1-683A53E20CB6}">.....<registryValue name="Enabled" value="1" valueType="REG_DWORD"></registryValue>.....<registryValue name="EnableLevel" value="4" valueType="REG_DWORD"></registryValue>....</registryKey>....<registryKey keyName="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SetupPlatform\{75EBC33E-C8AE-4f93-9CA1-683A53E20CB6}">.....
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14792
                              Entropy (8bit):6.183621207126473
                              Encrypted:false
                              SSDEEP:192:x7WTQCWNNa+UuqjIzCp7GWSawTyihVWQ4eWGG4IjpeLirKqnaj/:x7WTQCWNNar0CPwGybAcLIKlz
                              MD5:858B7F81EBB2772EA63BA562624ED82C
                              SHA1:F6E12D33A84D52CD26CCD81865AB01DD3F5F3669
                              SHA-256:AD423279F85B6E3AD4AA940875D0C0FBF205CD5968784306DE148039CFB55DFE
                              SHA-512:9AF0EC9B67EF1C4285DE0A4A5AB8166FDB110F4858D55801607236DAD57EEA606F45B277816F46D3A2D83E00EA8F496741580F3F96ACE8676D06CBAA62041203
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....n..........." .........................................................@............`.......................................................... ...................!..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@......n.........T...8...8.........n.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!..x....rsrc$02.... ......:.s2P0.e.V...bq...a........n.........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):19096
                              Entropy (8bit):5.754460461850601
                              Encrypted:false
                              SSDEEP:384:MWK7PPWAPgrpp1icTnA6lLSW4KwGy67TplxboCT:6L6lu6eCT
                              MD5:8ECCB47A853E70694383FFDBA28AEB70
                              SHA1:7A6457749D49490358F6E126C649D3116B5F10B9
                              SHA-256:AA05FFD3168741723B49F900AC5425435BA415C6B78921FE3AAD950014090DDD
                              SHA-512:75A70242074953D1334635225AE576D5C2EBBE29355ACFF35D0E2E533C8987FFD2491EE995D8B277B9F08CF27989AD87D0F6460B6974CA690EC9006D4C927CD3
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....mK.........." .........&...............................................P.......5....`.......................................................... .. "...........(..."..............8............................................................................rdata..............................@..@.rsrc... "... ...$..................@..@......mK........T...8...8.........mK........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!...!...rsrc$02.... .......j.#H.....{5..=..k8#.gS..mK........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):20792
                              Entropy (8bit):5.70438683755216
                              Encrypted:false
                              SSDEEP:384:7Wgj4WNxP9LxCyMasQijiA/QxfkD1IDBRJtsimfklFQ8:xDxZlSI1PP
                              MD5:4C490549323CC59DEEA68B273B5B252C
                              SHA1:B927341F50749EDE1BAE49EE058307510AEDE12C
                              SHA-256:ED6EB80987CA999CDD9B13EA8FD80B01845F42D628273E607BEC580AB992127C
                              SHA-512:CF7826267B4D08036862F0A24AC10578CEDD4C04D4619F1A8E55D93C8C63FF1B77B98F6CC374DE02EB71DA152419A2857DC0844931F989AE041E8A8AF7E27C5A
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d.....Dg.........." .........................................................P......;"....`.......................................................... ..`+...........0..8!..............8............................................................................rdata..............................@..@.rsrc...`+... ...,..................@..@......Dg........T...8...8.........Dg........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!..P*...rsrc$02.... ......K=..H..&E..JM...v.>..1....Dg........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):13768
                              Entropy (8bit):6.376918354478161
                              Encrypted:false
                              SSDEEP:384:y7QWMrpW/l9vF1wOVsfXS6IxXHwGyAzIwS+klTx:y70uG8HRdO
                              MD5:8FAFFAF507EAADCC16337FE12D5BE6F7
                              SHA1:CC2AAAA59656ADBC11BA572D152F8C047039E27E
                              SHA-256:D98DAB3D10D5D59A8D96C095837B36BC1BB88413B636925897320C56A87ED416
                              SHA-512:BF510956D190520B9A01083B8C55C9C0539DD01F9E79DE1AA5F8DFF409EE4767E278E0A96E2FAB85C45D19D029E69364C485495A3ADEAE2BBD8B8387445F337F
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d................" .........................................................0......).....`.......................................................... ...................!..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@...............T...8...8..................$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... .....x.!.0.....(....b...0...X.............................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):18376
                              Entropy (8bit):5.881388134887721
                              Encrypted:false
                              SSDEEP:192:L5W+XRhWm4m7xKI0E1TWiR41wkw2GoK+d9Bz5CS1WSawTyihVWQ4eWn4imXD4ZGT:L5WuRhWm1LP2Z5c1wGy1imfklFQ
                              MD5:6F8ADA2095C3EA39A2A2878AAA4974EB
                              SHA1:2F1926604C6F99B3A5BFA7786FE0E3FFEF61B880
                              SHA-256:1032A9CAAE1C5F46A3C9D50F0E9125BEAEFC8D8C74EAC5E5A862B57000CAA31B
                              SHA-512:4750F4D4E1F9E876D4943BB799F24ABD570325A85EEC4C584CF7114D42E8CFD55611F7F502A7F7843414DA1522C9400C0DDFEC42B40BB230BA3AFCA7D0ADE648
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....C.o.........." .........$...............................................P............`.......................................................... ... ...........&...!..............8............................................................................rdata..............................@..@.rsrc.... ... ..."..................@..@.....C.o........T...8...8........C.o........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... ....bw.L.\}ztB.N.@...W.W...O.p..C.o........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):14280
                              Entropy (8bit):6.3010581813709985
                              Encrypted:false
                              SSDEEP:192:wbWOkWON1Ae84gUGNHSXTFZ0WSawTyihVWQ4eW/ed8QRW52fqnaj7zdKT:QWOkWOXAe84p+SrtwGynd8ifl/zdK
                              MD5:3F46FC97FD9FA40DFBC64B5D11FCA873
                              SHA1:F4478C6A4C0B4F6CC0E5C26C8616568BB6520718
                              SHA-256:B5A1A3777AF283135132C001A1405A06C9541DB7854EF3E694EC1EB71B3BC61E
                              SHA-512:FC7962BA4561BBEDDB65D5E6C07982825F0B52E3FF398EC062F2DF7C6E65C188E165A6CA2C640C55572E8F1CBBDC7A76E52F9557920B0F1EDEAA1F44AC89D4AC
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d...Y..(.........." .........................................................@.......T....`.......................................................... ...................!..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@....Y..(........T...8...8.......Y..(........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... ...#.^*..t..f....Ey...[....E.]Y..(........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\TMX.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):66504
                              Entropy (8bit):4.252021822352454
                              Encrypted:false
                              SSDEEP:768:9hsDaSWMW7KvBjM42Hib89Z108OCJVwvwM7pEoYPWnwbE+qdDdRTbk1acX/smDKq:9JPhDanTqLlqjH/oGA
                              MD5:EBC4351BC220DDE964BE04AC1621DDAE
                              SHA1:F8D5D6691A56C0C10E78078478B69F6C04C920A4
                              SHA-256:7FF4D3134B0C6049BABB0D2A3B301909B7803602AF25F03466DE3B4796F7FC83
                              SHA-512:4A10D880075F370DE7BD074D6E5FE83815EEE8CCAD18A0179CFC11A8E1885B25A0CD86AB576FA0210DCE0EEB305BA747B1825484A3176A6188BCE3A3E494734E
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....D#..........." ................................................................k.....`.......................................................... ...................!..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@.....D#.........T...8...8........D#.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... ....gA.)...u{Q>2.D.........._..D#.........................................................................................................................................................................................................................................................................................................................
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.982722957169909
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:TMX.exe
                              File size:4'610'952 bytes
                              MD5:c3ac80cb293b407a4f4065c9fa978b97
                              SHA1:9ebb9bc726023abe689bfdf5d7e7be5193896771
                              SHA256:a4b87f426a36ea97a0f437eea63774f7949fc1f24d293ab9bd79b77fb8355e5b
                              SHA512:70b184dbbe99caa3b0c7c25cddbd139314c511c0c6875cb862cf32a15d4f7726c0d202011266377369afd5cc508631d7d07f39ee419ea38ec2069b421153af70
                              SSDEEP:98304:fHv6YtCyTPLi1kVsjgHtl6NTHF8wVBHsY3cjzOZLkNVFv:YyTrV7HtlqlrVBHsY3cPOZLQVB
                              TLSH:8726337FC18098E4C45A58F81B47C8C1929B51626071EFAA6B0F77C0E1FDBC9645E3EA
                              File Content Preview:MZ..............@.......@................................................(.................@.......!..L.!.......5qgHiPVIAuMGcQy/rRqVip+RCApn9ZO2w+Ly8E1CDyR5LJm+5uf7CGUwB7h2bjW80sC/WBv+oKWLcWw2NBj6tPtAyhwGhKRF60B=$..........................................
                              Icon Hash:42c0caf0724d0519
                              Entrypoint:0xe49000
                              Entrypoint Section:
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x667E8502 [Fri Jun 28 09:40:18 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:0267b1c2c2f8c084a732df41ad1c1773
                              Signature Valid:true
                              Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                              Signature Validation Error:The operation completed successfully
                              Error Number:0
                              Not Before, Not After
                              • 21/02/2022 00:00:00 20/02/2025 23:59:59
                              Subject Chain
                              • CN=ing. Michal Mutl, O=ing. Michal Mutl, S="Praha, Hlavn\xed m\u011bsto", C=CZ
                              Version:3
                              Thumbprint MD5:25F54ABF16EC79C193F385341BDFA0B3
                              Thumbprint SHA-1:ACEEBDADAF8E139C5B5B62A835440BED74747EDF
                              Thumbprint SHA-256:F2443BF7493DFEC3958C203997FFFE350CA80A7BD52BC39DA9BEB941D5DE3DF5
                              Serial:7FB2DC3C0F1D43E1D1FE625E055C1480
                              Instruction
                              jmp 00007F3F7CE3A454h
                              | Name | Virtual Address | Virtual Size | Is in Section |
                              | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cc000 | 0x164 | |
                              | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8cd000 | 0x17a234 | .rsrc |
                              | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x462e40 | 0x2d48 | |
                              | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa48680 | 0x10 | |
                              | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_TLS | 0xa48000 | 0x18 | |
                              | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
                              | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
                              | Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                              | | 0x1000 | 0x8c0000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_READ |
                              | | 0x8c1000 | 0x6dfa | 0x6e00 | 6005eaec5dab3a0a772038f6dd91d58e | False | 0.23678977272727272 | data | 5.017057577047592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                              | | 0x8c8000 | 0x4000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ |
                              | | 0x8cc000 | 0x1000 | 0x200 | cbae1998e4a959df702e9471fc563fa6 | False | 0.388671875 | data | 2.8207790808514375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                              | .rsrc | 0x8cd000 | 0x17a234 | 0x92924 | 0b3747930b5a13cbff09f0502e09fa88 | False | 0.7098271692129337 | data | 7.655796284408263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                              | | 0xa48000 | 0x1000 | 0x800 | ac5b915600228c1661c3add1c04b0f48 | False | 0.0224609375 | data | 0.09468455378427074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                              | | 0xa49000 | 0x18000 | 0x17cd5 | 36ddc903fd8fe94a2a28c3b142594334 | False | 0.9994050854933175 | DOS executable (COM) | 7.996625635372898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              VCLSTYLE | 0xa293ec | 0x1de46 | empty | English | United States | 0
                              RT_CURSOR | 0xa292b8 | 0x134 | empty | English | United States | 0
                              RT_CURSOR | 0xa29184 | 0x134 | empty | English | United States | 0
                              RT_CURSOR | 0xa29050 | 0x134 | empty | English | United States | 0
                              RT_CURSOR | 0xa28f1c | 0x134 | empty | English | United States | 0
                              RT_CURSOR | 0xa28de8 | 0x134 | empty | English | United States | 0
                              RT_CURSOR | 0xa28cb4 | 0x134 | empty | English | United States | 0
                              RT_CURSOR | 0xa28b80 | 0x134 | empty | English | United States | 0
                              RT_CURSOR | 0xa28894 | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa285a8 | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa282bc | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa27fd0 | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa27e9c | 0x134 | empty | German | Germany | 0
                              RT_CURSOR | 0xa27d68 | 0x134 | empty | | | 0
                              RT_CURSOR | 0xa27c34 | 0x134 | empty | English | United States | 0
                              RT_CURSOR | 0xa27b00 | 0x134 | empty | German | Germany | 0
                              RT_CURSOR | 0xa27814 | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa27528 | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa2723c | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa26f50 | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa26c64 | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa26978 | 0x2ec | empty | German | Germany | 0
                              RT_CURSOR | 0xa26844 | 0x134 | empty | English | United States | 0
                              RT_BITMAP | 0xa2675c | 0xe8 | empty | English | United States | 0
                              RT_BITMAP | 0xa260f4 | 0x668 | empty | English | United States | 0
                              RT_BITMAP | 0xa25a8c | 0x668 | empty | English | United States | 0
                              RT_BITMAP | 0xa25424 | 0x668 | empty | English | United States | 0
                              RT_BITMAP | 0xa24dbc | 0x668 | empty | English | United States | 0
                              RT_BITMAP | 0xa24cac | 0x110 | empty | English | United States | 0
                              RT_BITMAP | 0xa24b9c | 0x110 | empty | English | United States | 0
                              RT_BITMAP | 0xa24534 | 0x668 | empty | English | United States | 0
                              RT_BITMAP | 0xa23ecc | 0x668 | empty | English | United States | 0
                              RT_BITMAP | 0xa23864 | 0x668 | empty | English | United States | 0
                              RT_BITMAP | 0xa235fc | 0x268 | empty | | | 0
                              RT_BITMAP | 0xa23394 | 0x268 | empty | | | 0
                              RT_BITMAP | 0xa2312c | 0x268 | empty | | | 0
                              RT_BITMAP | 0xa23008 | 0x124 | empty | | | 0
                              RT_BITMAP | 0xa22ee4 | 0x124 | empty | | | 0
                              RT_ICON | 0x8ce29c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.150093808630394
                              RT_ICON | 0x8cf36c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3129432624113475
                              RT_ICON | 0x8cf7fc | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.1386094674556213
                              RT_ICON | 0x8d128c | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.325
                              RT_ICON | 0x8d196c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.12717842323651452
                              RT_ICON | 0x8d3f3c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.2786885245901639
                              RT_ICON | 0x8d48ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.07699574870099198
                              RT_ICON | 0x8d8b3c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.1801125703564728
                              RT_ICON | 0x8d9c0c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3129432624113475
                              RT_ICON | 0x8da09c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.2786885245901639
                              RT_ICON | 0x8daa4c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.150093808630394
                              RT_ICON | 0x8dbb1c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.12717842323651452
                              RT_ICON | 0x8de0ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.07699574870099198
                              RT_DIALOG | 0xa22e90 | 0x52 | empty | | | 0
                              RT_DIALOG | 0xa22e3c | 0x52 | empty | | | 0
                              RT_STRING | 0xa22cfc | 0x140 | empty | | | 0
                              RT_STRING | 0xa22c1c | 0xe0 | empty | | | 0
                              RT_STRING | 0xa22b2c | 0xf0 | empty | | | 0
                              RT_STRING | 0xa229a4 | 0x188 | empty | | | 0
                              RT_STRING | 0xa224dc | 0x4c8 | empty | | | 0
                              RT_STRING | 0xa21f6c | 0x570 | empty | | | 0
                              RT_STRING | 0xa21af4 | 0x478 | empty | | | 0
                              RT_STRING | 0xa217dc | 0x318 | empty | | | 0
                              RT_STRING | 0xa213ac | 0x430 | empty | | | 0
                              RT_STRING | 0xa20e0c | 0x5a0 | empty | | | 0
                              RT_STRING | 0xa20464 | 0x9a8 | empty | | | 0
                              RT_STRING | 0xa1fa40 | 0xa24 | empty | | | 0
                              RT_STRING | 0xa1f5f4 | 0x44c | empty | | | 0
                              RT_STRING | 0xa1f0d4 | 0x520 | empty | | | 0
                              RT_STRING | 0xa1ec74 | 0x460 | empty | | | 0
                              RT_STRING | 0xa1e84c | 0x428 | empty | | | 0
                              RT_STRING | 0xa1e488 | 0x3c4 | empty | | | 0
                              RT_STRING | 0xa1e074 | 0x414 | empty | | | 0
                              RT_STRING | 0xa1dc68 | 0x40c | empty | | | 0
                              RT_STRING | 0xa1d954 | 0x314 | empty | | | 0
                              RT_STRING | 0xa1d624 | 0x330 | empty | | | 0
                              RT_STRING | 0xa1d1b8 | 0x46c | empty | | | 0
                              RT_STRING | 0xa1cd28 | 0x490 | empty | | | 0
                              RT_STRING | 0xa1c9dc | 0x34c | empty | | | 0
                              RT_STRING | 0xa1c940 | 0x9c | empty | | | 0
                              RT_STRING | 0xa1c7f4 | 0x14c | empty | | | 0
                              RT_STRING | 0xa1c6c8 | 0x12c | empty | | | 0
                              RT_STRING | 0xa1c2ac | 0x41c | empty | | | 0
                              RT_STRING | 0xa1be78 | 0x434 | empty | | | 0
                              RT_STRING | 0xa1bacc | 0x3ac | empty | | | 0
                              RT_STRING | 0xa1b5d0 | 0x4fc | empty | | | 0
                              RT_STRING | 0xa1b10c | 0x4c4 | empty | | | 0
                              RT_STRING | 0xa1aef4 | 0x218 | empty | | | 0
                              RT_STRING | 0xa1aa68 | 0x48c | empty | | | 0
                              RT_STRING | 0xa1a808 | 0x260 | empty | | | 0
                              RT_STRING | 0xa1a704 | 0x104 | empty | | | 0
                              RT_STRING | 0xa1a5ec | 0x118 | empty | | | 0
                              RT_STRING | 0xa1a4b4 | 0x138 | empty | | | 0
                              RT_STRING | 0xa1a358 | 0x15c | empty | | | 0
                              RT_STRING | 0xa1a1b8 | 0x1a0 | empty | | | 0
                              RT_STRING | 0xa1a030 | 0x188 | empty | | | 0
                              RT_STRING | 0xa19f14 | 0x11c | empty | | | 0
                              RT_STRING | 0xa19de0 | 0x134 | empty | | | 0
                              RT_STRING | 0xa19988 | 0x458 | empty | | | 0
                              RT_STRING | 0xa19384 | 0x604 | empty | | | 0
                              RT_STRING | 0xa18f00 | 0x484 | empty | | | 0
                              RT_STRING | 0xa18a94 | 0x46c | empty | | | 0
                              RT_STRING | 0xa1876c | 0x328 | empty | | | 0
                              RT_STRING | 0xa18440 | 0x32c | empty | | | 0
                              RT_STRING | 0xa18028 | 0x418 | empty | | | 0
                              RT_STRING | 0xa17d38 | 0x2f0 | empty | | | 0
                              RT_STRING | 0xa17c78 | 0xc0 | empty | | | 0
                              RT_STRING | 0xa17bdc | 0x9c | empty | | | 0
                              RT_STRING | 0xa17898 | 0x344 | empty | | | 0
                              RT_STRING | 0xa17408 | 0x490 | empty | | | 0
                              RT_STRING | 0xa17140 | 0x2c8 | empty | | | 0
                              RT_STRING | 0xa16e50 | 0x2f0 | empty | | | 0
                              RT_STRING | 0xa16ac4 | 0x38c | empty | | | 0
                              RT_RCDATA | 0x8e30bc | 0xd5d | data | English | United States | 1.0032154340836013
                              RT_RCDATA | 0x8e3e44 | 0xd57 | data | English | United States | 1.003221083455344
                              RT_RCDATA | 0x8e4bc4 | 0xcfc | data | English | United States | 1.003309265944645
                              RT_RCDATA | 0x8e58e8 | 0xcd9 | data | English | United States | 1.0033444816053512
                              RT_RCDATA | 0x8e65ec | 0xd5d | data | English | United States | 1.0032154340836013
                              RT_RCDATA | 0x8e7374 | 0xd57 | data | English | United States | 1.003221083455344
                              RT_RCDATA | 0x8e80f4 | 0xc4e | data | English | United States | 1.0034920634920634
                              RT_RCDATA | 0x8e8d6c | 0xc4e | data | English | United States | 1.0034920634920634
                              RT_RCDATA | 0x8e99e4 | 0xcb5 | data | English | United States | 1.0033814940055334
                              RT_RCDATA | 0x8ea6c4 | 0xcb0 | data | English | United States | 1.0033866995073892
                              RT_RCDATA | 0x8eb39c | 0xd56 | data | English | United States | 1.0032220269478618
                              RT_RCDATA | 0x8ec11c | 0xd47 | data | English | United States | 1.0032362459546926
                              RT_RCDATA | 0x8ece8c | 0xdc2 | data | English | United States | 1.0031232254400908
                              RT_RCDATA | 0x8edc78 | 0xdc5 | data | English | United States | 1.0031205673758865
                              RT_RCDATA | 0x8eea68 | 0xcf3 | data | English | United States | 1.003318250377074
                              RT_RCDATA | 0x8ef784 | 0xced | data | English | United States | 1.0033242671501965
                              RT_RCDATA | 0x8f049c | 0xda9 | data | English | United States | 1.0031455533314269
                              RT_RCDATA | 0x8f1270 | 0xda6 | data | English | United States | 1.0031482541499714
                              RT_RCDATA | 0x8f2040 | 0xcf3 | data | English | United States | 1.003318250377074
                              RT_RCDATA | 0x8f2d5c | 0xced | data | English | United States | 1.0033242671501965
                              RT_RCDATA | 0x8f3a74 | 0x10 | data | | | 1.5625
                              RT_RCDATA | 0xa091e0 | 0xd8e2 | empty | English | United States | 0
                              RT_RCDATA | 0x8f3ad4 | 0x148b | data | English | United States | 1.0020916524054002
                              RT_RCDATA | 0x8f4f88 | 0x111e | data | English | United States | 1.0025102692834322
                              RT_RCDATA | 0x8f60d0 | 0xd8c | data | English | United States | 1.0031718569780854
                              RT_RCDATA | 0x8f6e84 | 0x4 | data | English | United States | 3.0
                              RT_RCDATA | 0x8f6eb0 | 0x62be | data | English | United States | 1.0006329614684706
                              RT_RCDATA | 0xa01714 | 0x7ac9 | empty | | | 0
                              RT_RCDATA | 0xa012d4 | 0x43e | empty | | | 0
                              RT_RCDATA | 0x9f9ef4 | 0x73de | empty | | | 0
                              RT_RCDATA | 0x9f9c00 | 0x2f3 | empty | | | 0
                              RT_RCDATA | 0x9f9950 | 0x2ae | empty | | | 0
                              RT_RCDATA | 0x9f82f4 | 0x165a | empty | | | 0
                              RT_RCDATA | 0x9f5070 | 0x3282 | empty | | | 0
                              RT_RCDATA | 0x9f3cc4 | 0x13ab | empty | | | 0
                              RT_RCDATA | 0x9f27b4 | 0x150f | empty | | | 0
                              RT_RCDATA | 0x9b11ec | 0x415c8 | empty | English | United States | 0
                              RT_RCDATA | 0x9ab26c | 0x5f80 | empty | English | United States | 0
                              RT_RCDATA | 0x9aa278 | 0xff4 | empty | | | 0
                              RT_RCDATA | 0x99f488 | 0xadef | empty | | | 0
                              RT_RCDATA | 0x99e498 | 0xfee | empty | | | 0
                              RT_RCDATA | 0x99c4ac | 0x1fec | empty | | | 0
                              RT_RCDATA | 0x93f698 | 0x5ce12 | data | | | 0.9731939509884303
                              RT_RCDATA | 0x93da48 | 0x1c4e | data | | | 0.9831631244824731
                              RT_RCDATA | 0x93d73c | 0x309 | MySQL table definition file Version 15, type GEMINI, MySQL version 1467955708 | | | 1.0141570141570142
                              RT_RCDATA | 0x9392d4 | 0x4468 | data | | | 0.8253768844221105
                              RT_RCDATA | 0x936b6c | 0x2768 | data | | | 0.9932593180015861
                              RT_RCDATA | 0x918254 | 0x1e918 | data | | | 0.9479106766340809
                              RT_RCDATA | 0x91496c | 0x38e7 | data | | | 0.991213015720464
                              RT_RCDATA | 0x9141fc | 0x76d | data | | | 1.0057864281956865
                              RT_RCDATA | 0x9127d4 | 0x1a25 | data | | | 0.9910354101299865
                              RT_RCDATA | 0x912098 | 0x739 | data | English | United States | 1.005949161709032
                              RT_RCDATA | 0x91195c | 0x739 | data | English | United States | 1.005949161709032
                              RT_RCDATA | 0x910cd4 | 0xc88 | data | English | United States | 0.9996882793017456
                              RT_RCDATA | 0x91004c | 0xc88 | data | English | United States | 1.003428927680798
                              RT_RCDATA | 0x90c6dc | 0x3970 | data | English | United States | 0.9922470076169749
                              RT_RCDATA | 0x8fd620 | 0x333d | data | English | United States | 1.0008386063886558
                              RT_RCDATA | 0x900988 | 0x4d4e | data | English | United States | 1.0008084891359272
                              RT_RCDATA | 0x905700 | 0xe43 | data | English | United States | 1.0030128731854286
                              RT_RCDATA | 0x90656c | 0xbc3 | data | English | United States | 1.0036532713384259
                              RT_RCDATA | 0x907158 | 0xc58 | data | English | United States | 1.0034810126582279
                              RT_RCDATA | 0x907dd8 | 0xbd1 | data | English | United States | 1.0036363636363637
                              RT_RCDATA | 0x9089d4 | 0xcfa | data | English | United States | 1.0033112582781456
                              RT_RCDATA | 0x90b560 | 0x117c | OpenPGP Secret Key | English | United States | 0.9908400357462019
                              RT_RCDATA | 0x90a9a0 | 0xbbf | data | | | 1.0036581310276023
                              RT_RCDATA | 0x909748 | 0x124 | data | | | 1.0376712328767124
                              RT_GROUP_CURSOR | 0x90a98c | 0x14 | data | English | United States | 1.45
                              RT_GROUP_CURSOR | 0x90a978 | 0x14 | data | English | United States | 1.45
                              RT_GROUP_CURSOR | 0x90a964 | 0x14 | data | | | 1.4
                              RT_GROUP_CURSOR | 0x90a950 | 0x14 | data | | | 1.45
                              RT_GROUP_CURSOR | 0x90a93c | 0x14 | data | | | 1.45
                              RT_GROUP_CURSOR | 0x90a928 | 0x14 | data | | | 1.45
                              RT_GROUP_CURSOR | 0x90a914 | 0x14 | OpenPGP Public Key | | | 1.45
                              RT_GROUP_CURSOR | 0x90a900 | 0x14 | data | | | 1.45
                              RT_GROUP_CURSOR | 0x90a8ec | 0x14 | data | | | 1.45
                              RT_GROUP_CURSOR | 0x90a8d8 | 0x14 | data | | | 1.45
                              RT_GROUP_CURSOR | 0x90a8c4 | 0x14 | data | | | 1.45
                              RT_GROUP_CURSOR | 0x90a8b0 | 0x14 | data | | | 1.45
                              RT_GROUP_CURSOR | 0x90a89c | 0x14 | data | | | 1.45
                              RT_GROUP_CURSOR | 0x90a888 | 0x14 | data | English | United States | 1.45
                              RT_GROUP_CURSOR | 0x90a874 | 0x14 | data | English | United States | 1.45
                              RT_GROUP_CURSOR | 0x90a860 | 0x14 | data | English | United States | 1.45
                              RT_GROUP_CURSOR | 0x90a84c | 0x14 | data | English | United States | 1.4
                              RT_GROUP_CURSOR | 0x90a838 | 0x14 | data | English | United States | 1.45
                              RT_GROUP_CURSOR | 0x90a824 | 0x14 | data | English | United States | 1.4
                              RT_GROUP_CURSOR | 0x90a810 | 0x14 | COM executable for DOS | English | United States | 1.45
                              RT_GROUP_ICON | 0x909c7c | 0xbc | data | English | United States | 0.5159574468085106
                              RT_VERSION | 0x909d78 | 0x34c | data | English | United States | 0.4834123222748815
                              RT_MANIFEST | 0x90a104 | 0x70b | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.403771491957848
                              DLL | Import
                              kernel32.dll | GetModuleHandleW
                              user32.dll | SetWindowTextW
                              advapi32.dll | OpenBackupEventLogW
                              comctl32.dll | ImageList_Write
                              Language of compilation system | Country where language is spoken | Map
                              English | United States
                              German | Germany
                              Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                              2024-09-03T09:30:54.698994+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 49739 | 80 | 192.168.2.4 | 172.217.23.100
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Sep 3, 2024 09:30:53.409436941 CEST | 192.168.2.4 | 1.1.1.1 | 0xe362 | Standard query (0) | 51.162.222.173.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.414642096 CEST | 192.168.2.4 | 1.1.1.1 | 0xebdd | Standard query (0) | 23.149.64.172.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.416606903 CEST | 192.168.2.4 | 1.1.1.1 | 0x8e15 | Standard query (0) | 233.38.18.104.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.420444965 CEST | 192.168.2.4 | 1.1.1.1 | 0x9e43 | Standard query (0) | 26.35.223.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.422111034 CEST | 192.168.2.4 | 1.1.1.1 | 0x7cf2 | Standard query (0) | 240.221.184.93.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.424189091 CEST | 192.168.2.4 | 1.1.1.1 | 0x7d48 | Standard query (0) | 3.61.159.162.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.425012112 CEST | 192.168.2.4 | 1.1.1.1 | 0xcb91 | Standard query (0) | 32.162.222.173.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.428093910 CEST | 192.168.2.4 | 1.1.1.1 | 0xe645 | Standard query (0) | 108.211.229.192.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:54.010363102 CEST | 192.168.2.4 | 1.1.1.1 | 0x71f6 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
                              Sep 3, 2024 09:30:54.605679989 CEST | 192.168.2.4 | 1.1.1.1 | 0x7af | Standard query (0) | 100.23.217.172.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:01.654782057 CEST | 192.168.2.4 | 1.1.1.1 | 0x77b1 | Standard query (0) | 172.214.232.199.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:02.589668989 CEST | 192.168.2.4 | 1.1.1.1 | 0xb716 | Standard query (0) | 146.78.124.51.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:02.589965105 CEST | 192.168.2.4 | 1.1.1.1 | 0x5055 | Standard query (0) | 157.123.68.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:03.411197901 CEST | 192.168.2.4 | 1.1.1.1 | 0xed6a | Standard query (0) | 68.32.126.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:03.412225962 CEST | 192.168.2.4 | 1.1.1.1 | 0xb8e9 | Standard query (0) | 95.221.229.192.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:17.835503101 CEST | 192.168.2.4 | 1.1.1.1 | 0x827b | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:19.025532007 CEST | 192.168.2.4 | 1.1.1.1 | 0x7f06 | Standard query (0) | 2.36.159.162.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:22.848862886 CEST | 192.168.2.4 | 1.1.1.1 | 0xb15f | Standard query (0) | 103.169.127.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:32:03.625118971 CEST | 192.168.2.4 | 1.1.1.1 | 0xd93b | Standard query (0) | 168.100.16.2.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Sep 3, 2024 09:30:53.422285080 CEST | 1.1.1.1 | 192.168.2.4 | 0xebdd | Name error (3) | 23.149.64.172.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.423614979 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e15 | Name error (3) | 233.38.18.104.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.427983046 CEST | 1.1.1.1 | 192.168.2.4 | 0x9e43 | Name error (3) | 26.35.223.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.428477049 CEST | 1.1.1.1 | 192.168.2.4 | 0xe362 | No error (0) | 51.162.222.173.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.429625988 CEST | 1.1.1.1 | 192.168.2.4 | 0x7cf2 | Name error (3) | 240.221.184.93.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.430871964 CEST | 1.1.1.1 | 192.168.2.4 | 0x7d48 | Name error (3) | 3.61.159.162.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.438107967 CEST | 1.1.1.1 | 192.168.2.4 | 0xe645 | Name error (3) | 108.211.229.192.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:53.454243898 CEST | 1.1.1.1 | 192.168.2.4 | 0xcb91 | No error (0) | 32.162.222.173.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:54.017282009 CEST | 1.1.1.1 | 192.168.2.4 | 0x71f6 | No error (0) | www.google.com | | 172.217.23.100 | A (IP address) | IN (0x0001) | false
                              Sep 3, 2024 09:30:54.613634109 CEST | 1.1.1.1 | 192.168.2.4 | 0x7af | No error (0) | 100.23.217.172.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:54.613634109 CEST | 1.1.1.1 | 192.168.2.4 | 0x7af | No error (0) | 100.23.217.172.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:30:54.613634109 CEST | 1.1.1.1 | 192.168.2.4 | 0x7af | No error (0) | 100.23.217.172.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:01.133682966 CEST | 1.1.1.1 | 192.168.2.4 | 0x645f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                              Sep 3, 2024 09:31:01.133682966 CEST | 1.1.1.1 | 192.168.2.4 | 0x645f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                              Sep 3, 2024 09:31:01.662106991 CEST | 1.1.1.1 | 192.168.2.4 | 0x77b1 | Name error (3) | 172.214.232.199.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:02.597183943 CEST | 1.1.1.1 | 192.168.2.4 | 0xb716 | Name error (3) | 146.78.124.51.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:02.599189043 CEST | 1.1.1.1 | 192.168.2.4 | 0x5055 | Name error (3) | 157.123.68.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:03.158931017 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e73 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                              Sep 3, 2024 09:31:03.158931017 CEST | 1.1.1.1 | 192.168.2.4 | 0x8e73 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                              Sep 3, 2024 09:31:03.419547081 CEST | 1.1.1.1 | 192.168.2.4 | 0xed6a | Name error (3) | 68.32.126.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:03.420631886 CEST | 1.1.1.1 | 192.168.2.4 | 0xb8e9 | Name error (3) | 95.221.229.192.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:17.845235109 CEST | 1.1.1.1 | 192.168.2.4 | 0x827b | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:19.033078909 CEST | 1.1.1.1 | 192.168.2.4 | 0x7f06 | Name error (3) | 2.36.159.162.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:31:22.855932951 CEST | 1.1.1.1 | 192.168.2.4 | 0xb15f | Name error (3) | 103.169.127.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              Sep 3, 2024 09:32:03.632476091 CEST | 1.1.1.1 | 192.168.2.4 | 0xd93b | No error (0) | 168.100.16.2.in-addr.arpa | | | PTR (Pointer record) | IN (0x0001) | false
                              • www.google.com
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.4 | 49739 | 172.217.23.100 | 80 | 7604 | C:\Users\user\Desktop\TMX.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Sep 3, 2024 09:30:54.026947021 CEST | 58 | OUT | GET / HTTP/1.1
                              User-Agent: test
                              Host: www.google.com
                              Sep 3, 2024 09:30:54.698936939 CEST | 1236 | IN | HTTP/1.1 200 OK
                              Date: Tue, 03 Sep 2024 07:30:54 GMT
                              Expires: -1
                              Cache-Control: private, max-age=0
                              Content-Type: text/html; charset=ISO-8859-1
                              Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-vbU3dGCMndtiA-BZuiebxw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
                              P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                              Server: gws
                              X-XSS-Protection: 0
                              X-Frame-Options: SAMEORIGIN
                              Set-Cookie: AEC=AVYB7cqoDAQYxFPbxxRfqWwZnoGl4JVx4L8Eev9U4AdRS9dNdccvBRwlHQ; expires=Sun, 02-Mar-2025 07:30:54 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
                              Set-Cookie: NID=517=fY90xxN5VxsB6VP1LWE-W7zgNUAL7qJ0WkimI2pVwZJIAw8BcAjQvDg5PlDv1Iz879HDj3-gHsibim5lAb-FFvcls_-7wK5YgyOk34KR-aQHRHpbjkWuaVAqF9RDp6p6OIRhi-_JlZ5qHSbXf12iFxawkOGljpu3qXGFrKDinM6LilxIq296iQQS; expires=Wed, 05-Mar-2025 07:30:54 GMT; path=/; domain=.google.com; HttpOnly
                              Accept-Ranges: none
                              Vary: Accept-Encoding
                              Transfer-Encoding: chunked



                              Target ID: 0
                              Start time: 03:30:40
                              Start date: 03/09/2024
                              Path: C:\Users\user\Desktop\TMX.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Users\user\Desktop\TMX.exe"
                              Imagebase: 0x9f0000
                              File size: 4'610'952 bytes
                              MD5 hash: C3AC80CB293B407A4F4065C9FA978B97
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: Borland Delphi
                              Yara matches:
                              • Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000000.00000002.3611897583.0000000001439000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: Windows_Trojan_RedLineStealer_d4b38e13, Description: unknown, Source: 00000000.00000002.3611897583.0000000001439000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                              • Rule: JoeSecurity_QueryWinSATClassID, Description: Yara detected QueryWinSAT ClassID, Source: 00000000.00000003.2007533311.000000000882E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000000.00000002.3616445614.0000000003660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_QueryWinSATClassID, Description: Yara detected QueryWinSAT ClassID, Source: 00000000.00000003.1922586734.0000000008826000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_QueryWinSATClassID, Description: Yara detected QueryWinSAT ClassID, Source: 00000000.00000003.1967410646.0000000008826000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_QueryWinSATClassID, Description: Yara detected QueryWinSAT ClassID, Source: 00000000.00000002.3654782238.0000000008826000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_QueryWinSATClassID, Description: Yara detected QueryWinSAT ClassID, Source: 00000000.00000003.1928800347.000000000882D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_QueryWinSATClassID, Description: Yara detected QueryWinSAT ClassID, Source: 00000000.00000003.2039876701.000000000882E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation: low
                              Has exited: false

                              No disassembly