This randomly appeared in my C: drive in a hidden folder that I don't recognize in a command executable ("AfterImageApply_BDB0C1E8-6951-46C4-AB7F-C07B29F462FD.cmd"). Seems like something to do with adding or editing registry files..
The file appeared in the C: drive in hidden folder I don't remember any updates or app installations anybody know what the breakdown of the code is and if it's malicous?
does it have to do with the echo chamber?
rem Define %TARGETOS% as the Windows folder (This later becomes C:\Windows)
for /F "tokens=1,2,3 delims= " %%A in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RecoveryEnvironment" /v TargetOS') DO SET TARGETOS=%%C
rem Define %TARGETOSDRIVE% as the Windows partition (This later becomes C
for /F "tokens=1 delims=\" %%A in ('Echo %TARGETOS%') DO SET TARGETOSDRIVE=%%A
rem delete Windows.old\Users
rmdir /s /q %TARGETOSDRIVE%\Windows.old\Users
If EXIST %TARGETOSDRIVE%\Windows.old\Users (
rem Windows.old\Users exist
wpeutil reboot
)
rem Deletion succeed
rem Check Auto Apply folder
set AUTOAPPLYFOLDER=%TARGETOSDRIVE%\Recovery\AutoApply
rem LayoutModification.xml
IF EXIST %AUTOAPPLYFOLDER%\LayoutModification.xml (
copy %AUTOAPPLYFOLDER%\LayoutModification.xml %TARGETOSDRIVE%\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml /Y
)
rem LayoutModification.json
IF EXIST %AUTOAPPLYFOLDER%\LayoutModification.json (
copy %AUTOAPPLYFOLDER%\LayoutModification.json %TARGETOSDRIVE%\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.json /Y
)
rem Unattend.xml
IF EXIST %AUTOAPPLYFOLDER%\Unattend.xml (
copy %AUTOAPPLYFOLDER%\Unattend.xml %TARGETOSDRIVE%\Windows\Panther\Unattend.xml /Y
)
rem Create Windows\OEM
IF not EXIST %TARGETOSDRIVE%\Windows\OEM (
mkdir %TARGETOSDRIVE%\Windows\OEM
)
rem TaskbarLayoutModification.xml
IF EXIST %AUTOAPPLYFOLDER%\TaskbarLayoutModification.xml (
copy %AUTOAPPLYFOLDER%\TaskbarLayoutModification.xml %TARGETOSDRIVE%\Windows\OEM\TaskbarLayoutModification.xml /Y
)
rem OOBE
IF EXIST %AUTOAPPLYFOLDER%\OOBE (
xcopy %AUTOAPPLYFOLDER%\OOBE %TARGETOSDRIVE%\Windows\System32\Oobe\Info\ /Y /S /E
)
rem TaskbarLayoutModification.xml
IF EXIST %AUTOAPPLYFOLDER%\CustomizationFiles (
xcopy %AUTOAPPLYFOLDER%\CustomizationFiles %TARGETOSDRIVE%\Windows\OEM\CustomizationFiles\ /S /E /Y
)
rem registry key changes for taskbar layout
IF EXIST %TARGETOSDRIVE%\Windows\OEM\TaskbarLayoutModification.xml (
reg load HKLM\$OfflineSoftware %TARGETOSDRIVE%\Windows\System32\config\Software
reg add HKLM\$OfflineSoftware\Microsoft\Windows\CurrentVersion\Explorer /v LayoutXMLPath /t REG_SZ /d %TARGETOSDRIVE%\Windows\OEM\TaskbarLayoutModification.xml
reg unload HKLM\$OfflineSoftware
)
rem exit
EXIT 0
The file appeared in the C: drive in hidden folder I don't remember any updates or app installations anybody know what the breakdown of the code is and if it's malicous?
does it have to do with the echo chamber?
rem Define %TARGETOS% as the Windows folder (This later becomes C:\Windows)
for /F "tokens=1,2,3 delims= " %%A in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RecoveryEnvironment" /v TargetOS') DO SET TARGETOS=%%C
rem Define %TARGETOSDRIVE% as the Windows partition (This later becomes C
for /F "tokens=1 delims=\" %%A in ('Echo %TARGETOS%') DO SET TARGETOSDRIVE=%%A
rem delete Windows.old\Users
rmdir /s /q %TARGETOSDRIVE%\Windows.old\Users
If EXIST %TARGETOSDRIVE%\Windows.old\Users (
rem Windows.old\Users exist
wpeutil reboot
)
rem Deletion succeed
rem Check Auto Apply folder
set AUTOAPPLYFOLDER=%TARGETOSDRIVE%\Recovery\AutoApply
rem LayoutModification.xml
IF EXIST %AUTOAPPLYFOLDER%\LayoutModification.xml (
copy %AUTOAPPLYFOLDER%\LayoutModification.xml %TARGETOSDRIVE%\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml /Y
)
rem LayoutModification.json
IF EXIST %AUTOAPPLYFOLDER%\LayoutModification.json (
copy %AUTOAPPLYFOLDER%\LayoutModification.json %TARGETOSDRIVE%\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.json /Y
)
rem Unattend.xml
IF EXIST %AUTOAPPLYFOLDER%\Unattend.xml (
copy %AUTOAPPLYFOLDER%\Unattend.xml %TARGETOSDRIVE%\Windows\Panther\Unattend.xml /Y
)
rem Create Windows\OEM
IF not EXIST %TARGETOSDRIVE%\Windows\OEM (
mkdir %TARGETOSDRIVE%\Windows\OEM
)
rem TaskbarLayoutModification.xml
IF EXIST %AUTOAPPLYFOLDER%\TaskbarLayoutModification.xml (
copy %AUTOAPPLYFOLDER%\TaskbarLayoutModification.xml %TARGETOSDRIVE%\Windows\OEM\TaskbarLayoutModification.xml /Y
)
rem OOBE
IF EXIST %AUTOAPPLYFOLDER%\OOBE (
xcopy %AUTOAPPLYFOLDER%\OOBE %TARGETOSDRIVE%\Windows\System32\Oobe\Info\ /Y /S /E
)
rem TaskbarLayoutModification.xml
IF EXIST %AUTOAPPLYFOLDER%\CustomizationFiles (
xcopy %AUTOAPPLYFOLDER%\CustomizationFiles %TARGETOSDRIVE%\Windows\OEM\CustomizationFiles\ /S /E /Y
)
rem registry key changes for taskbar layout
IF EXIST %TARGETOSDRIVE%\Windows\OEM\TaskbarLayoutModification.xml (
reg load HKLM\$OfflineSoftware %TARGETOSDRIVE%\Windows\System32\config\Software
reg add HKLM\$OfflineSoftware\Microsoft\Windows\CurrentVersion\Explorer /v LayoutXMLPath /t REG_SZ /d %TARGETOSDRIVE%\Windows\OEM\TaskbarLayoutModification.xml
reg unload HKLM\$OfflineSoftware
)
rem exit
EXIT 0
