Analysis
-
max time kernel
37s -
max time network
85s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
04-11-2022 19:52
General
-
Target
disable_defender.bat
-
Size
134KB
-
MD5
e430435cb58bf4b32f6c34662bf2399c
-
SHA1
68ef170abe380c4a9827abeaf37e3d9e8392b23b
-
SHA256
ed9d9ca4e442cb52d81a61dbc3d9d613785b929a6536623fa5c0666edbf22f55
-
SHA512
6819be2bac9e1701c62b0409328998db2ab828540334c7567d467879bc2907bb37a3ff8bea115b7d4fca8b1eaed1e63a4d9ab607af3edcb726b5412dbbd80d03
-
SSDEEP
1536:N9qlzR+K/otrK/o5gINROhPCWi/uQ5t6s0Q9x32cqmWr8igtUdwy6HT3OcK/o3+e:N9qlc91N277c66t
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 20 IoCs
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Possible privilege escalation attempt 14 IoCs
-
Modifies file permissions 1 TTPs 14 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\disable_defender.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\fltMC.exefltmc2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "if(!(Get-Command 'netsh' -ErrorAction Ignore)) {; throw '"""netsh""" does not exist, is system installed correctly?'; }; $message=netsh advfirewall set allprofiles state off 2>&1; if($?) {; Write-Host """Successfully disabled firewall."""; } else {; if($message -like '*Firewall service*') {; Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'; } else {; throw """Cannot disable: $message"""; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'PUAProtection'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -PUAProtection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\Features""" /v """TamperProtection""" /t REG_DWORD /d """4""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\Features""" /v """TamperProtectionSource""" /t REG_DWORD /d """2""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableAutoExclusions'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableAutoExclusions $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableBlockAtFirstSeen'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableBlockAtFirstSeen $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'MAPSReporting'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -MAPSReporting $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SubmitSamplesConsent'; $value = '2'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SubmitSamplesConsent $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRealtimeMonitoring'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRealtimeMonitoring $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableIntrusionPreventionSystem'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableIntrusionPreventionSystem $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableBehaviorMonitoring'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableBehaviorMonitoring $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableIOAVProtection'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableIOAVProtection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RealTimeScanDirection'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RealTimeScanDirection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RemediationScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RemediationScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'UnknownThreatDefaultAction'; $value = '9'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -UnknownThreatDefaultAction $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'QuarantinePurgeItemsAfterDelay'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'CheckForSignaturesBeforeRunningScan'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRestorePoint'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRestorePoint $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanPurgeItemsAfterDelay'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanPurgeItemsAfterDelay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCatchupFullScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCatchupFullScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCatchupQuickScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCatchupQuickScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanOnlyIfIdleEnabled'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanOnlyIfIdleEnabled $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanAvgCPULoadFactor'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanAvgCPULoadFactor $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCpuThrottleOnIdleScans'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableEmailScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableEmailScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScriptScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScriptScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScanningMappedNetworkDrivesForFullScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScanningNetworkFiles'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScanningNetworkFiles $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRemovableDriveScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRemovableDriveScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableArchiveScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableArchiveScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RandomizeScheduleTaskTimes'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RandomizeScheduleTaskTimes $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanParameters'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanParameters $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableGradualRelease'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableGradualRelease $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'EngineUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -EngineUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'PlatformUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -PlatformUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DefinitionUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DefinitionUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureUpdateCatchupInterval'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureUpdateCatchupInterval $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureDisableUpdateOnStartupWithoutEngine'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureUpdateInterval'; $value = '24'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureUpdateInterval $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisablePrivacyMode'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisablePrivacyMode $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration""" /v """DisablePrivacyMode""" /t REG_DWORD /d """1""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'MpsSvc'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\mpssvc.dll" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\mpssvc.dll"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WinDefend""" >nul & sc config """WinDefend""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdNisSvc""" >nul & sc config """WdNisSvc""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'Sense'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService""" /v Start /t REG_DWORD /d 4 /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\SecurityHealthService.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\SecurityHealthService.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'mpsdrv'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\drivers\mpsdrv.sys" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'net stop """WdNisDrv""" /yes >nul & sc config """WdNisDrv""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\drivers\mpsdrv.sys"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\drivers\WdNisDrv.sys"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\drivers\WdNisDrv.sys" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdFilter""" >nul & sc config """WdFilter""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\drivers\WdFilter.sys" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdBoot""" >nul & sc config """WdBoot""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\drivers\WdFilter.sys"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\drivers\WdBoot.sys" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\drivers\WdBoot.sys"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'UsoSvc'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD556efdb5a0f10b5eece165de4f8c9d799
SHA1fa5de7ca343b018c3bfeab692545eb544c244e16
SHA2566c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA51291e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD544ba883241781356672c747f95722676
SHA13e2729fb35638438cddb9eed2ad1388f68ba628a
SHA2560c3ec0e12d5cf2edfe5599f79b379aa19476c253ecca52f841ffa3a050be6916
SHA512aad6d58c9276287870c4e49a02401dbb2cbcf276b9cd929b113b5488a7f7818a99a1f90aa604f6cc4c6d07a674adb11143aae2f0ca42723c3f22104f457b327d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54f5907bfa3d56468f1dfb05873678925
SHA110c108e7a45a689d433f2f411b6d4f609040e5db
SHA2562f951fec1ff11eab7e2ff4daedc7cf2cc2f1ad514512ee4aea3ace1e478be778
SHA512c0e5b99142fae6a5b2d98ca723adff6f11c252fbb0031e0b4d0a4836b3fb91873d0ce27f1279e8d281c0ceb6faeb19c3a363f7faabbae20f3e68178789d5f77c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5919892f94e1d646ea2e9a496bac85d9c
SHA11032269fcb6273d6a7f9c4b111b29c8332f08b33
SHA256d670df2827ac904ad5264106e86e4f52cb387ecb8de36fe062215d2f14a72c13
SHA5128821366a2126c31bb6b1e5d19c27d1de425f65589188d571f5299ec59f3a2dfcd80b163d2c1b8729562d7aff3d6fb4b7e8ad702d6721df35fbedad940c4413f8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e51bd3897acaf87bf6b16fb92f6a118f
SHA109307608017ccf4f6e45664176a26a7dad789629
SHA256f2ebfb4511e07ded018e99ad722ddacb54991715e7d13b898adf3f4da4964958
SHA5121b4026b86f78de2125cb3ca47399537ba2893ef7c95d6833e398abbe317487ab48fc204a44352350a522832bd63186cbfc71a831b6ee7a3d2797afdc9173a52a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD580cdc1e50acc5eae448cd402b9dc485b
SHA10f073c545e59b8ee6c53745973629651d94fc100
SHA25668b87a62fdc0b06c0e53222b7035f391d1e83bd2e06a3803ebbfebdca2a15058
SHA51245c7d1ab23453ffd87d7518af7192933649c7e75b3e320ccf0a1ed2a6bfb9bdf7cd4da6e46128de0563c2577b985f1a360a14864543f5f4e8297155e4e6a2a3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD534738b7d5178dfc4830184e12dba2d1f
SHA1eb5351f3359a9ae16418be408c38cc6e383bc026
SHA256b0cfbf52493158ce32c5ae21aa23626be51b35c38aa24e5851d535b6766a0049
SHA512bf658e520fce2a690bc8a2d176f850a48479032f8b717053873104c140669e657e07189ee50ec5c327100f0248ff3001f23c118a8f522c08aad38a4f8798d44a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58d7d7ebd567ffe82adc138fe95a65480
SHA174ab66720a36985189344c16131314a55d39d700
SHA2566b0a3ec4e798b7f26450ba51783cc2554734ae6495c4a430761bb431a1818d21
SHA5125b0f7f3fbda348c7d98e7d039450a872edf57bbb530c300a0a4a77e6663f9b5d3b94780e86e704cd30baed8724a9a050e255806c1ddc54069a45cd47701bb5c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c857f7279a3420155c29f96ca6f30c6f
SHA1186977cb692f28458a9a79f50db8823ee183a21d
SHA256b75243949de947af7adeb103f13416ac33f5519ba88bbb3cb3734cf701c75ac2
SHA5121a6b63717ca8a71b1f1802f1d9ca563a6a85c4480a9ad3625619b162224f89e11c1feed714790340b5a084da65eadf1d2f61e46815df30945396d8faea87d69f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5990150b2adbdd1b82e2736e157b8e851
SHA12fcdcb3d7c9e845c0a96f851990de525d8a70fc6
SHA2563ef4d4503f84293b9d1b34dc0619c746540e37c768f21003f4ee08809b9d117e
SHA51218484b3ce27d90aecef3a5a06f93a7e9dc9a94de569429f96ac3b34d39b725e57839d4782d5a322b61eac42cdb79dd872ba09ebceb77a7c63e2462d460287bf4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57c95bcff89ef685dee0e973616a3ec4d
SHA1f008143530a29323067154ec4ec6d70b5d132924
SHA256aa8983de63afed026c96f6f21403eb2523d2f864703a6b40535fc96994ce0472
SHA512583ce3a2a60bf43067d993c40be3d1d77815579b5c49314334c61cd83c12242c95cbb76f416cfb3a8715b85b9f739e5d641ac9925133e1b54ee1f3e08c88e008
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c857f7279a3420155c29f96ca6f30c6f
SHA1186977cb692f28458a9a79f50db8823ee183a21d
SHA256b75243949de947af7adeb103f13416ac33f5519ba88bbb3cb3734cf701c75ac2
SHA5121a6b63717ca8a71b1f1802f1d9ca563a6a85c4480a9ad3625619b162224f89e11c1feed714790340b5a084da65eadf1d2f61e46815df30945396d8faea87d69f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c857f7279a3420155c29f96ca6f30c6f
SHA1186977cb692f28458a9a79f50db8823ee183a21d
SHA256b75243949de947af7adeb103f13416ac33f5519ba88bbb3cb3734cf701c75ac2
SHA5121a6b63717ca8a71b1f1802f1d9ca563a6a85c4480a9ad3625619b162224f89e11c1feed714790340b5a084da65eadf1d2f61e46815df30945396d8faea87d69f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c857f7279a3420155c29f96ca6f30c6f
SHA1186977cb692f28458a9a79f50db8823ee183a21d
SHA256b75243949de947af7adeb103f13416ac33f5519ba88bbb3cb3734cf701c75ac2
SHA5121a6b63717ca8a71b1f1802f1d9ca563a6a85c4480a9ad3625619b162224f89e11c1feed714790340b5a084da65eadf1d2f61e46815df30945396d8faea87d69f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ccfede9d62a265e44c9e27c933d072c3
SHA1d354fb0dce3ea1de47a450b4ff5a62012cc4d86c
SHA256c0ddf5ad77a4b18d913aef1045bbfb6974ef08beea1da759523ea2375d2a9536
SHA51244e90d9326fddff4d21ce435cf41b42b6c47338ae0c0a9e9620afa174c94289574efa5cd97c196af622a92186af08e195785be854b43b74a9351a73346e35436
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51c4a4af21bd9de12e584dfcc5250158a
SHA17cec73c63c4b1c3aeff3ebfeead8a2d299218ce8
SHA2561a29fefe2a8341389cbc4a91d82900bb29914e740067eb04db6bb34ab06a4816
SHA51210c5e6c30464650d92310307f32c837ac8b2931528a7b82a82068f6242a1b87671bfae0ae44db0b52cc443b6a5f388e2ec6866f16a69c2f806c97246ed5b8898
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD50a05bf665f7cfc8ec20796ab1e7d7467
SHA1f6acc52be8143fdb665df7039acda9f6991cbde2
SHA256d89a2b3a4d9bc9f0da7db2e0531ae1855cf5a4dfdccbdcda9971ad34e84c7f81
SHA512fedca4a178e40c6a4843b712559f3062579ee6ae3eb122a96ab098bca987a290937cb93e37461896435e199f34fddb6f9ce4947cc5975bbe0ced790a2dedbadf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a8c8c5d2ab0eb7b8a5f03416ff52a170
SHA1f5b50813a2805ecbeabbfdec7855eb1efe29a3c2
SHA256e90d999adbeeb2c76598ef6cd672c038127d0a6518d224c87f54244516414fe4
SHA5120e876333d04fb2ccd7302eefd6f38035a943661594c1ce21848494c1c88a9b3b83b8c2eca44049e957b11e58d94bb0d95cfcae4d988dbfcf9aba759066ed8c88
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5acc0d32dfc4b56b96712ac8841cae52e
SHA18aa13b372198e81a4b1e4a76843f23251facec87
SHA25666788499572422a5b036ec4d1efe37c5f147c59b80b724e0d16460b63ddba24a
SHA51230a3eef1e5f74c51da2bf79c39653b25bb4a34c62a0291a06c933bf3c5c0b785aed6d970e94f8f1a645f4763eb67ea7d75450c2c19aa52d7b5e1a46068d40d34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5acc0d32dfc4b56b96712ac8841cae52e
SHA18aa13b372198e81a4b1e4a76843f23251facec87
SHA25666788499572422a5b036ec4d1efe37c5f147c59b80b724e0d16460b63ddba24a
SHA51230a3eef1e5f74c51da2bf79c39653b25bb4a34c62a0291a06c933bf3c5c0b785aed6d970e94f8f1a645f4763eb67ea7d75450c2c19aa52d7b5e1a46068d40d34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f154a77c5f714ad88623e552538df9d0
SHA1936bcddc3fcba1965772802d797e934d8439282c
SHA256bc6ae7743f2b930e2c9a6b08c7e3496540054eb873be8935cf30e324f71964b2
SHA512b79656111e590b5c3104dd400e62a0df741aba4b725dc75cf26b4a7ab4dc9afa4b2da6a9a5280c467b8279d29c1c207526e13fbe053f46d9c2c25a0c1abebf51
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5343aeafbf239c3543635ffc58a245ffe
SHA1e89d2c14be7c065c2d7a3cbd4be3e4241c73e1d3
SHA256b8e38f0f800176e0c7a2f0031423ec5af0895ad257b9d04168cac0e0d80e955f
SHA512153f40754770a033172df771063f1b52d2858367c0912eeec47a183e375866018286221a623a3c3d63f94c153f5e14846e8e8b7cb4ea050500b3e6d1b0784b4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5597941d23201a86ba7565c909f76e6a2
SHA1f350cef2596b2d9728ca36c161844cd2d7d712b6
SHA256947e827d5f8306acf47a957b8ec2830f87bafca8b4ac29c1044c074a8c443605
SHA512bedc80966506641d01907873cc270193701a6061476ad75627d1560abab516c52fc31da0ab8c0f9743cb5d81be98f7b05b5b800c6ef5b2431fef638a0e2d6d29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5353e435e7f4e4a708699d7515bfd0d6d
SHA1a7ea602cebba95000de110aa2caa7480c3021d1c
SHA256a68b7515093cd3392c6428675ea11b5e6c7bee886b859b88a2bdbfc637fa1e92
SHA5125601689c27c53a8c6a9887e79bf3b4c047a0cab388c540e27129dad9efbc474741a405ba3beedddb536737352f93e6136f1b61b6d6e2a759bde6a9948175706b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5acc0d32dfc4b56b96712ac8841cae52e
SHA18aa13b372198e81a4b1e4a76843f23251facec87
SHA25666788499572422a5b036ec4d1efe37c5f147c59b80b724e0d16460b63ddba24a
SHA51230a3eef1e5f74c51da2bf79c39653b25bb4a34c62a0291a06c933bf3c5c0b785aed6d970e94f8f1a645f4763eb67ea7d75450c2c19aa52d7b5e1a46068d40d34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ccfede9d62a265e44c9e27c933d072c3
SHA1d354fb0dce3ea1de47a450b4ff5a62012cc4d86c
SHA256c0ddf5ad77a4b18d913aef1045bbfb6974ef08beea1da759523ea2375d2a9536
SHA51244e90d9326fddff4d21ce435cf41b42b6c47338ae0c0a9e9620afa174c94289574efa5cd97c196af622a92186af08e195785be854b43b74a9351a73346e35436
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD59284b1af001480c1928ea82370abbe62
SHA17edd2c3ce1644ea5e81a313d8c7b989cb7682eed
SHA256baabb8d5bea05a7e2cf722d966bc725ee04ee4c0b3569e68097283519e1132bc
SHA512da09bb87838698a08e3f522ecf6b9f1ac7c6f5ef336b075b981fb8ec5ebaf030f4147b7cfe7f99cf33b74d2594d5e786e7e70a73b8a7740b063196f586442b38
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5687fb1b8765c0ff4180f7f3d42cd8e58
SHA1255522574e6dc46911ade1b5cc5a656c8a15f2d3
SHA2566e6aec1ec1ab9a3a38b9015405e708ef4998baf4d8e7932910d05b72282f50d7
SHA5121941d8792a6d76a14495195fdcdf4268670b66abe7e84a4dbb0d0a4d93e85a4bf202af52faa650ae22e5c6c7d77e1755ac91de41ef74cf2e4d70d9317a57a4c5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5fa98fe710cd156a01bf90ae9e75cea89
SHA1fbb52911e676f38473d24e1569a6991f75e6bd9d
SHA2569727a5b76a5df9f17cc725ddc697559cc2c38b4633830d76238438c6d22ae520
SHA51200b51f183049c346dcc411a2ce0dd60baba189cccb8d2810e0f37c24fa0bfbc4736d93e3744380cdd566602341315e4412532fae866ab6f62475c7588f48e399
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5433cdd4bd9e7d6935e8f49825fd6570c
SHA117707e7071ace2bd712b7c8cf5e1c41c164b8280
SHA2564762b99b81861d8064fc894dffbc7e25e44612e213deafca0ba81f16805825aa
SHA51205ffff9d4effdcc6bb30910008bcbbaadb9dc8dab011ead445e852644fd4507364ca82fbccab55e421b2506868db22e708b7d14a705a43200f619fc243da7fc0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD53de52b7abef4592e64e4b94e21f869aa
SHA1b803777078d7ad980ad2917d94ddc538114e9c38
SHA25632acaf6cfc22a3fd336c3a7b6ac4e6041af19104926310718a7ff17abd3e42e5
SHA512ca60376e2a88864dd1f766dd70da2fe0eb6ae10a296ccf871e502aad76d00a4dee65d59bd3373f684959a9dbf062416768e569a3e8d0093a6cd53519d5093aab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54c1e588d43fa18b664691b4a8028472e
SHA10041aa2d01010192a9aa88cb4fb02a25738e2f83
SHA2566355799405864ec0c92152890c880fda1e2d9a430376fd6d1c20e9fa7d05812e
SHA512e543c2d1b286bb8e2d818362e4c99881406c80c98472c22b9ded56be978834fc600302432e1c924fbb9d6e9763d67d247794632f4b68a3c52cb48f825264577e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54812065441eca92dd19ae1f7a531c9bc
SHA1578dfac7e53eda6b500627c67e6be84082be3883
SHA256974194cf6e49e9cbb8f7c6b9021d1769b5d8c2e7c99d4e89c4697e0c0d09f1f6
SHA51275ed3ca6b0cee3ef8074fc7b4297fd5ac8e5be96a02a87c7c2e7bf33fd4d6808a14751d6e98e5a3f44dd0ce5079ab1995d421d1129914d61d51481c8be0dc22d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57f09942e96e518ba4e472da85544d268
SHA12d7323b3ce7f27a2aedfd67a631b709acba7905e
SHA2562a6090f37df26020e5a096df3ad737db510ed5ea395de142e5ea231679ab5624
SHA512652f32d7bdd8a10e6d6cf9b3728d590d3933ed6c5d6240042e65caca9b15ea7ce3b89f63a8d69db3afb953b479d950fb3d7c18078edda310db0453b53be2e65e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD540b7070052f59e9731a083de655e8f23
SHA1e3192708ce837d532e6667483f62687dcf6879ad
SHA256200c9e0d73c2400235326da4f9af246848f4076a644441a42732f7066af02067
SHA51221d7b8c64c0bbf943b9011bd56f8af58d1508096ec257f77ef2c45625ccabdbe3d2f8c518c76c2af27d3bd08a81c8725c1dcf759aaced8a918c81a3b16a10948
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD583b4baf45dc58c8bf3147754063b9cb3
SHA1eb09435d818d0928e3181508f75841c43fe192d5
SHA2560f6e39e995529bd14d8dcb6cef0d0e8f2694e64966c67da136c44d4b7268256f
SHA512d6ae0ab936f4af485d8959391f3d8d3b18ff23e58d0e7a50d09561001155ad5256059444320fb3b602b606757b70ce428f57341ad0dc5315fa6bbc80c3ae32ac
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD548bb5cdfd723b823cec4588f09b31bbf
SHA1eb52da64dadf6de15190ffe35eb87db976162d9a
SHA256f0f1b50be9ad6cacf4e18f1c6274d61683afd0dfe0898e0b314f975c0cb613cf
SHA51266214db3e1cbd63f04c984c75ea1ce4d93477e60f2382440dc7f8fe402886b60d378a6a1f703e23f5ed759809c938673255441fa9904ec1d9b4db1a43bd1f4fe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e2f5358c3dc79840a9290ad277857fd7
SHA15dd25757a3cc83e2695bc6ff68254741a6b628e7
SHA25663ef1301ac0ca8f0d57fca3483a36e8ee0994c018cbcaf23217d4dc9a7c3abaf
SHA51227dff4fe511199504a2879f106f5d455011293381a0b070ed0e738d0d97d057950b747ad43371f1b051ef6f17232280102bd6b16ad698e9bebf4c6ebf3e03956
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD540b7070052f59e9731a083de655e8f23
SHA1e3192708ce837d532e6667483f62687dcf6879ad
SHA256200c9e0d73c2400235326da4f9af246848f4076a644441a42732f7066af02067
SHA51221d7b8c64c0bbf943b9011bd56f8af58d1508096ec257f77ef2c45625ccabdbe3d2f8c518c76c2af27d3bd08a81c8725c1dcf759aaced8a918c81a3b16a10948
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5955cde33cb9a4dc130cc23c27c096ea0
SHA1fd048b7cc4e5a80f40233244790e5c5f69d94383
SHA2560481cefa2c7128b87af082e22142d72a550b9532f16f4e4476b6b70fd9c61bef
SHA512eb772138015ffb9c6307e9c035a8f60906c16c4c83d67b85fd8bab31d03c01a82257e77006c3be01705016c996b947084322b22bb8ad8f263214791ff4567e36
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536676bacda3399c020c6a68a04c5c5ee
SHA1bc5c92f2fee35d274a5928e9c799d3e8b66cf567
SHA256645b6f1cb6e89631e91941ca2ce5ec0363e2e684f5fafa6960bbdcfd0a8e6d48
SHA51234a68ad5d7260bd3e32890e446bf8a07268026cf79d4dbfedf2fde9f2a845b82792aad915f01bd110c2f4cbefc65e499ee84a80d37467a274d2556a6e05df4fe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c5c81cbb190c3e0c50752c0e20dc987a
SHA1c684e56761540548fb034d4ab836acda56325ce2
SHA2568b0476220670958ed591561d6ccd7577a83b8dcd233fb3a98a54b695c71c1c13
SHA5121354eef1de7011880f7c8abf0380d6f31b504ccbdb35afb82709a5d3c897eab25c03682c05d2e781d65919cb1cb241ad582bd77cf80d3d961882ea36f6157ba7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD53a60f6da42c7a3a6330632c1b945ee2c
SHA13150319cc065ac748887937faf50deebe8137ad9
SHA2569bdad562db7cf71899195f331e7bead9a1cf722d7f132bcf56ea288f5daed70e
SHA5122805a5297151d0de97a2e4b28dc9f47d4b80df7a3ee49cb46977abb9a81c3bdd19b944c786a71494f168673bf26a3950766d22de91afd07c7549c24b73e71219
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5bcf036c51bd403de6184995d26016ae9
SHA12438012bd489c6b641b1302b524e29daf56d63ce
SHA2560e12f66eae92dc7e8256ce68be0aefca8b87108f43a5257bd43f87e2521fb65a
SHA5126c04731592957d24434e22e1772e5136d3e37934fd1b6775e92a0703179540a00d1aef50c3dad8eec5ce3b52eaa9958a778d217d19ebb533b59d46c18fdff129
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD59b184e89442e585c61a5c0009d8d4988
SHA18bba8533a0f0b7ca6edef7445d111d72914ce3ac
SHA2563c8016df5faa3eea710534e385922aa62be096c6f3f464466eb75d4db1ea136e
SHA512ea4c714710d0970cba1f0aa696a6af76b54c14a6e6a6cee6de2e9f48912a053370fb92d3f262d7730d110ab75970cebecfc95fb7f013b9ab9a5e24e7ed3580a3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57e9d9b4b86480608b0194bb2314f4007
SHA13e71a401952b704225c00bebfe14b71c30f94cc9
SHA2565190e8ef4cc64f37d073841fdd06561ecd80b05940ee28a9ca8cffa1527a179c
SHA512b01ff18ff39ae7533ccb0aa1a25a393f39423b5e70ff0bfbf0204065cc2f14b37da393a5bba51671b8c5a1684cb2480f85f42400d8ab965b815aaec8c9cddad0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD588f9cc9c43167cd330be4c22f37ea2df
SHA1914de56005403a42ebe7107983833be1f0d2154e
SHA256725618e76cc6d82cd470ebd9a7b2903441369cdd972288e7a3624f717805f833
SHA51266a33c0f08a33d0fdfa1f8888ca060e5476dfa4c1767ded8c17e36e2160f646aa02dd2c86ae970658da12b8fafe67cb0f212603b6ef38264c0fcfa34b036eb85
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54299de3483a0c946b95b7942c1f2778d
SHA1b1535cf0ce2e1f44c05e0f3aac44571a5e0fc705
SHA256a799c2b386c021f9a803f1f2c7992c6a1295fc2647374e1d82e8df10acf1d82e
SHA5122351e8e222237ea2a5c6d61a2bbd28adff4b6e6c77e5cfdc72684a12ad4618f1401ed5c31c1cfaf6eca132122d0fbb150889096b46a1051ac6a05b60ecd17d6a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56eb967f227b91474aa1082e2f7f7755d
SHA18935637e5911a2da4fea2922a5f1d8864b8715b6
SHA2567d5cc9ea8bdd77ca2b6802876deca837e1d09b001f66c0db827719d98279c0fd
SHA512e2dcded721de5f1abcb4c932f54bdcfe0c0a8b64fb56c0c3aabdc196a3abef3b97faaa6d4692477853edb1206b09ab5cebbdddc1c237b45e57a84f9ac5b04b84
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f8667bc8e3469b91072645a4b597f144
SHA107542c2f8ffc5e54cae212fc5821ef085cf7561f
SHA256cf54c79d18b372457b0db6ad279a15bfecffb9e550c925a6652e1e281a08625d
SHA512ef9a51db5f61ff695d573bed52f2d881ce575bc206f7001fa0f74cd297ff6693012c04260d17a9b3d10f2212a4e64748eea5c0076863e3e34b9f1aa689fe856f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD507273162f5c18a38976d137845e28930
SHA17371f7a532e416d73608ca9313bcdda521795286
SHA256ec47b9814e498e37cbdccd9f0d59ae8de2897d76d9c16a34207d2d1b9426ddb3
SHA51204857b9a7b6fef569f5924dbf1351f1be5915fa2c1585cfb4b9d221a99bc3961e1b591b6fba2f0a94706fe9aa30f264ebd21c998ecb300d2c62b599bccc5be56
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD596169a7ce8c3643fb1ff9e82dcd6950f
SHA1516723f49077ac01175dba70f4673909cc64a1db
SHA2568617361e51f202c74c0ae4f91b2f822ece238d95fe91b82925aeeb7916b55d79
SHA5129a8c08c3e053cf27b0115e72cef5156c8c232413dc9d99b5f8afd48541ba1dc64916338f160e871e45023b73d08d19ccc7fdc4b7096b74429c90eb509abb9b32
-
memory/64-389-0x0000000000000000-mapping.dmp
-
memory/188-290-0x0000000000000000-mapping.dmp
-
memory/216-699-0x0000000000000000-mapping.dmp
-
memory/400-968-0x0000000000000000-mapping.dmp
-
memory/428-1225-0x0000000000000000-mapping.dmp
-
memory/548-263-0x0000000000000000-mapping.dmp
-
memory/588-1223-0x0000000000000000-mapping.dmp
-
memory/656-288-0x0000000000000000-mapping.dmp
-
memory/692-865-0x0000000000000000-mapping.dmp
-
memory/1020-116-0x0000000000000000-mapping.dmp
-
memory/1032-282-0x0000000000000000-mapping.dmp
-
memory/1172-866-0x0000000000000000-mapping.dmp
-
memory/1236-141-0x0000000000000000-mapping.dmp
-
memory/1352-967-0x0000000000000000-mapping.dmp
-
memory/1416-593-0x0000000000000000-mapping.dmp
-
memory/1532-592-0x0000000000000000-mapping.dmp
-
memory/1620-115-0x0000000000000000-mapping.dmp
-
memory/1812-1222-0x0000000000000000-mapping.dmp
-
memory/1936-129-0x0000000000000000-mapping.dmp
-
memory/1936-390-0x0000000000000000-mapping.dmp
-
memory/2240-700-0x0000000000000000-mapping.dmp
-
memory/2296-698-0x0000000000000000-mapping.dmp
-
memory/2628-753-0x0000000000000000-mapping.dmp
-
memory/2684-696-0x0000000000000000-mapping.dmp
-
memory/2848-1068-0x0000000000000000-mapping.dmp
-
memory/2860-138-0x0000000000000000-mapping.dmp
-
memory/2928-143-0x0000000000000000-mapping.dmp
-
memory/3016-1123-0x0000000000000000-mapping.dmp
-
memory/3292-1224-0x0000000000000000-mapping.dmp
-
memory/3300-289-0x0000000000000000-mapping.dmp
-
memory/3464-140-0x0000000000000000-mapping.dmp
-
memory/3500-493-0x0000000000000000-mapping.dmp
-
memory/3500-144-0x0000000000000000-mapping.dmp
-
memory/3532-492-0x0000000000000000-mapping.dmp
-
memory/3748-490-0x0000000000000000-mapping.dmp
-
memory/3796-693-0x0000000000000000-mapping.dmp
-
memory/3800-126-0x0000021D3AFC0000-0x0000021D3B036000-memory.dmpFilesize
472KB
-
memory/3800-123-0x0000021D3AE10000-0x0000021D3AE32000-memory.dmpFilesize
136KB
-
memory/3800-117-0x0000000000000000-mapping.dmp
-
memory/3820-692-0x0000000000000000-mapping.dmp
-
memory/3932-489-0x0000000000000000-mapping.dmp
-
memory/3968-966-0x0000000000000000-mapping.dmp
-
memory/3992-200-0x0000000000000000-mapping.dmp
-
memory/4076-1067-0x0000000000000000-mapping.dmp
-
memory/4088-139-0x0000000000000000-mapping.dmp
-
memory/4232-754-0x0000000000000000-mapping.dmp
-
memory/4276-1069-0x0000000000000000-mapping.dmp
-
memory/4332-810-0x0000000000000000-mapping.dmp
-
memory/4336-238-0x0000000000000000-mapping.dmp
-
memory/4456-867-0x0000000000000000-mapping.dmp
-
memory/4488-969-0x0000000000000000-mapping.dmp
-
memory/4560-695-0x0000000000000000-mapping.dmp
-
memory/4568-244-0x0000000000000000-mapping.dmp
-
memory/4608-811-0x0000000000000000-mapping.dmp
-
memory/4708-697-0x0000000000000000-mapping.dmp
-
memory/4720-694-0x0000000000000000-mapping.dmp
-
memory/4732-137-0x0000000000000000-mapping.dmp
-
memory/4796-199-0x0000000000000000-mapping.dmp
-
memory/4800-809-0x0000000000000000-mapping.dmp
-
memory/4820-198-0x0000000000000000-mapping.dmp
-
memory/4864-136-0x0000000000000000-mapping.dmp
-
memory/4880-491-0x0000000000000000-mapping.dmp
-
memory/4908-1070-0x0000000000000000-mapping.dmp
-
memory/5008-142-0x0000000000000000-mapping.dmp
-
memory/5028-219-0x0000000000000000-mapping.dmp
-
memory/5032-812-0x0000000000000000-mapping.dmp