Analysis

max time kernel: 37s
max time network: 85s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04-11-2022 19:52

Static task: static1
Behavioral task: behavioral1
Sample: disable_defender.bat
Resource: win10-20220812-en

General

Target: disable_defender.bat
Size: 134KB
MD5: e430435cb58bf4b32f6c34662bf2399c
SHA1: 68ef170abe380c4a9827abeaf37e3d9e8392b23b
SHA256: ed9d9ca4e442cb52d81a61dbc3d9d613785b929a6536623fa5c0666edbf22f55
SHA512: 6819be2bac9e1701c62b0409328998db2ab828540334c7567d467879bc2907bb37a3ff8bea115b7d4fca8b1eaed1e63a4d9ab607af3edcb726b5412dbbd80d03
SSDEEP: 1536:N9qlzR+K/otrK/o5gINROhPCWi/uQ5t6s0Q9x32cqmWr8igtUdwy6HT3OcK/o3+e:N9qlc91N277c66t
Signatures

Modifies Windows Defender Real-time Protection settings
Processes: reg.exe (10)
description: ioc (process)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealTimeScanDirection = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe, recorded 10 times)
Modifies firewall policy service 2 TTPs 8 IoCs
Processes: reg.exe (4)
description: ioc (process)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\EnableFirewall = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
Modifies Windows Firewall 1 TTPs 1 IoCs
Possible privilege escalation attempt 14 IoCs
Processes: takeown.exe (7), icacls.exe (7)
pid process:
- 3800 takeown.exe
- 4276 takeown.exe
- 3616 icacls.exe
- 3796 takeown.exe
- 4332 icacls.exe
- 2400 takeown.exe
- 656 takeown.exe
- 3648 icacls.exe
- 2648 icacls.exe
- 2736 icacls.exe
- 3812 icacls.exe
- 4816 takeown.exe
- 2644 icacls.exe
- 4456 takeown.exe
Modifies file permissions 1 TTPs 14 IoCs
Processes: icacls.exe (7), takeown.exe (7)
pid process:
- 2644 icacls.exe
- 2736 icacls.exe
- 3800 takeown.exe
- 3648 icacls.exe
- 4276 takeown.exe
- 3812 icacls.exe
- 2400 takeown.exe
- 4332 icacls.exe
- 4816 takeown.exe
- 2648 icacls.exe
- 4456 takeown.exe
- 3796 takeown.exe
- 656 takeown.exe
- 3616 icacls.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe (21), reg.exe (1)
pid process (each PID below is recorded three times in the report, except 3424, which is recorded once):
- powershell.exe: 3800, 3500, 3992, 4568, 188, 1936, 3500, 1416, 2240, 4232, 5032, 4456, 4488, 4908, 3016, 1988, 2480, 4496, 1824
- reg.exe: 3180
- powershell.exe: 644, 3424
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe (3)
description (Token) by pid process:
- 3800 powershell.exe: SeDebugPrivilege
- 3500 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 3992 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
Suspicious use of WriteProcessMemory 64 IoCs
Processes: cmd.exe (1), powershell.exe (3)
description (pid process -> target pid process); every write below is recorded twice in the report:
- 4260 cmd.exe wrote to memory of 1620 fltMC.exe
- 4260 cmd.exe wrote to memory of 1020 reg.exe
- 4260 cmd.exe wrote to memory of 3800 powershell.exe
- 3800 powershell.exe wrote to memory of 1936 netsh.exe
- 4260 cmd.exe wrote to memory of 4864 reg.exe
- 4260 cmd.exe wrote to memory of 4732 reg.exe
- 4260 cmd.exe wrote to memory of 2860 reg.exe
- 4260 cmd.exe wrote to memory of 4088 reg.exe
- 4260 cmd.exe wrote to memory of 3464 reg.exe
- 4260 cmd.exe wrote to memory of 1236 reg.exe
- 4260 cmd.exe wrote to memory of 5008 reg.exe
- 4260 cmd.exe wrote to memory of 2928 reg.exe
- 4260 cmd.exe wrote to memory of 3500 powershell.exe
- 4260 cmd.exe wrote to memory of 4820 reg.exe
- 4260 cmd.exe wrote to memory of 4796 reg.exe
- 4260 cmd.exe wrote to memory of 3992 powershell.exe
- 3992 powershell.exe wrote to memory of 5028 schtasks.exe
- 3992 powershell.exe wrote to memory of 4336 schtasks.exe
- 4260 cmd.exe wrote to memory of 4568 powershell.exe
- 4568 powershell.exe wrote to memory of 548 schtasks.exe
- 4568 powershell.exe wrote to memory of 1032 schtasks.exe
- 4260 cmd.exe wrote to memory of 656 reg.exe
- 4260 cmd.exe wrote to memory of 3300 reg.exe
- 4260 cmd.exe wrote to memory of 188 powershell.exe
- 4260 cmd.exe wrote to memory of 64 reg.exe
- 4260 cmd.exe wrote to memory of 1936 powershell.exe
- 4260 cmd.exe wrote to memory of 3932 reg.exe
- 4260 cmd.exe wrote to memory of 3748 reg.exe
- 4260 cmd.exe wrote to memory of 4880 reg.exe
- 4260 cmd.exe wrote to memory of 3532 reg.exe
- 4260 cmd.exe wrote to memory of 3500 powershell.exe
- 4260 cmd.exe wrote to memory of 1532 reg.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\disable_defender.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\fltMC.exefltmc2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "if(!(Get-Command 'netsh' -ErrorAction Ignore)) {; throw '"""netsh""" does not exist, is system installed correctly?'; }; $message=netsh advfirewall set allprofiles state off 2>&1; if($?) {; Write-Host """Successfully disabled firewall."""; } else {; if($message -like '*Firewall service*') {; Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'; } else {; throw """Cannot disable: $message"""; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'PUAProtection'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -PUAProtection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\Features""" /v """TamperProtection""" /t REG_DWORD /d """4""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item 
$streamOutFile, $batchFile; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\Features""" /v """TamperProtectionSource""" /t REG_DWORD /d """2""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; 
Remove-Item $streamOutFile, $batchFile; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableAutoExclusions'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableAutoExclusions $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableBlockAtFirstSeen'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableBlockAtFirstSeen $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'MAPSReporting'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -MAPSReporting $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SubmitSamplesConsent'; $value = '2'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SubmitSamplesConsent $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRealtimeMonitoring'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRealtimeMonitoring $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableIntrusionPreventionSystem'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableIntrusionPreventionSystem $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableBehaviorMonitoring'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableBehaviorMonitoring $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableIOAVProtection'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableIOAVProtection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RealTimeScanDirection'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RealTimeScanDirection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f
- Modifies Windows Defender Real-time Protection settings

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RemediationScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RemediationScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'UnknownThreatDefaultAction'; $value = '9'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -UnknownThreatDefaultAction $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'QuarantinePurgeItemsAfterDelay'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'CheckForSignaturesBeforeRunningScan'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRestorePoint'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRestorePoint $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanPurgeItemsAfterDelay'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanPurgeItemsAfterDelay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCatchupFullScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCatchupFullScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCatchupQuickScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCatchupQuickScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanOnlyIfIdleEnabled'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanOnlyIfIdleEnabled $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanAvgCPULoadFactor'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanAvgCPULoadFactor $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCpuThrottleOnIdleScans'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableEmailScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableEmailScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScriptScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScriptScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScanningMappedNetworkDrivesForFullScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScanningNetworkFiles'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScanningNetworkFiles $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRemovableDriveScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRemovableDriveScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableArchiveScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableArchiveScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RandomizeScheduleTaskTimes'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RandomizeScheduleTaskTimes $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanParameters'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanParameters $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableGradualRelease'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableGradualRelease $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'EngineUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -EngineUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'PlatformUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -PlatformUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DefinitionUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DefinitionUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureUpdateCatchupInterval'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureUpdateCatchupInterval $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureDisableUpdateOnStartupWithoutEngine'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureUpdateInterval'; $value = '24'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureUpdateInterval $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisablePrivacyMode'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisablePrivacyMode $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration""" /v """DisablePrivacyMode""" /t REG_DWORD /d """1""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; 
Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵
-
C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'MpsSvc'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f

C:\Windows\system32\icacls.exe
  icacls "C:\Windows\system32\mpssvc.dll" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\system32\mpssvc.dll"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WinDefend""" >nul & sc config """WinDefend""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdNisSvc""" >nul & sc config """WdNisSvc""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'Sense'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"

C:\Windows\system32\takeown.exe
  takeown /f "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService""" /v Start /t REG_DWORD /d 4 /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

C:\Windows\system32\icacls.exe
  icacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\system32\icacls.exe
  icacls "C:\Windows\system32\SecurityHealthService.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\system32\SecurityHealthService.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'mpsdrv'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"

C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\drivers\mpsdrv.sys" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'net stop """WdNisDrv""" /yes >nul & sc config """WdNisDrv""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\drivers\mpsdrv.sys"
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\drivers\WdNisDrv.sys"
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\drivers\WdNisDrv.sys" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdFilter""" >nul & sc config """WdFilter""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\drivers\WdFilter.sys" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdBoot""" >nul & sc config """WdBoot""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

  C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f

C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\drivers\WdFilter.sys"
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\drivers\WdBoot.sys" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\drivers\WdBoot.sys"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'UsoSvc'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f

C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
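Taken together, the process tree above is a host-tamper recipe: the Defender and firewall services and drivers are stopped and set to Start=4 (Disabled), the commands that Defender's tamper protection would otherwise refuse are run under the TrustedInstaller SID through a throw-away scheduled task named "privacy.sexy invoke", the Defender binaries are taken over with takeown/icacls, and SmartScreen is switched off through policy keys. The PowerShell audit below is an added example, not part of the sandbox report or of the privacy.sexy script it captured; it checks a host for the indicators those commands leave behind. Service, key and file names are taken from the process tree above and the policy values checked are a representative subset of those written; the expected owner of the binaries (NT SERVICE\TrustedInstaller) and the expected absence of a FullControl entry for Administrators on them are assumptions about a default Windows 10 installation. Run it from an elevated session.

```powershell
# Added example (not from the sandbox report or the privacy.sexy project).
# Audits a host for the Defender/SmartScreen tamper indicators left by the captured script.
# Assumption: default Windows 10 ACLs, i.e. TrustedInstaller owns the binaries and
# Administrators do not hold FullControl on them.
$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Services and drivers the script stops and sets to Start=4 (Disabled).
$services = 'WinDefend','WdNisSvc','WdFilter','WdBoot','WdNisDrv','Sense','SecurityHealthService','MpsSvc','mpsdrv'
foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { continue }   # Sense is absent on hosts not onboarded to Defender for Endpoint
    $start = (Get-ItemProperty -Path $key -Name Start).Start
    if ($start -eq 4) { $findings.Add("service '$name' is Disabled (Start=4)") }
}

# 2. Policy values written with reg.exe. Each entry lists the value that means "protection off".
$policyChecks = @(
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name='DisableRealtimeMonitoring'; Bad=1 },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name='DisableBehaviorMonitoring'; Bad=1 },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name='DisableIOAVProtection';     Bad=1 },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                         Name='EnableSmartScreen';          Bad=0 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';                 Name='SmartScreenEnabled';         Bad='Off' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Edge';                                   Name='SmartScreenEnabled';         Bad=0 },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen';           Name='ConfigureAppInstallControl'; Bad='Anywhere' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';               Name='AUOptions';                  Bad=2 }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name   # $null when the key or value is absent
    if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) { $findings.Add("$($c.Path)\$($c.Name) = $($c.Bad)") }
}

# 3. Ownership and ACLs of the binaries the script runs takeown/icacls against.
$binaries = "$env:SystemRoot\System32\mpssvc.dll",
            "$env:SystemRoot\System32\SecurityHealthService.exe",
            "$env:SystemRoot\System32\drivers\mpsdrv.sys",
            "$env:SystemRoot\System32\drivers\WdNisDrv.sys",
            "$env:SystemRoot\System32\drivers\WdFilter.sys",
            "$env:SystemRoot\System32\drivers\WdBoot.sys",
            "$env:ProgramFiles\Windows Defender Advanced Threat Protection\MsSense.exe"
foreach ($file in $binaries) {
    if (-not (Test-Path $file)) { continue }
    $acl = Get-Acl -Path $file
    if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings.Add("$file is owned by $($acl.Owner), expected NT SERVICE\TrustedInstaller (takeown)")
    }
    $fullAdmin = $acl.Access | Where-Object {
        $_.IdentityReference -like '*\Administrators' -and
        $_.FileSystemRights -eq 'FullControl' -and
        $_.AccessControlType -eq 'Allow'
    }
    if ($fullAdmin) { $findings.Add("$file grants Administrators FullControl (icacls /grant administrators:F)") }
}

# 4. The throw-away task is deleted on success, so its presence means an interrupted or failed run.
if (Get-ScheduledTask -TaskName 'privacy.sexy invoke') {
    $findings.Add("scheduled task 'privacy.sexy invoke' is still registered")
}

# 5. Cross-check against Defender's own view; the cmdlet fails (returns $null) when WinDefend is down.
$mp = Get-MpComputerStatus
if ($null -eq $mp) { $findings.Add('Get-MpComputerStatus failed; WinDefend is not answering') }
elseif (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Get-MpComputerStatus reports RealTimeProtectionEnabled = False') }

if ($findings.Count -eq 0) { 'No Defender tamper indicators found.' }
else { $findings | ForEach-Object { "TAMPER: $_" } }
```

The ACL check is the one that survives a later "repair": re-enabling the services and deleting the policy values restores Defender, but it does not hand ownership of the binaries back to TrustedInstaller, so a host that was once run through this script keeps showing up in check 3 until the ACLs are reset.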
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 56efdb5a0f10b5eece165de4f8c9d799
  SHA1: fa5de7ca343b018c3bfeab692545eb544c244e16
  SHA256: 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
  SHA512: 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 44ba883241781356672c747f95722676
  SHA1: 3e2729fb35638438cddb9eed2ad1388f68ba628a
  SHA256: 0c3ec0e12d5cf2edfe5599f79b379aa19476c253ecca52f841ffa3a050be6916
  SHA512: aad6d58c9276287870c4e49a02401dbb2cbcf276b9cd929b113b5488a7f7818a99a1f90aa604f6cc4c6d07a674adb11143aae2f0ca42723c3f22104f457b327d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 4f5907bfa3d56468f1dfb05873678925
  SHA1: 10c108e7a45a689d433f2f411b6d4f609040e5db
  SHA256: 2f951fec1ff11eab7e2ff4daedc7cf2cc2f1ad514512ee4aea3ace1e478be778
  SHA512: c0e5b99142fae6a5b2d98ca723adff6f11c252fbb0031e0b4d0a4836b3fb91873d0ce27f1279e8d281c0ceb6faeb19c3a363f7faabbae20f3e68178789d5f77c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 919892f94e1d646ea2e9a496bac85d9c
  SHA1: 1032269fcb6273d6a7f9c4b111b29c8332f08b33
  SHA256: d670df2827ac904ad5264106e86e4f52cb387ecb8de36fe062215d2f14a72c13
  SHA512: 8821366a2126c31bb6b1e5d19c27d1de425f65589188d571f5299ec59f3a2dfcd80b163d2c1b8729562d7aff3d6fb4b7e8ad702d6721df35fbedad940c4413f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: e51bd3897acaf87bf6b16fb92f6a118f
  SHA1: 09307608017ccf4f6e45664176a26a7dad789629
  SHA256: f2ebfb4511e07ded018e99ad722ddacb54991715e7d13b898adf3f4da4964958
  SHA512: 1b4026b86f78de2125cb3ca47399537ba2893ef7c95d6833e398abbe317487ab48fc204a44352350a522832bd63186cbfc71a831b6ee7a3d2797afdc9173a52a
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 80cdc1e50acc5eae448cd402b9dc485b
  SHA1: 0f073c545e59b8ee6c53745973629651d94fc100
  SHA256: 68b87a62fdc0b06c0e53222b7035f391d1e83bd2e06a3803ebbfebdca2a15058
  SHA512: 45c7d1ab23453ffd87d7518af7192933649c7e75b3e320ccf0a1ed2a6bfb9bdf7cd4da6e46128de0563c2577b985f1a360a14864543f5f4e8297155e4e6a2a3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 34738b7d5178dfc4830184e12dba2d1f
  SHA1: eb5351f3359a9ae16418be408c38cc6e383bc026
  SHA256: b0cfbf52493158ce32c5ae21aa23626be51b35c38aa24e5851d535b6766a0049
  SHA512: bf658e520fce2a690bc8a2d176f850a48479032f8b717053873104c140669e657e07189ee50ec5c327100f0248ff3001f23c118a8f522c08aad38a4f8798d44a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 8d7d7ebd567ffe82adc138fe95a65480
  SHA1: 74ab66720a36985189344c16131314a55d39d700
  SHA256: 6b0a3ec4e798b7f26450ba51783cc2554734ae6495c4a430761bb431a1818d21
  SHA512: 5b0f7f3fbda348c7d98e7d039450a872edf57bbb530c300a0a4a77e6663f9b5d3b94780e86e704cd30baed8724a9a050e255806c1ddc54069a45cd47701bb5c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: c857f7279a3420155c29f96ca6f30c6f
  SHA1: 186977cb692f28458a9a79f50db8823ee183a21d
  SHA256: b75243949de947af7adeb103f13416ac33f5519ba88bbb3cb3734cf701c75ac2
  SHA512: 1a6b63717ca8a71b1f1802f1d9ca563a6a85c4480a9ad3625619b162224f89e11c1feed714790340b5a084da65eadf1d2f61e46815df30945396d8faea87d69f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 990150b2adbdd1b82e2736e157b8e851
  SHA1: 2fcdcb3d7c9e845c0a96f851990de525d8a70fc6
  SHA256: 3ef4d4503f84293b9d1b34dc0619c746540e37c768f21003f4ee08809b9d117e
  SHA512: 18484b3ce27d90aecef3a5a06f93a7e9dc9a94de569429f96ac3b34d39b725e57839d4782d5a322b61eac42cdb79dd872ba09ebceb77a7c63e2462d460287bf4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 7c95bcff89ef685dee0e973616a3ec4d
  SHA1: f008143530a29323067154ec4ec6d70b5d132924
  SHA256: aa8983de63afed026c96f6f21403eb2523d2f864703a6b40535fc96994ce0472
  SHA512: 583ce3a2a60bf43067d993c40be3d1d77815579b5c49314334c61cd83c12242c95cbb76f416cfb3a8715b85b9f739e5d641ac9925133e1b54ee1f3e08c88e008
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: c857f7279a3420155c29f96ca6f30c6f
  SHA1: 186977cb692f28458a9a79f50db8823ee183a21d
  SHA256: b75243949de947af7adeb103f13416ac33f5519ba88bbb3cb3734cf701c75ac2
  SHA512: 1a6b63717ca8a71b1f1802f1d9ca563a6a85c4480a9ad3625619b162224f89e11c1feed714790340b5a084da65eadf1d2f61e46815df30945396d8faea87d69f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: c857f7279a3420155c29f96ca6f30c6f
  SHA1: 186977cb692f28458a9a79f50db8823ee183a21d
  SHA256: b75243949de947af7adeb103f13416ac33f5519ba88bbb3cb3734cf701c75ac2
  SHA512: 1a6b63717ca8a71b1f1802f1d9ca563a6a85c4480a9ad3625619b162224f89e11c1feed714790340b5a084da65eadf1d2f61e46815df30945396d8faea87d69f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: c857f7279a3420155c29f96ca6f30c6f
  SHA1: 186977cb692f28458a9a79f50db8823ee183a21d
  SHA256: b75243949de947af7adeb103f13416ac33f5519ba88bbb3cb3734cf701c75ac2
  SHA512: 1a6b63717ca8a71b1f1802f1d9ca563a6a85c4480a9ad3625619b162224f89e11c1feed714790340b5a084da65eadf1d2f61e46815df30945396d8faea87d69f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: ccfede9d62a265e44c9e27c933d072c3
  SHA1: d354fb0dce3ea1de47a450b4ff5a62012cc4d86c
  SHA256: c0ddf5ad77a4b18d913aef1045bbfb6974ef08beea1da759523ea2375d2a9536
  SHA512: 44e90d9326fddff4d21ce435cf41b42b6c47338ae0c0a9e9620afa174c94289574efa5cd97c196af622a92186af08e195785be854b43b74a9351a73346e35436

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 1c4a4af21bd9de12e584dfcc5250158a
  SHA1: 7cec73c63c4b1c3aeff3ebfeead8a2d299218ce8
  SHA256: 1a29fefe2a8341389cbc4a91d82900bb29914e740067eb04db6bb34ab06a4816
  SHA512: 10c5e6c30464650d92310307f32c837ac8b2931528a7b82a82068f6242a1b87671bfae0ae44db0b52cc443b6a5f388e2ec6866f16a69c2f806c97246ed5b8898

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 0a05bf665f7cfc8ec20796ab1e7d7467
  SHA1: f6acc52be8143fdb665df7039acda9f6991cbde2
  SHA256: d89a2b3a4d9bc9f0da7db2e0531ae1855cf5a4dfdccbdcda9971ad34e84c7f81
  SHA512: fedca4a178e40c6a4843b712559f3062579ee6ae3eb122a96ab098bca987a290937cb93e37461896435e199f34fddb6f9ce4947cc5975bbe0ced790a2dedbadf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a8c8c5d2ab0eb7b8a5f03416ff52a170
SHA1f5b50813a2805ecbeabbfdec7855eb1efe29a3c2
SHA256e90d999adbeeb2c76598ef6cd672c038127d0a6518d224c87f54244516414fe4
SHA5120e876333d04fb2ccd7302eefd6f38035a943661594c1ce21848494c1c88a9b3b83b8c2eca44049e957b11e58d94bb0d95cfcae4d988dbfcf9aba759066ed8c88
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5acc0d32dfc4b56b96712ac8841cae52e
SHA18aa13b372198e81a4b1e4a76843f23251facec87
SHA25666788499572422a5b036ec4d1efe37c5f147c59b80b724e0d16460b63ddba24a
SHA51230a3eef1e5f74c51da2bf79c39653b25bb4a34c62a0291a06c933bf3c5c0b785aed6d970e94f8f1a645f4763eb67ea7d75450c2c19aa52d7b5e1a46068d40d34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5acc0d32dfc4b56b96712ac8841cae52e
SHA18aa13b372198e81a4b1e4a76843f23251facec87
SHA25666788499572422a5b036ec4d1efe37c5f147c59b80b724e0d16460b63ddba24a
SHA51230a3eef1e5f74c51da2bf79c39653b25bb4a34c62a0291a06c933bf3c5c0b785aed6d970e94f8f1a645f4763eb67ea7d75450c2c19aa52d7b5e1a46068d40d34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
f154a77c5f714ad88623e552538df9d0
SHA1
936bcddc3fcba1965772802d797e934d8439282c
SHA256
bc6ae7743f2b930e2c9a6b08c7e3496540054eb873be8935cf30e324f71964b2
SHA512
b79656111e590b5c3104dd400e62a0df741aba4b725dc75cf26b4a7ab4dc9afa4b2da6a9a5280c467b8279d29c1c207526e13fbe053f46d9c2c25a0c1abebf51
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
343aeafbf239c3543635ffc58a245ffe
SHA1
e89d2c14be7c065c2d7a3cbd4be3e4241c73e1d3
SHA256
b8e38f0f800176e0c7a2f0031423ec5af0895ad257b9d04168cac0e0d80e955f
SHA512
153f40754770a033172df771063f1b52d2858367c0912eeec47a183e375866018286221a623a3c3d63f94c153f5e14846e8e8b7cb4ea050500b3e6d1b0784b4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
597941d23201a86ba7565c909f76e6a2
SHA1
f350cef2596b2d9728ca36c161844cd2d7d712b6
SHA256
947e827d5f8306acf47a957b8ec2830f87bafca8b4ac29c1044c074a8c443605
SHA512
bedc80966506641d01907873cc270193701a6061476ad75627d1560abab516c52fc31da0ab8c0f9743cb5d81be98f7b05b5b800c6ef5b2431fef638a0e2d6d29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
353e435e7f4e4a708699d7515bfd0d6d
SHA1
a7ea602cebba95000de110aa2caa7480c3021d1c
SHA256
a68b7515093cd3392c6428675ea11b5e6c7bee886b859b88a2bdbfc637fa1e92
SHA512
5601689c27c53a8c6a9887e79bf3b4c047a0cab388c540e27129dad9efbc474741a405ba3beedddb536737352f93e6136f1b61b6d6e2a759bde6a9948175706b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
acc0d32dfc4b56b96712ac8841cae52e
SHA1
8aa13b372198e81a4b1e4a76843f23251facec87
SHA256
66788499572422a5b036ec4d1efe37c5f147c59b80b724e0d16460b63ddba24a
SHA512
30a3eef1e5f74c51da2bf79c39653b25bb4a34c62a0291a06c933bf3c5c0b785aed6d970e94f8f1a645f4763eb67ea7d75450c2c19aa52d7b5e1a46068d40d34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
ccfede9d62a265e44c9e27c933d072c3
SHA1
d354fb0dce3ea1de47a450b4ff5a62012cc4d86c
SHA256
c0ddf5ad77a4b18d913aef1045bbfb6974ef08beea1da759523ea2375d2a9536
SHA512
44e90d9326fddff4d21ce435cf41b42b6c47338ae0c0a9e9620afa174c94289574efa5cd97c196af622a92186af08e195785be854b43b74a9351a73346e35436
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
9284b1af001480c1928ea82370abbe62
SHA1
7edd2c3ce1644ea5e81a313d8c7b989cb7682eed
SHA256
baabb8d5bea05a7e2cf722d966bc725ee04ee4c0b3569e68097283519e1132bc
SHA512
da09bb87838698a08e3f522ecf6b9f1ac7c6f5ef336b075b981fb8ec5ebaf030f4147b7cfe7f99cf33b74d2594d5e786e7e70a73b8a7740b063196f586442b38
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
687fb1b8765c0ff4180f7f3d42cd8e58
SHA1
255522574e6dc46911ade1b5cc5a656c8a15f2d3
SHA256
6e6aec1ec1ab9a3a38b9015405e708ef4998baf4d8e7932910d05b72282f50d7
SHA512
1941d8792a6d76a14495195fdcdf4268670b66abe7e84a4dbb0d0a4d93e85a4bf202af52faa650ae22e5c6c7d77e1755ac91de41ef74cf2e4d70d9317a57a4c5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
fa98fe710cd156a01bf90ae9e75cea89
SHA1
fbb52911e676f38473d24e1569a6991f75e6bd9d
SHA256
9727a5b76a5df9f17cc725ddc697559cc2c38b4633830d76238438c6d22ae520
SHA512
00b51f183049c346dcc411a2ce0dd60baba189cccb8d2810e0f37c24fa0bfbc4736d93e3744380cdd566602341315e4412532fae866ab6f62475c7588f48e399
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
433cdd4bd9e7d6935e8f49825fd6570c
SHA1
17707e7071ace2bd712b7c8cf5e1c41c164b8280
SHA256
4762b99b81861d8064fc894dffbc7e25e44612e213deafca0ba81f16805825aa
SHA512
05ffff9d4effdcc6bb30910008bcbbaadb9dc8dab011ead445e852644fd4507364ca82fbccab55e421b2506868db22e708b7d14a705a43200f619fc243da7fc0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
3de52b7abef4592e64e4b94e21f869aa
SHA1
b803777078d7ad980ad2917d94ddc538114e9c38
SHA256
32acaf6cfc22a3fd336c3a7b6ac4e6041af19104926310718a7ff17abd3e42e5
SHA512
ca60376e2a88864dd1f766dd70da2fe0eb6ae10a296ccf871e502aad76d00a4dee65d59bd3373f684959a9dbf062416768e569a3e8d0093a6cd53519d5093aab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
4c1e588d43fa18b664691b4a8028472e
SHA1
0041aa2d01010192a9aa88cb4fb02a25738e2f83
SHA256
6355799405864ec0c92152890c880fda1e2d9a430376fd6d1c20e9fa7d05812e
SHA512
e543c2d1b286bb8e2d818362e4c99881406c80c98472c22b9ded56be978834fc600302432e1c924fbb9d6e9763d67d247794632f4b68a3c52cb48f825264577e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
4812065441eca92dd19ae1f7a531c9bc
SHA1
578dfac7e53eda6b500627c67e6be84082be3883
SHA256
974194cf6e49e9cbb8f7c6b9021d1769b5d8c2e7c99d4e89c4697e0c0d09f1f6
SHA512
75ed3ca6b0cee3ef8074fc7b4297fd5ac8e5be96a02a87c7c2e7bf33fd4d6808a14751d6e98e5a3f44dd0ce5079ab1995d421d1129914d61d51481c8be0dc22d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
7f09942e96e518ba4e472da85544d268
SHA1
2d7323b3ce7f27a2aedfd67a631b709acba7905e
SHA256
2a6090f37df26020e5a096df3ad737db510ed5ea395de142e5ea231679ab5624
SHA512
652f32d7bdd8a10e6d6cf9b3728d590d3933ed6c5d6240042e65caca9b15ea7ce3b89f63a8d69db3afb953b479d950fb3d7c18078edda310db0453b53be2e65e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
40b7070052f59e9731a083de655e8f23
SHA1
e3192708ce837d532e6667483f62687dcf6879ad
SHA256
200c9e0d73c2400235326da4f9af246848f4076a644441a42732f7066af02067
SHA512
21d7b8c64c0bbf943b9011bd56f8af58d1508096ec257f77ef2c45625ccabdbe3d2f8c518c76c2af27d3bd08a81c8725c1dcf759aaced8a918c81a3b16a10948
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
83b4baf45dc58c8bf3147754063b9cb3
SHA1
eb09435d818d0928e3181508f75841c43fe192d5
SHA256
0f6e39e995529bd14d8dcb6cef0d0e8f2694e64966c67da136c44d4b7268256f
SHA512
d6ae0ab936f4af485d8959391f3d8d3b18ff23e58d0e7a50d09561001155ad5256059444320fb3b602b606757b70ce428f57341ad0dc5315fa6bbc80c3ae32ac
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
48bb5cdfd723b823cec4588f09b31bbf
SHA1
eb52da64dadf6de15190ffe35eb87db976162d9a
SHA256
f0f1b50be9ad6cacf4e18f1c6274d61683afd0dfe0898e0b314f975c0cb613cf
SHA512
66214db3e1cbd63f04c984c75ea1ce4d93477e60f2382440dc7f8fe402886b60d378a6a1f703e23f5ed759809c938673255441fa9904ec1d9b4db1a43bd1f4fe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
e2f5358c3dc79840a9290ad277857fd7
SHA1
5dd25757a3cc83e2695bc6ff68254741a6b628e7
SHA256
63ef1301ac0ca8f0d57fca3483a36e8ee0994c018cbcaf23217d4dc9a7c3abaf
SHA512
27dff4fe511199504a2879f106f5d455011293381a0b070ed0e738d0d97d057950b747ad43371f1b051ef6f17232280102bd6b16ad698e9bebf4c6ebf3e03956
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
40b7070052f59e9731a083de655e8f23
SHA1
e3192708ce837d532e6667483f62687dcf6879ad
SHA256
200c9e0d73c2400235326da4f9af246848f4076a644441a42732f7066af02067
SHA512
21d7b8c64c0bbf943b9011bd56f8af58d1508096ec257f77ef2c45625ccabdbe3d2f8c518c76c2af27d3bd08a81c8725c1dcf759aaced8a918c81a3b16a10948
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
955cde33cb9a4dc130cc23c27c096ea0
SHA1
fd048b7cc4e5a80f40233244790e5c5f69d94383
SHA256
0481cefa2c7128b87af082e22142d72a550b9532f16f4e4476b6b70fd9c61bef
SHA512
eb772138015ffb9c6307e9c035a8f60906c16c4c83d67b85fd8bab31d03c01a82257e77006c3be01705016c996b947084322b22bb8ad8f263214791ff4567e36
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
36676bacda3399c020c6a68a04c5c5ee
SHA1
bc5c92f2fee35d274a5928e9c799d3e8b66cf567
SHA256
645b6f1cb6e89631e91941ca2ce5ec0363e2e684f5fafa6960bbdcfd0a8e6d48
SHA512
34a68ad5d7260bd3e32890e446bf8a07268026cf79d4dbfedf2fde9f2a845b82792aad915f01bd110c2f4cbefc65e499ee84a80d37467a274d2556a6e05df4fe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
c5c81cbb190c3e0c50752c0e20dc987a
SHA1
c684e56761540548fb034d4ab836acda56325ce2
SHA256
8b0476220670958ed591561d6ccd7577a83b8dcd233fb3a98a54b695c71c1c13
SHA512
1354eef1de7011880f7c8abf0380d6f31b504ccbdb35afb82709a5d3c897eab25c03682c05d2e781d65919cb1cb241ad582bd77cf80d3d961882ea36f6157ba7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
3a60f6da42c7a3a6330632c1b945ee2c
SHA1
3150319cc065ac748887937faf50deebe8137ad9
SHA256
9bdad562db7cf71899195f331e7bead9a1cf722d7f132bcf56ea288f5daed70e
SHA512
2805a5297151d0de97a2e4b28dc9f47d4b80df7a3ee49cb46977abb9a81c3bdd19b944c786a71494f168673bf26a3950766d22de91afd07c7549c24b73e71219
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
bcf036c51bd403de6184995d26016ae9
SHA1
2438012bd489c6b641b1302b524e29daf56d63ce
SHA256
0e12f66eae92dc7e8256ce68be0aefca8b87108f43a5257bd43f87e2521fb65a
SHA512
6c04731592957d24434e22e1772e5136d3e37934fd1b6775e92a0703179540a00d1aef50c3dad8eec5ce3b52eaa9958a778d217d19ebb533b59d46c18fdff129
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
9b184e89442e585c61a5c0009d8d4988
SHA1
8bba8533a0f0b7ca6edef7445d111d72914ce3ac
SHA256
3c8016df5faa3eea710534e385922aa62be096c6f3f464466eb75d4db1ea136e
SHA512
ea4c714710d0970cba1f0aa696a6af76b54c14a6e6a6cee6de2e9f48912a053370fb92d3f262d7730d110ab75970cebecfc95fb7f013b9ab9a5e24e7ed3580a3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
7e9d9b4b86480608b0194bb2314f4007
SHA1
3e71a401952b704225c00bebfe14b71c30f94cc9
SHA256
5190e8ef4cc64f37d073841fdd06561ecd80b05940ee28a9ca8cffa1527a179c
SHA512
b01ff18ff39ae7533ccb0aa1a25a393f39423b5e70ff0bfbf0204065cc2f14b37da393a5bba51671b8c5a1684cb2480f85f42400d8ab965b815aaec8c9cddad0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
88f9cc9c43167cd330be4c22f37ea2df
SHA1
914de56005403a42ebe7107983833be1f0d2154e
SHA256
725618e76cc6d82cd470ebd9a7b2903441369cdd972288e7a3624f717805f833
SHA512
66a33c0f08a33d0fdfa1f8888ca060e5476dfa4c1767ded8c17e36e2160f646aa02dd2c86ae970658da12b8fafe67cb0f212603b6ef38264c0fcfa34b036eb85
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
4299de3483a0c946b95b7942c1f2778d
SHA1
b1535cf0ce2e1f44c05e0f3aac44571a5e0fc705
SHA256
a799c2b386c021f9a803f1f2c7992c6a1295fc2647374e1d82e8df10acf1d82e
SHA512
2351e8e222237ea2a5c6d61a2bbd28adff4b6e6c77e5cfdc72684a12ad4618f1401ed5c31c1cfaf6eca132122d0fbb150889096b46a1051ac6a05b60ecd17d6a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
6eb967f227b91474aa1082e2f7f7755d
SHA1
8935637e5911a2da4fea2922a5f1d8864b8715b6
SHA256
7d5cc9ea8bdd77ca2b6802876deca837e1d09b001f66c0db827719d98279c0fd
SHA512
e2dcded721de5f1abcb4c932f54bdcfe0c0a8b64fb56c0c3aabdc196a3abef3b97faaa6d4692477853edb1206b09ab5cebbdddc1c237b45e57a84f9ac5b04b84
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
f8667bc8e3469b91072645a4b597f144
SHA1
07542c2f8ffc5e54cae212fc5821ef085cf7561f
SHA256
cf54c79d18b372457b0db6ad279a15bfecffb9e550c925a6652e1e281a08625d
SHA512
ef9a51db5f61ff695d573bed52f2d881ce575bc206f7001fa0f74cd297ff6693012c04260d17a9b3d10f2212a4e64748eea5c0076863e3e34b9f1aa689fe856f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
07273162f5c18a38976d137845e28930
SHA1
7371f7a532e416d73608ca9313bcdda521795286
SHA256
ec47b9814e498e37cbdccd9f0d59ae8de2897d76d9c16a34207d2d1b9426ddb3
SHA512
04857b9a7b6fef569f5924dbf1351f1be5915fa2c1585cfb4b9d221a99bc3961e1b591b6fba2f0a94706fe9aa30f264ebd21c998ecb300d2c62b599bccc5be56
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
96169a7ce8c3643fb1ff9e82dcd6950f
SHA1
516723f49077ac01175dba70f4673909cc64a1db
SHA256
8617361e51f202c74c0ae4f91b2f822ece238d95fe91b82925aeeb7916b55d79
SHA512
9a8c08c3e053cf27b0115e72cef5156c8c232413dc9d99b5f8afd48541ba1dc64916338f160e871e45023b73d08d19ccc7fdc4b7096b74429c90eb509abb9b32
-
memory/64-389-0x0000000000000000-mapping.dmp
-
memory/188-290-0x0000000000000000-mapping.dmp
-
memory/216-699-0x0000000000000000-mapping.dmp
-
memory/400-968-0x0000000000000000-mapping.dmp
-
memory/428-1225-0x0000000000000000-mapping.dmp
-
memory/548-263-0x0000000000000000-mapping.dmp
-
memory/588-1223-0x0000000000000000-mapping.dmp
-
memory/656-288-0x0000000000000000-mapping.dmp
-
memory/692-865-0x0000000000000000-mapping.dmp
-
memory/1020-116-0x0000000000000000-mapping.dmp
-
memory/1032-282-0x0000000000000000-mapping.dmp
-
memory/1172-866-0x0000000000000000-mapping.dmp
-
memory/1236-141-0x0000000000000000-mapping.dmp
-
memory/1352-967-0x0000000000000000-mapping.dmp
-
memory/1416-593-0x0000000000000000-mapping.dmp
-
memory/1532-592-0x0000000000000000-mapping.dmp
-
memory/1620-115-0x0000000000000000-mapping.dmp
-
memory/1812-1222-0x0000000000000000-mapping.dmp
-
memory/1936-129-0x0000000000000000-mapping.dmp
-
memory/1936-390-0x0000000000000000-mapping.dmp
-
memory/2240-700-0x0000000000000000-mapping.dmp
-
memory/2296-698-0x0000000000000000-mapping.dmp
-
memory/2628-753-0x0000000000000000-mapping.dmp
-
memory/2684-696-0x0000000000000000-mapping.dmp
-
memory/2848-1068-0x0000000000000000-mapping.dmp
-
memory/2860-138-0x0000000000000000-mapping.dmp
-
memory/2928-143-0x0000000000000000-mapping.dmp
-
memory/3016-1123-0x0000000000000000-mapping.dmp
-
memory/3292-1224-0x0000000000000000-mapping.dmp
-
memory/3300-289-0x0000000000000000-mapping.dmp
-
memory/3464-140-0x0000000000000000-mapping.dmp
-
memory/3500-493-0x0000000000000000-mapping.dmp
-
memory/3500-144-0x0000000000000000-mapping.dmp
-
memory/3532-492-0x0000000000000000-mapping.dmp
-
memory/3748-490-0x0000000000000000-mapping.dmp
-
memory/3796-693-0x0000000000000000-mapping.dmp
-
memory/3800-126-0x0000021D3AFC0000-0x0000021D3B036000-memory.dmp
Filesize
472KB
-
memory/3800-123-0x0000021D3AE10000-0x0000021D3AE32000-memory.dmp
Filesize
136KB
-
memory/3800-117-0x0000000000000000-mapping.dmp
-
memory/3820-692-0x0000000000000000-mapping.dmp
-
memory/3932-489-0x0000000000000000-mapping.dmp
-
memory/3968-966-0x0000000000000000-mapping.dmp
-
memory/3992-200-0x0000000000000000-mapping.dmp
-
memory/4076-1067-0x0000000000000000-mapping.dmp
-
memory/4088-139-0x0000000000000000-mapping.dmp
-
memory/4232-754-0x0000000000000000-mapping.dmp
-
memory/4276-1069-0x0000000000000000-mapping.dmp
-
memory/4332-810-0x0000000000000000-mapping.dmp
-
memory/4336-238-0x0000000000000000-mapping.dmp
-
memory/4456-867-0x0000000000000000-mapping.dmp
-
memory/4488-969-0x0000000000000000-mapping.dmp
-
memory/4560-695-0x0000000000000000-mapping.dmp
-
memory/4568-244-0x0000000000000000-mapping.dmp
-
memory/4608-811-0x0000000000000000-mapping.dmp
-
memory/4708-697-0x0000000000000000-mapping.dmp
-
memory/4720-694-0x0000000000000000-mapping.dmp
-
memory/4732-137-0x0000000000000000-mapping.dmp
-
memory/4796-199-0x0000000000000000-mapping.dmp
-
memory/4800-809-0x0000000000000000-mapping.dmp
-
memory/4820-198-0x0000000000000000-mapping.dmp
-
memory/4864-136-0x0000000000000000-mapping.dmp
-
memory/4880-491-0x0000000000000000-mapping.dmp
-
memory/4908-1070-0x0000000000000000-mapping.dmp
-
memory/5008-142-0x0000000000000000-mapping.dmp
-
memory/5028-219-0x0000000000000000-mapping.dmp
-
memory/5032-812-0x0000000000000000-mapping.dmp