Analysis
  max time kernel: 91s
  max time network: 179s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04-11-2022 19:52
  Static task: static1
  Behavioral task: behavioral1
  Sample: disable_defender.bat
  Resource: win10-20220812-en

General
  Target: disable_defender.bat
  Size: 134KB
  MD5: e430435cb58bf4b32f6c34662bf2399c
  SHA1: 68ef170abe380c4a9827abeaf37e3d9e8392b23b
  SHA256: ed9d9ca4e442cb52d81a61dbc3d9d613785b929a6536623fa5c0666edbf22f55
  SHA512: 6819be2bac9e1701c62b0409328998db2ab828540334c7567d467879bc2907bb37a3ff8bea115b7d4fca8b1eaed1e63a4d9ab607af3edcb726b5412dbbd80d03
  SSDEEP: 1536:N9qlzR+K/otrK/o5gINROhPCWi/uQ5t6s0Q9x32cqmWr8igtUdwy6HT3OcK/o3+e:N9qlc91N277c66t
Malware Config
Signatures
Processes: reg.exe (9), Conhost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealTimeScanDirection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | Conhost.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Processes: Conhost.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | Conhost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | Conhost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | reg.exe
Modifies firewall policy service 2 TTPs 8 IoCs
Processes: reg.exe (4)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\EnableFirewall = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | reg.exe
Modifies security service 2 TTPs 1 IoCs
Processes: powershell.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | powershell.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
3940 | takeown.exe
1448 | icacls.exe
1716 | takeown.exe
4264 | icacls.exe
Stops running service(s) 3 TTPs
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
1716 | takeown.exe
4264 | icacls.exe
3940 | takeown.exe
1448 | icacls.exe
Launches sc.exe 9 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (9)
pid | process
2468 | sc.exe
2276 | sc.exe
2064 | sc.exe
4396 | sc.exe
1576 | sc.exe
4340 | sc.exe
4572 | sc.exe
4844 | sc.exe
1144 | sc.exe
Modifies registry class 13 IoCs
Processes: reg.exe (2)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\PreventOverride = "0" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe (26), reg.exe (2), Conhost.exe
pid | process
3792 | powershell.exe
3792 | powershell.exe
2344 | powershell.exe
2344 | powershell.exe
1680 | powershell.exe
1680 | powershell.exe
1516 | powershell.exe
1516 | powershell.exe
4720 | powershell.exe
4720 | powershell.exe
4760 | powershell.exe
4760 | powershell.exe
3912 | powershell.exe
3912 | powershell.exe
4376 | powershell.exe
4376 | powershell.exe
5020 | powershell.exe
5020 | powershell.exe
5016 | powershell.exe
5016 | powershell.exe
3852 | powershell.exe
3852 | powershell.exe
4584 | powershell.exe
4584 | powershell.exe
1480 | powershell.exe
1480 | powershell.exe
4296 | powershell.exe
4296 | powershell.exe
1856 | powershell.exe
1856 | powershell.exe
1072 | powershell.exe
1072 | powershell.exe
3636 | powershell.exe
3636 | powershell.exe
664 | reg.exe
664 | reg.exe
4284 | powershell.exe
4284 | powershell.exe
5016 | powershell.exe
5016 | powershell.exe
2336 | powershell.exe
2336 | powershell.exe
1596 | powershell.exe
1596 | powershell.exe
4288 | Conhost.exe
4288 | Conhost.exe
2340 | reg.exe
2340 | reg.exe
4124 | powershell.exe
4124 | powershell.exe
2040 | powershell.exe
2040 | powershell.exe
3100 | powershell.exe
3100 | powershell.exe
4060 | powershell.exe
4060 | powershell.exe
1788 | powershell.exe
1788 | powershell.exe
4284 | powershell.exe
4284 | powershell.exe
4344 | powershell.exe
4344 | powershell.exe
2336 | powershell.exe
2336 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe (3)
description | pid | process
Token: SeDebugPrivilege | 3792 | powershell.exe
Token: SeDebugPrivilege | 2344 | powershell.exe
Token: SeDebugPrivilege | 1680 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1680 | powershell.exe
Token: SeSecurityPrivilege | 1680 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1680 | powershell.exe
Token: SeLoadDriverPrivilege | 1680 | powershell.exe
Token: SeSystemProfilePrivilege | 1680 | powershell.exe
Token: SeSystemtimePrivilege | 1680 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1680 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1680 | powershell.exe
Token: SeCreatePagefilePrivilege | 1680 | powershell.exe
Token: SeBackupPrivilege | 1680 | powershell.exe
Token: SeRestorePrivilege | 1680 | powershell.exe
Token: SeShutdownPrivilege | 1680 | powershell.exe
Token: SeDebugPrivilege | 1680 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1680 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1680 | powershell.exe
Token: SeUndockPrivilege | 1680 | powershell.exe
Token: SeManageVolumePrivilege | 1680 | powershell.exe
Token: 33 | 1680 | powershell.exe
Token: 34 | 1680 | powershell.exe
Token: 35 | 1680 | powershell.exe
Token: 36 | 1680 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1680 | powershell.exe
Token: SeSecurityPrivilege | 1680 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1680 | powershell.exe
Token: SeLoadDriverPrivilege | 1680 | powershell.exe
Token: SeSystemProfilePrivilege | 1680 | powershell.exe
Token: SeSystemtimePrivilege | 1680 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1680 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1680 | powershell.exe
Token: SeCreatePagefilePrivilege | 1680 | powershell.exe
Token: SeBackupPrivilege | 1680 | powershell.exe
Token: SeRestorePrivilege | 1680 | powershell.exe
Token: SeShutdownPrivilege | 1680 | powershell.exe
Token: SeDebugPrivilege | 1680 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1680 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1680 | powershell.exe
Token: SeUndockPrivilege | 1680 | powershell.exe
Token: SeManageVolumePrivilege | 1680 | powershell.exe
Token: 33 | 1680 | powershell.exe
Token: 34 | 1680 | powershell.exe
Token: 35 | 1680 | powershell.exe
Token: 36 | 1680 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1680 | powershell.exe
Token: SeSecurityPrivilege | 1680 | powershell.exe
Token: SeTakeOwnershipPrivilege | 1680 | powershell.exe
Token: SeLoadDriverPrivilege | 1680 | powershell.exe
Token: SeSystemProfilePrivilege | 1680 | powershell.exe
Token: SeSystemtimePrivilege | 1680 | powershell.exe
Token: SeProfSingleProcessPrivilege | 1680 | powershell.exe
Token: SeIncBasePriorityPrivilege | 1680 | powershell.exe
Token: SeCreatePagefilePrivilege | 1680 | powershell.exe
Token: SeBackupPrivilege | 1680 | powershell.exe
Token: SeRestorePrivilege | 1680 | powershell.exe
Token: SeShutdownPrivilege | 1680 | powershell.exe
Token: SeDebugPrivilege | 1680 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 1680 | powershell.exe
Token: SeRemoteShutdownPrivilege | 1680 | powershell.exe
Token: SeUndockPrivilege | 1680 | powershell.exe
Token: SeManageVolumePrivilege | 1680 | powershell.exe
Token: 33 | 1680 | powershell.exe
Token: 34 | 1680 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: cmd.exe, powershell.exe, powershell.exe, cmd.exe, powershell.exe, cmd.exe
description | pid | process | target process
PID 4500 wrote to memory of 4232 | 4500 | cmd.exe | fltMC.exe
PID 4500 wrote to memory of 4232 | 4500 | cmd.exe | fltMC.exe
PID 4500 wrote to memory of 3956 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 3956 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 3792 | 4500 | cmd.exe | powershell.exe
PID 4500 wrote to memory of 3792 | 4500 | cmd.exe | powershell.exe
PID 3792 wrote to memory of 3124 | 3792 | powershell.exe | netsh.exe
PID 3792 wrote to memory of 3124 | 3792 | powershell.exe | netsh.exe
PID 4500 wrote to memory of 5016 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 5016 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4784 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4784 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4852 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4852 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4748 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4748 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 3136 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 3136 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 1600 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 1600 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 3680 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 3680 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4348 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4348 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 2344 | 4500 | cmd.exe | powershell.exe
PID 4500 wrote to memory of 2344 | 4500 | cmd.exe | powershell.exe
PID 4500 wrote to memory of 2348 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 2348 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4380 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4380 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 1680 | 4500 | cmd.exe | powershell.exe
PID 4500 wrote to memory of 1680 | 4500 | cmd.exe | powershell.exe
PID 1680 wrote to memory of 208 | 1680 | powershell.exe | schtasks.exe
PID 1680 wrote to memory of 208 | 1680 | powershell.exe | schtasks.exe
PID 1508 wrote to memory of 1716 | 1508 | cmd.exe | reg.exe
PID 1508 wrote to memory of 1716 | 1508 | cmd.exe | reg.exe
PID 1680 wrote to memory of 5108 | 1680 | powershell.exe | schtasks.exe
PID 1680 wrote to memory of 5108 | 1680 | powershell.exe | schtasks.exe
PID 4500 wrote to memory of 1516 | 4500 | cmd.exe | powershell.exe
PID 4500 wrote to memory of 1516 | 4500 | cmd.exe | powershell.exe
PID 1516 wrote to memory of 1492 | 1516 | powershell.exe | schtasks.exe
PID 1516 wrote to memory of 1492 | 1516 | powershell.exe | schtasks.exe
PID 2260 wrote to memory of 4744 | 2260 | cmd.exe | reg.exe
PID 2260 wrote to memory of 4744 | 2260 | cmd.exe | reg.exe
PID 1516 wrote to memory of 4056 | 1516 | powershell.exe | schtasks.exe
PID 1516 wrote to memory of 4056 | 1516 | powershell.exe | schtasks.exe
PID 4500 wrote to memory of 4264 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4264 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4296 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4296 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4720 | 4500 | cmd.exe | powershell.exe
PID 4500 wrote to memory of 4720 | 4500 | cmd.exe | powershell.exe
PID 4500 wrote to memory of 3372 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 3372 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 4760 | 4500 | cmd.exe | powershell.exe
PID 4500 wrote to memory of 4760 | 4500 | cmd.exe | powershell.exe
PID 4500 wrote to memory of 4492 | 4500 | cmd.exe | schtasks.exe
PID 4500 wrote to memory of 4492 | 4500 | cmd.exe | schtasks.exe
PID 4500 wrote to memory of 2656 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 2656 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 376 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 376 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 2452 | 4500 | cmd.exe | reg.exe
PID 4500 wrote to memory of 2452 | 4500 | cmd.exe | reg.exe
Processes
Process tree (parent/child depth shown by indentation; each entry lists image path, command line, PID and the signatures it triggered):

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\disable_defender.bat"
  PID: 4500
  Signatures: Suspicious use of WriteProcessMemory

    C:\Windows\system32\fltMC.exe
      Command line: fltmc
      PID: 4232

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      PID: 3956

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Unrestricted -Command "if(!(Get-Command 'netsh' -ErrorAction Ignore)) {; throw '"""netsh""" does not exist, is system installed correctly?'; }; $message=netsh advfirewall set allprofiles state off 2>&1; if($?) {; Write-Host """Successfully disabled firewall."""; } else {; if($message -like '*Firewall service*') {; Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'; } else {; throw """Cannot disable: $message"""; }; }"
      PID: 3792
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        C:\Windows\system32\netsh.exe
          Command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
          PID: 3124
          Signatures: Modifies Windows Firewall

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
      PID: 5016

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
      PID: 4784

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
      PID: 4852

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
      PID: 4748

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
      PID: 3136
      Signatures: Modifies firewall policy service

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
      PID: 1600
      Signatures: Modifies firewall policy service

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
      PID: 3680
      Signatures: Modifies firewall policy service

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
      PID: 4348
      Signatures: Modifies firewall policy service

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'PUAProtection'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -PUAProtection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
      PID: 2344
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      PID: 2348

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f
      PID: 4380

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\Features""" /v """TamperProtection""" /t REG_DWORD /d """4""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"
      PID: 1680
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f
          PID: 208

        C:\Windows\system32\schtasks.exe
          Command line: "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f
          PID: 5108

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\Features""" /v """TamperProtectionSource""" /t REG_DWORD /d """2""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"
      PID: 1516
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f
          PID: 1492

        C:\Windows\system32\schtasks.exe
          Command line: "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f
          PID: 4056

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f
      PID: 4264

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f
      PID: 4296

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableAutoExclusions'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableAutoExclusions $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
      PID: 4720
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
      PID: 3372

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableBlockAtFirstSeen'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableBlockAtFirstSeen $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
      PID: 4760
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      PID: 4492

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f
      PID: 2656

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f
      PID: 376

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f
      PID: 2452

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'MAPSReporting'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -MAPSReporting $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
      PID: 3912
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      PID: 1204

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SubmitSamplesConsent'; $value = '2'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SubmitSamplesConsent $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
      PID: 4376
      Signatures: Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f
      PID: 3488

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f
      PID: 4548

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f
      PID: 360

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      PID: 3956

    C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f
      PID: 3632

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRealtimeMonitoring'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRealtimeMonitoring $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"
- Suspicious behavior: EnumeratesProcesses
PID:5020 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f2⤵PID:4888
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f2⤵PID:1324
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f2⤵PID:1788
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:980 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableIntrusionPreventionSystem'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableIntrusionPreventionSystem $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:5016
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:2488
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:4976 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableBehaviorMonitoring'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableBehaviorMonitoring $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3852 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:4596 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:220 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:32 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableIOAVProtection'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableIOAVProtection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵PID:1200
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:4744 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:4104 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RealTimeScanDirection'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RealTimeScanDirection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1480 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2164 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f2⤵PID:912
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵PID:4628
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RemediationScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RemediationScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:4296
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'UnknownThreatDefaultAction'; $value = '9'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -UnknownThreatDefaultAction $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1856 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f2⤵PID:2712
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f2⤵PID:384
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f2⤵PID:2464
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f2⤵PID:1756
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f2⤵PID:3888
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'QuarantinePurgeItemsAfterDelay'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1072 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f2⤵PID:3228
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f2⤵PID:1460
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'CheckForSignaturesBeforeRunningScan'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3636 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f2⤵PID:1444
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRestorePoint'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRestorePoint $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:664
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f2⤵PID:1696
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanPurgeItemsAfterDelay'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanPurgeItemsAfterDelay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:4284
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCatchupFullScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCatchupFullScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f2⤵PID:3320
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f2⤵PID:4860
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f2⤵PID:4344
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCatchupQuickScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCatchupQuickScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:2336
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f2⤵PID:4268
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f2⤵PID:4428
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanOnlyIfIdleEnabled'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanOnlyIfIdleEnabled $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f2⤵PID:2584
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f2⤵PID:4056
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanAvgCPULoadFactor'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanAvgCPULoadFactor $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:4288
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f2⤵PID:912
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCpuThrottleOnIdleScans'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:2340
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f2⤵PID:924
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableEmailScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableEmailScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4124 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScriptScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScriptScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f  2⤵ PID:3464
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f  2⤵ PID:2904
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScanningMappedNetworkDrivesForFullScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3100
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f  2⤵ PID:3920
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f  2⤵ PID:4112
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScanningNetworkFiles'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScanningNetworkFiles $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:4060
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f  2⤵ PID:1132
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f  2⤵ PID:2240
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRemovableDriveScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRemovableDriveScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1788
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f  2⤵ PID:4800
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableArchiveScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableArchiveScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f  2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2488
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f  2⤵ PID:1304
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4344
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f  2⤵ PID:2168
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f  2⤵ PID:5116
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RandomizeScheduleTaskTimes'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RandomizeScheduleTaskTimes $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2336
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanParameters'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanParameters $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:620
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f  2⤵ PID:4116
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f  2⤵ PID:2864
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableGradualRelease'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableGradualRelease $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:4780
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f  2⤵ PID:4616
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'EngineUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -EngineUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:3904
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'PlatformUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -PlatformUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4296
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DefinitionUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DefinitionUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:1664
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f  2⤵ PID:956
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureUpdateCatchupInterval'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureUpdateCatchupInterval $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:2556
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f  2⤵ PID:900
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f  2⤵ PID:4704
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f  2⤵ PID:2232
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f  2⤵ PID:4340
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f  2⤵ PID:2064
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureDisableUpdateOnStartupWithoutEngine'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:440
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f  2⤵ PID:1264
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:5012
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f  2⤵ PID:2312
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f  2⤵ PID:1912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureUpdateInterval'; $value = '24'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureUpdateInterval $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4060
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f  2⤵ PID:4856
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f  2⤵ PID:1344
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f  2⤵ PID:4984
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f  2⤵
- Suspicious behavior: EnumeratesProcesses
PID:664
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f  2⤵ PID:2204
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f  2⤵ PID:4048
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f  2⤵ PID:2288
C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f  2⤵ PID:1976
C:\Windows\system32\reg.exe  reg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f  2⤵ PID:4832
C:\Windows\system32\reg.exe  reg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f  2⤵ PID:3788
C:\Windows\system32\reg.exe  reg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f  2⤵ PID:2348
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f  2⤵ PID:2600
C:\Windows\system32\reg.exe  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f  2⤵ PID:4408
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisablePrivacyMode'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisablePrivacyMode $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵PID:1960
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f  2⤵ PID:1744
C:\Windows\system32\reg.exe  reg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f  2⤵ PID:4380
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f  2⤵ PID:4944
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f  2⤵ PID:4784
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration""" /v """DisablePrivacyMode""" /t REG_DWORD /d """1""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; 
Remove-Item $streamOutFile, $batchFile; }"2⤵PID:5116
C:\Windows\system32\schtasks.exe  "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f  3⤵ PID:3736
C:\Windows\system32\schtasks.exe  "C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f  3⤵ PID:620
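The two PowerShell wrapper shapes in this tree, taken apart in Python as an added example (not code from the sandbox or from the analysed script). The Set-MpPreference wrappers earlier in the tree carry the setting in `$propertyName` / `$value`, skip if Get-MpPreference already reports it, and then apply it twice, once through Invoke-Expression and once as a direct Set-MpPreference call. The wrapper in the entry just above writes a single `reg add` into a temporary .bat, registers the scheduled task `privacy.sexy invoke`, starts it through the Schedule.Service COM object with `RunEx($null, 0, 0, $trustedInstallerName)` so that it runs as NT SERVICE\TrustedInstaller (SID S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464), polls `LastTaskResult` while it equals 267009 (SCHED_S_TASK_RUNNING, 0x41301) and deletes the task; the two schtasks.exe children are that clean-up. The detour through TrustedInstaller is needed because `HKLM\SOFTWARE\Microsoft\Windows Defender` (unlike the Policies key used everywhere else) is not writable by administrators. The `"""` runs in the report are how a literal double quote survives the cmd.exe to powershell.exe argument hand-off. Both sample command lines below are constructed, shortened copies of lines in this tree, and the field names of the returned dict are this example's own.

```python
"""Pull apart the two PowerShell wrapper shapes seen in the process tree.

Added example for this report, not code from the analysed script. The sample
command lines are constructed, shortened copies of lines in the tree.
"""
import re

# Well-known service SID of NT SERVICE\TrustedInstaller (Windows Modules Installer).
TRUSTED_INSTALLER_SID = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"
# HRESULT the wrapper polls LastTaskResult against (0x41301 == 267009).
SCHED_S_TASK_RUNNING = 0x41301

# Constructed sample: the TrustedInstaller wrapper. Inside a cmd.exe-launched
# `powershell -Command "..."` a literal double quote is written as three quotes (""").
SAMPLE_CMDLINE = r'''PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration""" /v """DisablePrivacyMode""" /t REG_DWORD /d """1""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $batchFile = New-TemporaryFile; $taskName = 'privacy.sexy invoke'; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Force | Out-Null; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200 }; schtasks.exe /delete /tn """$taskName""" /f | Out-Null"'''

# Constructed sample: one of the Set-MpPreference wrappers, cut down to its skeleton.
SAMPLE_PREF_CMDLINE = r'''PowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableArchiveScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableArchiveScanning $value -ErrorAction Stop"'''


def unescape_cmd_quotes(cmdline):
    """Collapse the cmd.exe triple-quote escape back to one double quote."""
    return cmdline.replace('"""', '"')


def extract_wrapped_command(cmdline):
    """Return the command the TrustedInstaller wrapper stores in $command, or None."""
    m = re.search(r"\$command\s*=\s*'([^']*)'", unescape_cmd_quotes(cmdline))
    return m.group(1) if m else None


def extract_sids(cmdline):
    """Every SID literal in the command line, de-duplicated and sorted."""
    return sorted(set(re.findall(r"S-1-\d+(?:-\d+)+", cmdline)))


def extract_task_name(cmdline):
    m = re.search(r"\$taskName\s*=\s*'([^']*)'", cmdline)
    return m.group(1) if m else None


def extract_task_exe(cmdline):
    m = re.search(r"-Execute\s+'([^']*)'", cmdline)
    return m.group(1) if m else None


def analyse_wrapper(cmdline):
    """Summarise the TrustedInstaller-via-scheduled-task pattern."""
    sids = extract_sids(cmdline)
    as_ti = TRUSTED_INSTALLER_SID in sids
    registers = "Register-ScheduledTask" in cmdline
    runex = ".RunEx(" in cmdline            # IRegisteredTask::RunEx(params, flags, sessionId, user)
    return {
        "inner_command": extract_wrapped_command(cmdline),
        "task_name": extract_task_name(cmdline),
        "task_exe": extract_task_exe(cmdline),
        "run_as_sid": TRUSTED_INSTALLER_SID if as_ti else None,
        "polls_until_finished": str(SCHED_S_TASK_RUNNING) in cmdline,
        "trustedinstaller_via_task": as_ti and registers and runex,
    }


def extract_mppreference_change(cmdline):
    """Return (property, value) from a Set-MpPreference wrapper, or None.

    $True/$False become Python bools; quoted values such as '8' stay strings."""
    m = re.search(r"\$propertyName\s*=\s*'([^']+)';\s*\$value\s*=\s*(\$True|\$False|'[^']*')", cmdline)
    if not m:
        return None
    raw = m.group(2)
    value = {"$True": True, "$False": False}.get(raw, raw.strip("'"))
    return m.group(1), value


if __name__ == "__main__":
    for k, v in analyse_wrapper(SAMPLE_CMDLINE).items():
        print(f"{k:26} {v}")
    print(extract_mppreference_change(SAMPLE_PREF_CMDLINE))
```

The extracted `inner_command` is an ordinary `reg add` and can be fed to the same reg.exe parser as the direct reg.exe entries; the `task_exe` / `run_as_sid` pair is the combination worth alerting on, since a scheduled task whose action is `cmd.exe` running a file from the temp directory and whose start request names the TrustedInstaller SID has no benign equivalent in normal administration.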
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f  2⤵ PID:2864
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f  2⤵ PID:1516
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵PID:3188
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵PID:864
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵PID:912
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵PID:3164
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f2⤵PID:3236
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f2⤵PID:996
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f2⤵PID:544
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵PID:1328
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f2⤵PID:4964
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:3732
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f2⤵PID:3936
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵PID:2800
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender notification settings
PID:5040 -
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:4492
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:4512
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:1664
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:2232
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:2368
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:384
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'MpsSvc'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵
- Modifies security service
PID:3920 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:4600
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵PID:3464
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f2⤵PID:3948
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f2⤵PID:4688
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\mpssvc.dll"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WinDefend""" >nul & sc config """WinDefend""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵PID:2548
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:360
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:3488
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\mpssvc.dll" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1448 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdNisSvc""" >nul & sc config """WdNisSvc""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵PID:1912
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:1964
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:2316
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'Sense'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵PID:4860
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService""" /v Start /t REG_DWORD /d 4 /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵PID:2488
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:1356
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:2688
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'mpsdrv'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵PID:524
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\drivers\mpsdrv.sys"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1716 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\drivers\mpsdrv.sys" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4264 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'net stop """WdNisDrv""" /yes >nul & sc config """WdNisDrv""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵PID:4248
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:2864
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:4256
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdFilter""" >nul & sc config """WdFilter""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵PID:3904
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:3212
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdBoot""" >nul & sc config """WdBoot""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵PID:2232
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:2904
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵PID:3940
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:4384
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:3956
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:4572
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f2⤵PID:4416
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f2⤵PID:4104
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:2044
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f2⤵PID:788
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵
- Modifies registry class
PID:1792 -
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f2⤵
- Modifies registry class
PID:4112 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f2⤵PID:4544
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f2⤵PID:2432
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f2⤵PID:4632
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f2⤵PID:4164
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f2⤵PID:2548
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵PID:4060
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵PID:1964
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f2⤵PID:664
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f2⤵PID:1344
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f2⤵PID:4944
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f2⤵PID:4772
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'UsoSvc'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵PID:4696
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp99E4.bat" > C:\Users\Admin\AppData\Local\Temp\tmp99D4.tmp 2>&11⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f2⤵PID:1716
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmpBD0C.bat" > C:\Users\Admin\AppData\Local\Temp\tmpBCFC.tmp 2>&11⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f2⤵PID:4744
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies Windows Defender Real-time Protection settings
PID:1200
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp6B3E.bat" > C:\Users\Admin\AppData\Local\Temp\tmp6B1E.tmp 2>&11⤵PID:4100
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f2⤵PID:3044
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp783E.bat" > C:\Users\Admin\AppData\Local\Temp\tmp780E.tmp 2>&11⤵PID:1016
-
C:\Windows\system32\sc.exesc stop "WinDefend"2⤵
- Launches sc.exe
PID:2468 -
C:\Windows\system32\sc.exesc config "WinDefend" start=disabled2⤵
- Launches sc.exe
PID:4572
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp802D.bat" > C:\Users\Admin\AppData\Local\Temp\tmp7FFD.tmp 2>&11⤵PID:4748
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"2⤵
- Launches sc.exe
PID:4844 -
C:\Windows\system32\sc.exesc config "WdNisSvc" start=disabled2⤵
- Launches sc.exe
PID:2276
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp8EE3.bat" > C:\Users\Admin\AppData\Local\Temp\tmp8EB3.tmp 2>&11⤵PID:320
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f2⤵PID:1976
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp9D3B.bat" > C:\Users\Admin\AppData\Local\Temp\tmp9D1B.tmp 2>&11⤵PID:3188
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288 -
C:\Windows\system32\net.exenet stop "WdNisDrv" /yes2⤵PID:912
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WdNisDrv" /yes3⤵PID:4364
-
C:\Windows\system32\sc.exesc config "WdNisDrv" start=disabled2⤵
- Launches sc.exe
PID:1144
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmpA857.bat" > C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp 2>&11⤵PID:3124
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies Windows Defender notification settings
PID:3464 -
C:\Windows\system32\sc.exesc stop "WdFilter"2⤵
- Launches sc.exe
PID:4396 -
C:\Windows\system32\sc.exesc config "WdFilter" start=disabled2⤵
- Launches sc.exe
PID:1576
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmpB3C0.bat" > C:\Users\Admin\AppData\Local\Temp\tmpB381.tmp 2>&11⤵PID:3196
-
C:\Windows\system32\sc.exesc stop "WdBoot"2⤵
- Launches sc.exe
PID:4340 -
C:\Windows\system32\sc.exesc config "WdBoot" start=disabled2⤵
- Launches sc.exe
PID:2064
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 08f9f3eb63ff567d1ee2a25e9bbf18f0
SHA1: 6bf06056d1bb14c183490caf950e29ac9d73643a
SHA256: 82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512: 425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8f3040f26e17b8ad601db22eb9da9111
SHA1: 6fe1bda64a2a0c1d0ac14ba6a0bd1ed6632e00bb
SHA256: 37ed726be97668bad04d9c0a4b7ce8bfd209308740ad6125ef8c0bd3c9494abe
SHA512: 79e5c6ada2fd8dd9bec71b32c3f63c9261d57d19b2638e0aed0aac5d90e02a7ca62ac201e861b53c96c407496d461ed2e028ec3335ae0e87a58fe368f1630cfc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 1d6896c4c7da2a126b582f2a22782498
SHA1: 9ff9b706e69ff4e918a4a67a577eaf9ba0da01a4
SHA256: 59e8f1a75432dc4a0fdd84c2d6fdcb0c6b380e00a23274f1589f6101402b0ed0
SHA512: 6213d1e1f377dfda437fe22b117ec9d2a4d1e49c55f350e0818e01625f61a30fbe2d652790e69ab1aadc84c42f6ae7ce69566741827ec048369b4023d1c29823
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 152c62350ba0b7093738773845530b06
SHA1: ee1832530b5c2f3db58c5d3cd95afa36a9c56b9b
SHA256: 04ac6c0e1b3e37ff272ddf0b5e091df4c1db85c30f99bbfe2bc800ff01d944df
SHA512: ae28547c76f8d003771a041fc18926e0e4305ee208ab02974d25ddbdac77e92957dbbfb59374c78a62c9d08547c26a893160d044e6394fa337ea41b1114e9808
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 02a1a26525c65a359d41483180eaa6f7
SHA1: c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256: d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512: d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 36fea3c7bd7bf5f15ee1a748daae1f24
SHA1: c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256: bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA512: 6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: f5f268a3d8760169bde3db6e00da5e6c
SHA1: 00dc2443a967bf09147612f53ea5fc6a2cfb0b40
SHA256: b0f800d487f826601ef6a21ddd141c41d57182c1601e2adf1c0132b98c8d73b5
SHA512: c067de9cfefea861a08a29a1b10bcf93d360ec555bdd9fd24fb8f6ce6be432961a1acc4ccef786e953d86ef836db27fdef5fd5951930edd00e1c4fcfa3a9d67e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 02a1a26525c65a359d41483180eaa6f7
SHA1: c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256: d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512: d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 36fea3c7bd7bf5f15ee1a748daae1f24
SHA1: c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256: bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA512: 6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 36fea3c7bd7bf5f15ee1a748daae1f24
SHA1: c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256: bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA512: 6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 36fea3c7bd7bf5f15ee1a748daae1f24
SHA1: c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256: bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA512: 6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: e1fb26de120faadab3c093b78644964f
SHA1: bb587dd3b1ad8384b6d612bc4bb806f41562982f
SHA256: e1ce351162cae7e8671f980192da54b8440d309985687d8eef56fec0b3180a85
SHA512: 6e4d18e9506e72f90aea0c93d190b9817566bbbfa2409c1ae6ca98c2b81f8a2bd4204270ce951444d49dfc85c9f1b913952afe6b8fceea918dd97006cf322518
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 02a1a26525c65a359d41483180eaa6f7
SHA1: c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256: d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512: d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 75b4b2eecda41cec059c973abb1114c0
SHA1: 11dadf4817ead21b0340ce529ee9bbd7f0422668
SHA256: 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA512: 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 36fea3c7bd7bf5f15ee1a748daae1f24
SHA1: c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256: bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA512: 6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 75b4b2eecda41cec059c973abb1114c0
SHA1: 11dadf4817ead21b0340ce529ee9bbd7f0422668
SHA256: 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA512: 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 75b4b2eecda41cec059c973abb1114c0
SHA1: 11dadf4817ead21b0340ce529ee9bbd7f0422668
SHA256: 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA512: 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 36fea3c7bd7bf5f15ee1a748daae1f24
SHA1: c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256: bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA512: 6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 7acd834bec540dce186bea234404e6de
SHA1: 41d9ba20141beb093f5b5e4b1d1a2e68655f76da
SHA256: 80bc7eeffe4fe50e0a74fc9d5bc6d451161504af995bbe822bfa5b63c30ec601
SHA512: f4097f2c8f787663a67f1826c0df6656d0bb5ee01bf5adaf59cebe7e16da0d8246c707ec0c721f2d921310deb6ecd863424ea1ebad662c4dd72d5788d3e4e290
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 75b4b2eecda41cec059c973abb1114c0
SHA1: 11dadf4817ead21b0340ce529ee9bbd7f0422668
SHA256: 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA512: 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 02a1a26525c65a359d41483180eaa6f7
SHA1: c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256: d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512: d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 4b25154ab577f1b4ea3d21bf50fd98d7
SHA1: c090af4774e83d67c9f77d5049caa72339f20b78
SHA256: dc6cdea40271ac60b15363c4354c5c89078e892cb0732be22fbc026deb5f689d
SHA512: a8a9b4ccee60a6ca8645189008b608a8102dd5cd1aa95fa519b62484cff791130e34b2361f840066b7dac96db93c2863fc5fdbde614f9518374cb7064cc30953
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 02a1a26525c65a359d41483180eaa6f7
SHA1: c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256: d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512: d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 02a1a26525c65a359d41483180eaa6f7
SHA1: c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256: d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512: d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 02a1a26525c65a359d41483180eaa6f7
SHA1: c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256: d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512: d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 36fea3c7bd7bf5f15ee1a748daae1f24
SHA1: c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256: bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA512: 6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 93cb4762051c76ef612cb1d1d3d2239b
SHA1: 422e15da3533916c8c202f10419ae256d3294b98
SHA256: 2a71d735c4783ea63445e7a9edbed8d284dd0127a97419e7274aac2c14bfe6c1
SHA512: dd125954450fcd5eb4804852478b8d2356c60ad03441996aff0163b293fe5f40d3cf5c3130690896c0cf12d7f48c3d36a0bbed5a996413d4672a706a83852b34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 36fea3c7bd7bf5f15ee1a748daae1f24
SHA1: c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256: bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA512: 6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 61ad12851f296507524bc2d70ed4a928
SHA1: 1c083f0edadf5e7d6f4efec6ffea44bfc57d9656
SHA256: 71bdb47e552049516c76f9fe8fe67018a4f3a27b82682e73efe8814f6feb1094
SHA512: 0f50008a39d9416d3efcf2bf2f36997330f532fb690bfcef9660d0a49c2b740806b6744959d8134148e51a240b671af0e39570532278dd207e9d9abeab71fb23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 36fea3c7bd7bf5f15ee1a748daae1f24
SHA1: c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256: bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA512: 6ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 66898dbf1d1f32af63256328731f2c9e
SHA1: 21f5828b21fae6d81e57a11e113440c95e1752de
SHA256: 258ea4ccbc181f6b86d3a819981d9cf526950f1aa7517b12cda14b856aad8c90
SHA512: 65ab1f1224ba418a733b6fe9aecead3c97cb92bf236ffddd77ab70361d81d3d02c24e45c7db1019724d52a0556e2248ed23f696cb49b970efce0bba1666b5e94
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 0917d0135cdf3e553fcc13dc5c8315d6
SHA1: da45cc5fa86ab25bfdeb0b54a09b9ea47413b6b3
SHA256: 1c36c4e7036fbc38a4b5bd412975a03dd0917d285a599c2885d2c61d98927492
SHA512: 776de122588d678b467876339800ca08884d9568a2acfc11390c488214a2a540f3fa10854311bf21fb2dda2e069220d16f422b097f20b45981f0a0c448b1172c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 8b591dabf3d165412ca5160b0fc9f7a0
SHA1: 7f4003f64d280a98099a799b7303ab94adfea747
SHA256: d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA512: 57aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 9e1c88335b2e7e17ee2088c29be44125
SHA1: 2942039db622f5683c8273b1952fbe9b4071560b
SHA256: 9727800fe334f3bd85422c0a34237a46ddba4e2c7daa9e71459934346e454bce
SHA512: 7895b35f842a988d135c504a30b80578f8414da7bec7d091021dc5c01e76fdc5ae783a6f31bee880efd332d02eb6a0ea7df11f7f8dccbe83f6dc1d5490287975
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 4736cfe1a1af9bf38a4dac453690b773
SHA1: e4f25d47f7d5342259f100bd8daf9f29956846e8
SHA256: 327c8466f59c70eec25ca39c2f15846c7cb862328e30ced0a3654d3ec113c6f6
SHA512: d77676db6c482cc9e4f369dce8922c7764b1c11191d6ea480d458a227b22148578b2863d265da68ab20161e9e765406e32b0ea675f7b372914d94ff153c4144b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 152c62350ba0b7093738773845530b06
SHA1: ee1832530b5c2f3db58c5d3cd95afa36a9c56b9b
SHA256: 04ac6c0e1b3e37ff272ddf0b5e091df4c1db85c30f99bbfe2bc800ff01d944df
SHA512: ae28547c76f8d003771a041fc18926e0e4305ee208ab02974d25ddbdac77e92957dbbfb59374c78a62c9d08547c26a893160d044e6394fa337ea41b1114e9808
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: c6b29e43ed80d889b3ffa1387797c22b
SHA1: 8623f793db4401197f98b11bf7a5246ee09ddd55
SHA256: 9516d609d0ebfb6f35bc87171de5712aca2d5ab680c2594f795ce67ac14e2b93
SHA512: 5be9b41197b552affa5e003358e9fa77ba6b8c3e36c241e8a8cba3036420bbca74c695f1123bcc9d0d59a945f3e0f79a1744cbf54133faa8be27979e827529cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: dfcfbbe4ed41fafc0e9e9f432da33452
SHA1: 2a7355283a4e8838683d6cea4896631d26fac082
SHA256: b0d3194cf003906de3e757dcbd5a402682d61c5b2b3806ba54c2564de697039e
SHA512: 74c0f6f72a539c6bb714161e30ae664a67f40c230fa00a29022720b8c15b6e46e7414924bdc1032634ef8db3e01f801737d0d532f1a1abef49b8131f2aa4de64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: c6b29e43ed80d889b3ffa1387797c22b
SHA1: 8623f793db4401197f98b11bf7a5246ee09ddd55
SHA256: 9516d609d0ebfb6f35bc87171de5712aca2d5ab680c2594f795ce67ac14e2b93
SHA512: 5be9b41197b552affa5e003358e9fa77ba6b8c3e36c241e8a8cba3036420bbca74c695f1123bcc9d0d59a945f3e0f79a1744cbf54133faa8be27979e827529cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 4736cfe1a1af9bf38a4dac453690b773
SHA1: e4f25d47f7d5342259f100bd8daf9f29956846e8
SHA256: 327c8466f59c70eec25ca39c2f15846c7cb862328e30ced0a3654d3ec113c6f6
SHA512: d77676db6c482cc9e4f369dce8922c7764b1c11191d6ea480d458a227b22148578b2863d265da68ab20161e9e765406e32b0ea675f7b372914d94ff153c4144b
-
C:\Users\Admin\AppData\Local\Temp\tmp6B1E.tmp
Filesize: 40B
MD5: 13015015dd907d28996153df14881252
SHA1: 532c595baae0a027d02d1b28d7b83d57350a310e
SHA256: 4499283166530ce395cbc12677fef2bd52759eacdcc5bdde56c039b1a2e99c0b
SHA512: b81fb62ab27e7722bfcb386766ffa1d1eba05b8b03cd5d2160bb2570f87568381d923ac75017d785e1dec1685769023727f4280e27c2a69cde69772ca62e2a92
-
C:\Users\Admin\AppData\Local\Temp\tmp6B3E.bat
Filesize: 135B
MD5: 3016fa8eb92a85d6abf190b43df0ad62
SHA1: 335b8bc3d378dc6d8dd534715ccfa9f0bc6d8f61
SHA256: 5f9631d19b9629ff9e64b654da614bef046c74374f863266099c6cf029c4fd78
SHA512: e1d161ee5270097c4ee53c1493b333ba8f203b4b2b011b5d0b8b86666b7e8590860050c6543025de123793de436097d359c6af8de3b282aa07fc6fd6c12835b1
-
C:\Users\Admin\AppData\Local\Temp\tmp780E.tmp
Filesize: 98B
MD5: 9dabdbfaddfc26a09cfff304ee68172a
SHA1: 2417eef91cccd5c736146063dec26c20497b6c32
SHA256: a89681a1f82f2aaa1cc21492ca070dd217415f2adb1f94ab340453b13aeb12f4
SHA512: 22c3ff32f59eccd926cf774697cb1c0ea44b9a90adc1698090eac9a3d8ab07ff9414a968f3ecb0e820e69eccb0532074fac78e1883e9d5d8153a32019eea6722
-
C:\Users\Admin\AppData\Local\Temp\tmp783E.bat
Filesize: 84B
MD5: 628a42de069ca48429c331fab11c38a5
SHA1: 42489fc8bd566a52f288ac86f528d611562719cd
SHA256: 3b14ba2afddccff263078fe78d3eb6d91a5eb6e387155d31d8c7be34547bd50c
SHA512: 2202a14a5c8d0213833a7089067d1a44e929f9e2db7a78932658f65942128620af962eef8d4e8094baf38350b745168add0aad85c39f805eab0647827e2685d2
-
C:\Users\Admin\AppData\Local\Temp\tmp7FFD.tmp
Filesize: 98B
MD5: 9dabdbfaddfc26a09cfff304ee68172a
SHA1: 2417eef91cccd5c736146063dec26c20497b6c32
SHA256: a89681a1f82f2aaa1cc21492ca070dd217415f2adb1f94ab340453b13aeb12f4
SHA512: 22c3ff32f59eccd926cf774697cb1c0ea44b9a90adc1698090eac9a3d8ab07ff9414a968f3ecb0e820e69eccb0532074fac78e1883e9d5d8153a32019eea6722
-
C:\Users\Admin\AppData\Local\Temp\tmp802D.bat
Filesize: 82B
MD5: 8ef10a8c2c36fdff38efb2075055703e
SHA1: a76657695a67ab13bfb85620c20f210701891e4a
SHA256: 3116ba6301896284fbcef4718db4565f9b41e09d4db242dfcdc34011a827d4c3
SHA512: 5db71cca84a2e5c35e8627fcd0b90524e80c5f7509814f48e0514d0f2bf35b4804b1ee1b9adebf686ff78c56138a6649cd1c5709455e79585ce74cbdb63e54e0
-
C:\Users\Admin\AppData\Local\Temp\tmp8EB3.tmp
Filesize: 40B
MD5: 13015015dd907d28996153df14881252
SHA1: 532c595baae0a027d02d1b28d7b83d57350a310e
SHA256: 4499283166530ce395cbc12677fef2bd52759eacdcc5bdde56c039b1a2e99c0b
SHA512: b81fb62ab27e7722bfcb386766ffa1d1eba05b8b03cd5d2160bb2570f87568381d923ac75017d785e1dec1685769023727f4280e27c2a69cde69772ca62e2a92
-
C:\Users\Admin\AppData\Local\Temp\tmp8EE3.bat
Filesize: 121B
MD5: 6fc47a93471fd46bb041c1c9026c4f38
SHA1: 1180a678356a7788f3b532fa0a77876b5b69b2be
SHA256: 3b12ecfee67f9085a2f3db2f89a8d85f00324f689ac52e92c081f11652bc1261
SHA512: 327b909cee39a2ed2de272f9e7005b30b3d7518d8a741c79d4917eb0b9131cd681414f823b1e00ebf684ce37fc3cc9fed3320bed7a748e77ce163d1bb4a1d7f8
-
C:\Users\Admin\AppData\Local\Temp\tmp99D4.tmp
Filesize: 40B
MD5: 13015015dd907d28996153df14881252
SHA1: 532c595baae0a027d02d1b28d7b83d57350a310e
SHA256: 4499283166530ce395cbc12677fef2bd52759eacdcc5bdde56c039b1a2e99c0b
SHA512: b81fb62ab27e7722bfcb386766ffa1d1eba05b8b03cd5d2160bb2570f87568381d923ac75017d785e1dec1685769023727f4280e27c2a69cde69772ca62e2a92
-
C:\Users\Admin\AppData\Local\Temp\tmp99E4.bat
Filesize: 125B
MD5: 3ad42efc5edf0c597700ba83f7ebc7c7
SHA1: 1cd6f99db5ee25b3076687700e8156f45b4c4a79
SHA256: 815f0778517a07f0151059a397630f3f9a4a97d8cca937679284f4d8e46e5901
SHA512: ad45a6af0565a8274bdb9890695f395f5fe95593a40f88e00e11452ad771c0780d13211c629f07d431f5c057a5bc1b03ca56f45ff0f33738083836bae71e61af
-
C:\Users\Admin\AppData\Local\Temp\tmp9D1B.tmp
Filesize: 184B
MD5: 79e8cae3f52a85aa218ac4c90274f91d
SHA1: 30ae1a07b705f813099d4ae6dceb5469c1969065
SHA256: 62c532e6001ab9477f6d4e1ef41dbfae56554fe5fbbd07282968f3cc93a6e154
SHA512: 42ded5fd1b0829f57a98fbfc13831abe4e075b5b6d39f7e06d125a65ca82a9485314061733b184bfb4099f9808ccd6336817a07f37f319f545cc61d59c44a391
-
C:\Users\Admin\AppData\Local\Temp\tmp9D3B.bat
Filesize: 88B
MD5: b58b759eb3ecfc8efad88bd71f7667c8
SHA1: 94f2bb8d956a880715d3e2c23ab6af84b31a300b
SHA256: 8a4afca506e861f66e94eea5b5634a497adea7f3ad34cd0d992175b3e4a3a353
SHA512: f2e84c2225c3d6925985edcc73033424a193b2798729bc54ae48d8a92fd39a3444a819832b4a871c2dd9580ab45ed9a2f4c02f5f053ddccbeb68c38ac5fc27bd
-
C:\Users\Admin\AppData\Local\Temp\tmpBCFC.tmp
Filesize: 40B
MD5: 13015015dd907d28996153df14881252
SHA1: 532c595baae0a027d02d1b28d7b83d57350a310e
SHA256: 4499283166530ce395cbc12677fef2bd52759eacdcc5bdde56c039b1a2e99c0b
SHA512: b81fb62ab27e7722bfcb386766ffa1d1eba05b8b03cd5d2160bb2570f87568381d923ac75017d785e1dec1685769023727f4280e27c2a69cde69772ca62e2a92
-
C:\Users\Admin\AppData\Local\Temp\tmpBD0C.bat
Filesize: 131B
MD5: a51cfe4b92a8134ab452fbc24e62c03a
SHA1: 367ed585d552fc8a436b56dc243cf9d4c059940f
SHA256: 7ffa8c255fb86267a0d597f8b314fdac797feaabd353d8690f324a8a77c93ce2
SHA512: 6f800d4f98a6b45ec8a7ada83438d520598a5aa73e8ac1b0fc533e6b293b3186b1d94ec7b076e8e557556a655257ba5db676b6656d8b73540b7a6b9140f2c156
-
memory/32-217-0x0000000000000000-mapping.dmp
-
memory/208-156-0x0000000000000000-mapping.dmp
-
memory/220-218-0x0000000000000000-mapping.dmp
-
memory/360-198-0x0000000000000000-mapping.dmp
-
memory/376-185-0x0000000000000000-mapping.dmp
-
memory/384-240-0x0000000000000000-mapping.dmp
-
memory/440-301-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/620-287-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/620-286-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/664-248-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/664-249-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/912-230-0x0000000000000000-mapping.dmp
-
memory/980-207-0x0000000000000000-mapping.dmp
-
memory/1072-243-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1072-242-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1200-222-0x0000000000000000-mapping.dmp
-
memory/1204-190-0x0000000000000000-mapping.dmp
-
memory/1324-200-0x0000000000000000-mapping.dmp
-
memory/1480-225-0x0000000000000000-mapping.dmp
-
memory/1480-227-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1492-164-0x0000000000000000-mapping.dmp
-
memory/1516-166-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1516-171-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1516-162-0x0000000000000000-mapping.dmp
-
memory/1596-257-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1600-144-0x0000000000000000-mapping.dmp
-
memory/1664-296-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1664-297-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1680-161-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1680-153-0x0000000000000000-mapping.dmp
-
memory/1680-155-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1716-158-0x0000000000000000-mapping.dmp
-
memory/1788-199-0x0000000000000000-mapping.dmp
-
memory/1788-274-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1856-237-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1856-238-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/1856-235-0x0000000000000000-mapping.dmp
-
memory/2040-267-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/2164-228-0x0000000000000000-mapping.dmp
-
memory/2336-255-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/2336-283-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/2336-284-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/2340-262-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/2340-261-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/2344-150-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/2344-147-0x0000000000000000-mapping.dmp
-
memory/2344-165-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/2348-151-0x0000000000000000-mapping.dmp
-
memory/2452-186-0x0000000000000000-mapping.dmp
-
memory/2488-213-0x0000000000000000-mapping.dmp
-
memory/2556-299-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/2656-184-0x0000000000000000-mapping.dmp
-
memory/2712-239-0x0000000000000000-mapping.dmp
-
memory/3100-269-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/3124-136-0x0000000000000000-mapping.dmp
-
memory/3136-143-0x0000000000000000-mapping.dmp
-
memory/3372-178-0x0000000000000000-mapping.dmp
-
memory/3488-196-0x0000000000000000-mapping.dmp
-
memory/3632-201-0x0000000000000000-mapping.dmp
-
memory/3636-246-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/3636-245-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/3680-145-0x0000000000000000-mapping.dmp
-
memory/3792-137-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/3792-135-0x000001D9FF720000-0x000001D9FF742000-memory.dmp
Filesize: 136KB
-
memory/3792-138-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/3792-134-0x0000000000000000-mapping.dmp
-
memory/3852-214-0x0000000000000000-mapping.dmp
-
memory/3852-216-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/3904-291-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/3912-187-0x0000000000000000-mapping.dmp
-
memory/3912-189-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/3956-133-0x0000000000000000-mapping.dmp
-
memory/3956-195-0x0000000000000000-mapping.dmp
-
memory/4056-169-0x0000000000000000-mapping.dmp
-
memory/4060-271-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4060-272-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4104-224-0x0000000000000000-mapping.dmp
-
memory/4124-265-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4124-264-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4232-132-0x0000000000000000-mapping.dmp
-
memory/4264-172-0x0000000000000000-mapping.dmp
-
memory/4284-275-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4284-277-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4284-251-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4288-259-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4296-233-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4296-293-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4296-173-0x0000000000000000-mapping.dmp
-
memory/4296-234-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4296-294-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4296-231-0x0000000000000000-mapping.dmp
-
memory/4344-281-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4344-278-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4348-146-0x0000000000000000-mapping.dmp
-
memory/4376-193-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4376-194-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4376-191-0x0000000000000000-mapping.dmp
-
memory/4380-152-0x0000000000000000-mapping.dmp
-
memory/4492-183-0x0000000000000000-mapping.dmp
-
memory/4548-197-0x0000000000000000-mapping.dmp
-
memory/4584-219-0x0000000000000000-mapping.dmp
-
memory/4584-221-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4596-211-0x0000000000000000-mapping.dmp
-
memory/4628-229-0x0000000000000000-mapping.dmp
-
memory/4720-174-0x0000000000000000-mapping.dmp
-
memory/4720-175-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4720-177-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4744-168-0x0000000000000000-mapping.dmp
-
memory/4744-223-0x0000000000000000-mapping.dmp
-
memory/4748-142-0x0000000000000000-mapping.dmp
-
memory/4760-179-0x0000000000000000-mapping.dmp
-
memory/4760-181-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4760-182-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4780-289-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/4784-140-0x0000000000000000-mapping.dmp
-
memory/4852-141-0x0000000000000000-mapping.dmp
-
memory/4888-202-0x0000000000000000-mapping.dmp
-
memory/4976-212-0x0000000000000000-mapping.dmp
-
memory/5012-303-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/5016-253-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/5016-210-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/5016-208-0x0000000000000000-mapping.dmp
-
memory/5016-280-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/5016-139-0x0000000000000000-mapping.dmp
-
memory/5020-206-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/5020-205-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp
Filesize: 10.8MB
-
memory/5020-203-0x0000000000000000-mapping.dmp
-
memory/5108-159-0x0000000000000000-mapping.dmp