Analysis
-
max time kernel
91s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
04-11-2022 19:52
General
-
Target
disable_defender.bat
-
Size
134KB
-
MD5
e430435cb58bf4b32f6c34662bf2399c
-
SHA1
68ef170abe380c4a9827abeaf37e3d9e8392b23b
-
SHA256
ed9d9ca4e442cb52d81a61dbc3d9d613785b929a6536623fa5c0666edbf22f55
-
SHA512
6819be2bac9e1701c62b0409328998db2ab828540334c7567d467879bc2907bb37a3ff8bea115b7d4fca8b1eaed1e63a4d9ab607af3edcb726b5412dbbd80d03
-
SSDEEP
1536:N9qlzR+K/otrK/o5gINROhPCWi/uQ5t6s0Q9x32cqmWr8igtUdwy6HT3OcK/o3+e:N9qlc91N277c66t
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 20 IoCs
-
Modifies Windows Defender notification settings 3 TTPs 4 IoCs
-
Modifies firewall policy service 2 TTPs 8 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies registry class 13 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\disable_defender.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\fltMC.exefltmc2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "if(!(Get-Command 'netsh' -ErrorAction Ignore)) {; throw '"""netsh""" does not exist, is system installed correctly?'; }; $message=netsh advfirewall set allprofiles state off 2>&1; if($?) {; Write-Host """Successfully disabled firewall."""; } else {; if($message -like '*Firewall service*') {; Write-Warning 'Cannot use CLI because MpsSvc or MpsDrv is not running. Try to enable them (revert) -> reboot -> re-run this?'; } else {; throw """Cannot disable: $message"""; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f2⤵
- Modifies firewall policy service
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'PUAProtection'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -PUAProtection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\Features""" /v """TamperProtection""" /t REG_DWORD /d """4""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\Features""" /v """TamperProtectionSource""" /t REG_DWORD /d """2""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "EnableFileHashComputation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableAutoExclusions'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableAutoExclusions $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableBlockAtFirstSeen'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableBlockAtFirstSeen $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpBafsExtendedTimeout" /t REG_DWORD /d 50 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpCloudBlockLevel" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureDisableNotification" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'MAPSReporting'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -MAPSReporting $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SubmitSamplesConsent'; $value = '2'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SubmitSamplesConsent $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "RealtimeSignatureDelivery" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection" /v "EnableNetworkProtection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "DisableSignatureRetirement" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRealtimeMonitoring'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRealtimeMonitoring $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS" /v "ThrottleDetectionEventsRate" /t REG_DWORD /d "10000000" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\NIS" /v "DisableProtocolRecognition" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access" /v "EnableControlledFolderAccess" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableIntrusionPreventionSystem'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableIntrusionPreventionSystem $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableInformationProtectionControl" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableBehaviorMonitoring'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableBehaviorMonitoring $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRawWriteNotification" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableIOAVProtection'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableIOAVProtection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "IOAVMaxSize" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RealTimeScanDirection'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RealTimeScanDirection $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "RealTimeScanDirection" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Remediation" /v "Scan_ScheduleDay" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RemediationScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RemediationScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'UnknownThreatDefaultAction'; $value = '9'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -UnknownThreatDefaultAction $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "3" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "2" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'QuarantinePurgeItemsAfterDelay'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -QuarantinePurgeItemsAfterDelay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "4" /t "REG_SZ" /d "9" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'CheckForSignaturesBeforeRunningScan'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -CheckForSignaturesBeforeRunningScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "CheckForSignaturesBeforeRunningScan" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRestorePoint'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRestorePoint $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRestorePoint" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanPurgeItemsAfterDelay'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanPurgeItemsAfterDelay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCatchupFullScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCatchupFullScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "MissedScheduledScanCountBeforeCatchup" /t REG_DWORD /d "20" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "PurgeItemsAfterDelay" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupFullScan" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCatchupQuickScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCatchupQuickScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCatchupQuickScan" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableHeuristics" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanOnlyIfIdleEnabled'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanOnlyIfIdleEnabled $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanOnlyIfIdle" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanAvgCPULoadFactor'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanAvgCPULoadFactor $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "AvgCPULoadFactor" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableCpuThrottleOnIdleScans'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableCpuThrottleOnIdleScans $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableCpuThrottleOnIdleScans" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableEmailScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableEmailScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScriptScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScriptScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableEmailScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableReparsePointScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScanningMappedNetworkDrivesForFullScan'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScanningMappedNetworkDrivesForFullScan $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningMappedNetworkDrivesForFullScan" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableScanningNetworkFiles" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableScanningNetworkFiles'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableScanningNetworkFiles $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisablePackedExeScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableRemovableDriveScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableRemovableDriveScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableRemovableDriveScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "DisableArchiveScanning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableArchiveScanning'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableArchiveScanning $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxSize" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScheduleDay" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ArchiveMaxDepth" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'RandomizeScheduleTaskTimes'; $value = $False; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -RandomizeScheduleTaskTimes $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'ScanParameters'; $value = '1'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -ScanParameters $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "ScanParameters" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScanOnUpdate" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisableGradualRelease'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisableGradualRelease $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Scan" /v "QuickScanInterval" /t REG_DWORD /d "24" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'EngineUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -EngineUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'PlatformUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -PlatformUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DefinitionUpdatesChannel'; $value = 'Broad'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DefinitionUpdatesChannel $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableScheduledSignatureUpdateOnBattery" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureUpdateCatchupInterval'; $value = '0'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureUpdateCatchupInterval $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateCatchupInterval" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "UpdateOnStartUp" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "AVSignatureDue" /t REG_DWORD /d 4294967295 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "DisableUpdateOnStartupWithoutEngine" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureDisableUpdateOnStartupWithoutEngine'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureDisableUpdateOnStartupWithoutEngine $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ASSignatureDue" /t REG_DWORD /d 4294967295 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureScheduleDay'; $value = '8'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureScheduleDay $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "ScheduleDay" /t REG_DWORD /d "8" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "SignatureUpdateInterval" /t REG_DWORD /d 24 /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'SignatureUpdateInterval'; $value = '24'; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -SignatureUpdateInterval $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /v "Enabled" /t Reg_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericRePorts" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v "Enabled" /t Reg_DWORD /d 0 /f2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\AppHVSI" /v "AuditApplicationGuard" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v "HideSystray" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}\InprocServer32" /va /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers" /v "EPP" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers" /v "EPP" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" /v "InprocServer32" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "WppTracingLevel" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$propertyName = 'DisablePrivacyMode'; $value = $True; if((Get-MpPreference -ErrorAction Ignore).$propertyName -eq $value) {; Write-Host """Skipping. `"""$propertyName`""" is already `"""$value`""" as desired."""; exit 0; }; $command = Get-Command 'Set-MpPreference' -ErrorAction Ignore; if (!$command) {; Write-Warning 'Skipping. Command not found: """Set-MpPreference""".'; exit 0; }; if(!$command.Parameters.Keys.Contains($propertyName)) {; Write-Host """Skipping. `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; }; try {; Invoke-Expression """$($command.Name) -Force -$propertyName `$value -ErrorAction Stop"""; Set-MpPreference -Force -DisablePrivacyMode $value -ErrorAction Stop; Write-Host """Successfully set `"""$propertyName`""" to `"""$value`"""."""; exit 0; } catch {; if ( $_.FullyQualifiedErrorId -like '*0x800106ba*') {; Write-Warning """Cannot $($command.Name): Defender service (WinDefend) is not running. Try to enable it (revert) and re-run this?"""; exit 0; } elseif (($_ | Out-String) -like '*Cannot convert*') {; Write-Host """Skipping. Argument `"""$value`""" for property `"""$propertyName`""" is not supported for `"""$($command.Name)`"""."""; exit 0; } else {; Write-Error """Failed to set using $($command.Name): $_"""; exit 1; }; }"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers" /v "EPP" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateDownloadLocation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "CheckAlternateHttpLocation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration""" /v """DisablePrivacyMode""" /t REG_DWORD /d """1""" /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and health" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network protection" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableClearTpmButton" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideTPMTroubleshooting" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "HideSecureBoot" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "UILockdown" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security" /v "DisableTpmFirmwareUpdateWarning" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "SuppressRebootNotification" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender notification settings
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'MpsSvc'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d "1" /f2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protection" /v "HideRansomwareRecovery" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\system32\mpssvc.dll"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WinDefend""" >nul & sc config """WinDefend""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\mpssvc.dll" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdNisSvc""" >nul & sc config """WdNisSvc""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'Sense'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'reg add """HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService""" /v Start /t REG_DWORD /d 4 /f'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceQuery = 'mpsdrv'; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceQuery -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service query `"""$serviceQuery`""" did not yield any results, no need to disable it."""; Exit 0; }; $serviceName = $service.Name; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, trying to stop it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if service info is not found in registry #>; $registryKey = """HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"""; if(!(Test-Path $registryKey)) {; Write-Host """`"""$registryKey`""" is not found in registry, cannot enable it."""; Exit 0; }; <# -- 4. Skip if already disabled #>; if( $(Get-ItemProperty -Path """$registryKey""").Start -eq 4) {; Write-Host """`"""$serviceName`""" is already disabled from start, no further action is needed."""; Exit 0; }; <# -- 5. Disable service #>; try {; Set-ItemProperty $registryKey -Name Start -Value 4 -Force -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\drivers\mpsdrv.sys"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\drivers\mpsdrv.sys" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'net stop """WdNisDrv""" /yes >nul & sc config """WdNisDrv""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdFilter""" >nul & sc config """WdFilter""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$command = 'sc stop """WdBoot""" >nul & sc config """WdBoot""" start=disabled'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try {; $batchFile = Rename-Item $batchFile """$($batchFile.BaseName).bat""" -PassThru; """@echo off`r`n$command`r`nexit 0""" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn """$taskName""" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument """cmd /c `"""$batchFile`""" > $streamOutFile 2>&1"""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try {; ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host """Running as $trustedInstallerName"""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {; Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) {; Write-Warning """Skipping results, it took so long to execute script."""; break;; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) {; Write-Error """Failed to execute with exit code: $result."""; }; } finally {; schtasks.exe /delete /tn """$taskName""" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally {; Remove-Item $streamOutFile, $batchFile; }"2⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /delete /tn "privacy.sexy invoke" /f3⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "ShellSmartScreenLevel" /t REG_SZ /d "Warn" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenPuaEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵
- Modifies registry class
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t REG_DWORD /d "0" /f2⤵
- Modifies registry class
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PreventSmartScreenPromptOverride" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" /v "2301" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t "REG_DWORD" /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t "REG_DWORD" /d "2" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallDay" /t "REG_DWORD" /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "ScheduledInstallTime" /t "REG_DWORD" /d "3" /f2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'UsoSvc'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"2⤵
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp99E4.bat" > C:\Users\Admin\AppData\Local\Temp\tmp99D4.tmp 2>&11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmpBD0C.bat" > C:\Users\Admin\AppData\Local\Temp\tmpBCFC.tmp 2>&11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp6B3E.bat" > C:\Users\Admin\AppData\Local\Temp\tmp6B1E.tmp 2>&11⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp783E.bat" > C:\Users\Admin\AppData\Local\Temp\tmp780E.tmp 2>&11⤵
-
C:\Windows\system32\sc.exesc stop "WinDefend"2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config "WinDefend" start=disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp802D.bat" > C:\Users\Admin\AppData\Local\Temp\tmp7FFD.tmp 2>&11⤵
-
C:\Windows\system32\sc.exesc stop "WdNisSvc"2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config "WdNisSvc" start=disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp8EE3.bat" > C:\Users\Admin\AppData\Local\Temp\tmp8EB3.tmp 2>&11⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f2⤵
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmp9D3B.bat" > C:\Users\Admin\AppData\Local\Temp\tmp9D1B.tmp 2>&11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\net.exenet stop "WdNisDrv" /yes2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WdNisDrv" /yes3⤵
-
C:\Windows\system32\sc.exesc config "WdNisDrv" start=disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmpA857.bat" > C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp 2>&11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Modifies Windows Defender notification settings
-
C:\Windows\system32\sc.exesc stop "WdFilter"2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config "WdFilter" start=disabled2⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.execmd.exe cmd /c "C:\Users\Admin\AppData\Local\Temp\tmpB3C0.bat" > C:\Users\Admin\AppData\Local\Temp\tmpB381.tmp 2>&11⤵
-
C:\Windows\system32\sc.exesc stop "WdBoot"2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc config "WdBoot" start=disabled2⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD508f9f3eb63ff567d1ee2a25e9bbf18f0
SHA16bf06056d1bb14c183490caf950e29ac9d73643a
SHA25682147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58f3040f26e17b8ad601db22eb9da9111
SHA16fe1bda64a2a0c1d0ac14ba6a0bd1ed6632e00bb
SHA25637ed726be97668bad04d9c0a4b7ce8bfd209308740ad6125ef8c0bd3c9494abe
SHA51279e5c6ada2fd8dd9bec71b32c3f63c9261d57d19b2638e0aed0aac5d90e02a7ca62ac201e861b53c96c407496d461ed2e028ec3335ae0e87a58fe368f1630cfc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51d6896c4c7da2a126b582f2a22782498
SHA19ff9b706e69ff4e918a4a67a577eaf9ba0da01a4
SHA25659e8f1a75432dc4a0fdd84c2d6fdcb0c6b380e00a23274f1589f6101402b0ed0
SHA5126213d1e1f377dfda437fe22b117ec9d2a4d1e49c55f350e0818e01625f61a30fbe2d652790e69ab1aadc84c42f6ae7ce69566741827ec048369b4023d1c29823
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5152c62350ba0b7093738773845530b06
SHA1ee1832530b5c2f3db58c5d3cd95afa36a9c56b9b
SHA25604ac6c0e1b3e37ff272ddf0b5e091df4c1db85c30f99bbfe2bc800ff01d944df
SHA512ae28547c76f8d003771a041fc18926e0e4305ee208ab02974d25ddbdac77e92957dbbfb59374c78a62c9d08547c26a893160d044e6394fa337ea41b1114e9808
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD502a1a26525c65a359d41483180eaa6f7
SHA1c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536fea3c7bd7bf5f15ee1a748daae1f24
SHA1c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA5126ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f5f268a3d8760169bde3db6e00da5e6c
SHA100dc2443a967bf09147612f53ea5fc6a2cfb0b40
SHA256b0f800d487f826601ef6a21ddd141c41d57182c1601e2adf1c0132b98c8d73b5
SHA512c067de9cfefea861a08a29a1b10bcf93d360ec555bdd9fd24fb8f6ce6be432961a1acc4ccef786e953d86ef836db27fdef5fd5951930edd00e1c4fcfa3a9d67e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD502a1a26525c65a359d41483180eaa6f7
SHA1c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536fea3c7bd7bf5f15ee1a748daae1f24
SHA1c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA5126ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536fea3c7bd7bf5f15ee1a748daae1f24
SHA1c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA5126ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536fea3c7bd7bf5f15ee1a748daae1f24
SHA1c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA5126ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e1fb26de120faadab3c093b78644964f
SHA1bb587dd3b1ad8384b6d612bc4bb806f41562982f
SHA256e1ce351162cae7e8671f980192da54b8440d309985687d8eef56fec0b3180a85
SHA5126e4d18e9506e72f90aea0c93d190b9817566bbbfa2409c1ae6ca98c2b81f8a2bd4204270ce951444d49dfc85c9f1b913952afe6b8fceea918dd97006cf322518
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD502a1a26525c65a359d41483180eaa6f7
SHA1c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD575b4b2eecda41cec059c973abb1114c0
SHA111dadf4817ead21b0340ce529ee9bbd7f0422668
SHA2565540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA51287feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536fea3c7bd7bf5f15ee1a748daae1f24
SHA1c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA5126ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD575b4b2eecda41cec059c973abb1114c0
SHA111dadf4817ead21b0340ce529ee9bbd7f0422668
SHA2565540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA51287feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD575b4b2eecda41cec059c973abb1114c0
SHA111dadf4817ead21b0340ce529ee9bbd7f0422668
SHA2565540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA51287feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536fea3c7bd7bf5f15ee1a748daae1f24
SHA1c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA5126ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD57acd834bec540dce186bea234404e6de
SHA141d9ba20141beb093f5b5e4b1d1a2e68655f76da
SHA25680bc7eeffe4fe50e0a74fc9d5bc6d451161504af995bbe822bfa5b63c30ec601
SHA512f4097f2c8f787663a67f1826c0df6656d0bb5ee01bf5adaf59cebe7e16da0d8246c707ec0c721f2d921310deb6ecd863424ea1ebad662c4dd72d5788d3e4e290
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD575b4b2eecda41cec059c973abb1114c0
SHA111dadf4817ead21b0340ce529ee9bbd7f0422668
SHA2565540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134
SHA51287feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD502a1a26525c65a359d41483180eaa6f7
SHA1c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54b25154ab577f1b4ea3d21bf50fd98d7
SHA1c090af4774e83d67c9f77d5049caa72339f20b78
SHA256dc6cdea40271ac60b15363c4354c5c89078e892cb0732be22fbc026deb5f689d
SHA512a8a9b4ccee60a6ca8645189008b608a8102dd5cd1aa95fa519b62484cff791130e34b2361f840066b7dac96db93c2863fc5fdbde614f9518374cb7064cc30953
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD502a1a26525c65a359d41483180eaa6f7
SHA1c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD502a1a26525c65a359d41483180eaa6f7
SHA1c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD502a1a26525c65a359d41483180eaa6f7
SHA1c0e2578b92d20e925c1c87016d1a9fccee1ec56f
SHA256d0ec351493bdbc6cb94990b162bb8be5b0217277cc55ae12aa3c7ea704cdbc6e
SHA512d3271137241553f8316fcfc94dcf88c2887ee7bb0babddb4c1666fb5ae821a28425400299281422a4ebeb1f4c7369443b839d10f182279504bbba5f2f1cd94c2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536fea3c7bd7bf5f15ee1a748daae1f24
SHA1c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA5126ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD593cb4762051c76ef612cb1d1d3d2239b
SHA1422e15da3533916c8c202f10419ae256d3294b98
SHA2562a71d735c4783ea63445e7a9edbed8d284dd0127a97419e7274aac2c14bfe6c1
SHA512dd125954450fcd5eb4804852478b8d2356c60ad03441996aff0163b293fe5f40d3cf5c3130690896c0cf12d7f48c3d36a0bbed5a996413d4672a706a83852b34
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536fea3c7bd7bf5f15ee1a748daae1f24
SHA1c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA5126ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD561ad12851f296507524bc2d70ed4a928
SHA11c083f0edadf5e7d6f4efec6ffea44bfc57d9656
SHA25671bdb47e552049516c76f9fe8fe67018a4f3a27b82682e73efe8814f6feb1094
SHA5120f50008a39d9416d3efcf2bf2f36997330f532fb690bfcef9660d0a49c2b740806b6744959d8134148e51a240b671af0e39570532278dd207e9d9abeab71fb23
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD536fea3c7bd7bf5f15ee1a748daae1f24
SHA1c5e0122744a61d18b64126bf35374e29ecfe7553
SHA256bec6c6166fb67f7866ad5dad460b9212b3fe6a2f909638ec9abe465c6199ade4
SHA5126ded68570e0234e985f5a58307e25f94e9980de39d306e16ab02d89f67b701c129ac740f48bc7f22a5befe78cbfe56bd76a31a12d17ffc973be1a8a3079de4c1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD566898dbf1d1f32af63256328731f2c9e
SHA121f5828b21fae6d81e57a11e113440c95e1752de
SHA256258ea4ccbc181f6b86d3a819981d9cf526950f1aa7517b12cda14b856aad8c90
SHA51265ab1f1224ba418a733b6fe9aecead3c97cb92bf236ffddd77ab70361d81d3d02c24e45c7db1019724d52a0556e2248ed23f696cb49b970efce0bba1666b5e94
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD50917d0135cdf3e553fcc13dc5c8315d6
SHA1da45cc5fa86ab25bfdeb0b54a09b9ea47413b6b3
SHA2561c36c4e7036fbc38a4b5bd412975a03dd0917d285a599c2885d2c61d98927492
SHA512776de122588d678b467876339800ca08884d9568a2acfc11390c488214a2a540f3fa10854311bf21fb2dda2e069220d16f422b097f20b45981f0a0c448b1172c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b591dabf3d165412ca5160b0fc9f7a0
SHA17f4003f64d280a98099a799b7303ab94adfea747
SHA256d90968baa89063686e83e4514b0b0341f703aefec3e00f63020a344763e92f60
SHA51257aaed079e38c08f0fe05aec21c02c84a7ed80780e796a5944227d5f17439a1b4378004931512965445826457f30488ec8f173b199e0e5374d4828c43a7e8af5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD59e1c88335b2e7e17ee2088c29be44125
SHA12942039db622f5683c8273b1952fbe9b4071560b
SHA2569727800fe334f3bd85422c0a34237a46ddba4e2c7daa9e71459934346e454bce
SHA5127895b35f842a988d135c504a30b80578f8414da7bec7d091021dc5c01e76fdc5ae783a6f31bee880efd332d02eb6a0ea7df11f7f8dccbe83f6dc1d5490287975
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54736cfe1a1af9bf38a4dac453690b773
SHA1e4f25d47f7d5342259f100bd8daf9f29956846e8
SHA256327c8466f59c70eec25ca39c2f15846c7cb862328e30ced0a3654d3ec113c6f6
SHA512d77676db6c482cc9e4f369dce8922c7764b1c11191d6ea480d458a227b22148578b2863d265da68ab20161e9e765406e32b0ea675f7b372914d94ff153c4144b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5152c62350ba0b7093738773845530b06
SHA1ee1832530b5c2f3db58c5d3cd95afa36a9c56b9b
SHA25604ac6c0e1b3e37ff272ddf0b5e091df4c1db85c30f99bbfe2bc800ff01d944df
SHA512ae28547c76f8d003771a041fc18926e0e4305ee208ab02974d25ddbdac77e92957dbbfb59374c78a62c9d08547c26a893160d044e6394fa337ea41b1114e9808
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c6b29e43ed80d889b3ffa1387797c22b
SHA18623f793db4401197f98b11bf7a5246ee09ddd55
SHA2569516d609d0ebfb6f35bc87171de5712aca2d5ab680c2594f795ce67ac14e2b93
SHA5125be9b41197b552affa5e003358e9fa77ba6b8c3e36c241e8a8cba3036420bbca74c695f1123bcc9d0d59a945f3e0f79a1744cbf54133faa8be27979e827529cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5dfcfbbe4ed41fafc0e9e9f432da33452
SHA12a7355283a4e8838683d6cea4896631d26fac082
SHA256b0d3194cf003906de3e757dcbd5a402682d61c5b2b3806ba54c2564de697039e
SHA51274c0f6f72a539c6bb714161e30ae664a67f40c230fa00a29022720b8c15b6e46e7414924bdc1032634ef8db3e01f801737d0d532f1a1abef49b8131f2aa4de64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c6b29e43ed80d889b3ffa1387797c22b
SHA18623f793db4401197f98b11bf7a5246ee09ddd55
SHA2569516d609d0ebfb6f35bc87171de5712aca2d5ab680c2594f795ce67ac14e2b93
SHA5125be9b41197b552affa5e003358e9fa77ba6b8c3e36c241e8a8cba3036420bbca74c695f1123bcc9d0d59a945f3e0f79a1744cbf54133faa8be27979e827529cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD54736cfe1a1af9bf38a4dac453690b773
SHA1e4f25d47f7d5342259f100bd8daf9f29956846e8
SHA256327c8466f59c70eec25ca39c2f15846c7cb862328e30ced0a3654d3ec113c6f6
SHA512d77676db6c482cc9e4f369dce8922c7764b1c11191d6ea480d458a227b22148578b2863d265da68ab20161e9e765406e32b0ea675f7b372914d94ff153c4144b
-
C:\Users\Admin\AppData\Local\Temp\tmp6B1E.tmpFilesize
40B
MD513015015dd907d28996153df14881252
SHA1532c595baae0a027d02d1b28d7b83d57350a310e
SHA2564499283166530ce395cbc12677fef2bd52759eacdcc5bdde56c039b1a2e99c0b
SHA512b81fb62ab27e7722bfcb386766ffa1d1eba05b8b03cd5d2160bb2570f87568381d923ac75017d785e1dec1685769023727f4280e27c2a69cde69772ca62e2a92
-
C:\Users\Admin\AppData\Local\Temp\tmp6B3E.batFilesize
135B
MD53016fa8eb92a85d6abf190b43df0ad62
SHA1335b8bc3d378dc6d8dd534715ccfa9f0bc6d8f61
SHA2565f9631d19b9629ff9e64b654da614bef046c74374f863266099c6cf029c4fd78
SHA512e1d161ee5270097c4ee53c1493b333ba8f203b4b2b011b5d0b8b86666b7e8590860050c6543025de123793de436097d359c6af8de3b282aa07fc6fd6c12835b1
-
C:\Users\Admin\AppData\Local\Temp\tmp780E.tmpFilesize
98B
MD59dabdbfaddfc26a09cfff304ee68172a
SHA12417eef91cccd5c736146063dec26c20497b6c32
SHA256a89681a1f82f2aaa1cc21492ca070dd217415f2adb1f94ab340453b13aeb12f4
SHA51222c3ff32f59eccd926cf774697cb1c0ea44b9a90adc1698090eac9a3d8ab07ff9414a968f3ecb0e820e69eccb0532074fac78e1883e9d5d8153a32019eea6722
-
C:\Users\Admin\AppData\Local\Temp\tmp783E.batFilesize
84B
MD5628a42de069ca48429c331fab11c38a5
SHA142489fc8bd566a52f288ac86f528d611562719cd
SHA2563b14ba2afddccff263078fe78d3eb6d91a5eb6e387155d31d8c7be34547bd50c
SHA5122202a14a5c8d0213833a7089067d1a44e929f9e2db7a78932658f65942128620af962eef8d4e8094baf38350b745168add0aad85c39f805eab0647827e2685d2
-
C:\Users\Admin\AppData\Local\Temp\tmp7FFD.tmpFilesize
98B
MD59dabdbfaddfc26a09cfff304ee68172a
SHA12417eef91cccd5c736146063dec26c20497b6c32
SHA256a89681a1f82f2aaa1cc21492ca070dd217415f2adb1f94ab340453b13aeb12f4
SHA51222c3ff32f59eccd926cf774697cb1c0ea44b9a90adc1698090eac9a3d8ab07ff9414a968f3ecb0e820e69eccb0532074fac78e1883e9d5d8153a32019eea6722
-
C:\Users\Admin\AppData\Local\Temp\tmp802D.batFilesize
82B
MD58ef10a8c2c36fdff38efb2075055703e
SHA1a76657695a67ab13bfb85620c20f210701891e4a
SHA2563116ba6301896284fbcef4718db4565f9b41e09d4db242dfcdc34011a827d4c3
SHA5125db71cca84a2e5c35e8627fcd0b90524e80c5f7509814f48e0514d0f2bf35b4804b1ee1b9adebf686ff78c56138a6649cd1c5709455e79585ce74cbdb63e54e0
-
C:\Users\Admin\AppData\Local\Temp\tmp8EB3.tmpFilesize
40B
MD513015015dd907d28996153df14881252
SHA1532c595baae0a027d02d1b28d7b83d57350a310e
SHA2564499283166530ce395cbc12677fef2bd52759eacdcc5bdde56c039b1a2e99c0b
SHA512b81fb62ab27e7722bfcb386766ffa1d1eba05b8b03cd5d2160bb2570f87568381d923ac75017d785e1dec1685769023727f4280e27c2a69cde69772ca62e2a92
-
C:\Users\Admin\AppData\Local\Temp\tmp8EE3.batFilesize
121B
MD56fc47a93471fd46bb041c1c9026c4f38
SHA11180a678356a7788f3b532fa0a77876b5b69b2be
SHA2563b12ecfee67f9085a2f3db2f89a8d85f00324f689ac52e92c081f11652bc1261
SHA512327b909cee39a2ed2de272f9e7005b30b3d7518d8a741c79d4917eb0b9131cd681414f823b1e00ebf684ce37fc3cc9fed3320bed7a748e77ce163d1bb4a1d7f8
-
C:\Users\Admin\AppData\Local\Temp\tmp99D4.tmpFilesize
40B
MD513015015dd907d28996153df14881252
SHA1532c595baae0a027d02d1b28d7b83d57350a310e
SHA2564499283166530ce395cbc12677fef2bd52759eacdcc5bdde56c039b1a2e99c0b
SHA512b81fb62ab27e7722bfcb386766ffa1d1eba05b8b03cd5d2160bb2570f87568381d923ac75017d785e1dec1685769023727f4280e27c2a69cde69772ca62e2a92
-
C:\Users\Admin\AppData\Local\Temp\tmp99E4.batFilesize
125B
MD53ad42efc5edf0c597700ba83f7ebc7c7
SHA11cd6f99db5ee25b3076687700e8156f45b4c4a79
SHA256815f0778517a07f0151059a397630f3f9a4a97d8cca937679284f4d8e46e5901
SHA512ad45a6af0565a8274bdb9890695f395f5fe95593a40f88e00e11452ad771c0780d13211c629f07d431f5c057a5bc1b03ca56f45ff0f33738083836bae71e61af
-
C:\Users\Admin\AppData\Local\Temp\tmp9D1B.tmpFilesize
184B
MD579e8cae3f52a85aa218ac4c90274f91d
SHA130ae1a07b705f813099d4ae6dceb5469c1969065
SHA25662c532e6001ab9477f6d4e1ef41dbfae56554fe5fbbd07282968f3cc93a6e154
SHA51242ded5fd1b0829f57a98fbfc13831abe4e075b5b6d39f7e06d125a65ca82a9485314061733b184bfb4099f9808ccd6336817a07f37f319f545cc61d59c44a391
-
C:\Users\Admin\AppData\Local\Temp\tmp9D3B.batFilesize
88B
MD5b58b759eb3ecfc8efad88bd71f7667c8
SHA194f2bb8d956a880715d3e2c23ab6af84b31a300b
SHA2568a4afca506e861f66e94eea5b5634a497adea7f3ad34cd0d992175b3e4a3a353
SHA512f2e84c2225c3d6925985edcc73033424a193b2798729bc54ae48d8a92fd39a3444a819832b4a871c2dd9580ab45ed9a2f4c02f5f053ddccbeb68c38ac5fc27bd
-
C:\Users\Admin\AppData\Local\Temp\tmpBCFC.tmpFilesize
40B
MD513015015dd907d28996153df14881252
SHA1532c595baae0a027d02d1b28d7b83d57350a310e
SHA2564499283166530ce395cbc12677fef2bd52759eacdcc5bdde56c039b1a2e99c0b
SHA512b81fb62ab27e7722bfcb386766ffa1d1eba05b8b03cd5d2160bb2570f87568381d923ac75017d785e1dec1685769023727f4280e27c2a69cde69772ca62e2a92
-
C:\Users\Admin\AppData\Local\Temp\tmpBD0C.batFilesize
131B
MD5a51cfe4b92a8134ab452fbc24e62c03a
SHA1367ed585d552fc8a436b56dc243cf9d4c059940f
SHA2567ffa8c255fb86267a0d597f8b314fdac797feaabd353d8690f324a8a77c93ce2
SHA5126f800d4f98a6b45ec8a7ada83438d520598a5aa73e8ac1b0fc533e6b293b3186b1d94ec7b076e8e557556a655257ba5db676b6656d8b73540b7a6b9140f2c156
-
memory/32-217-0x0000000000000000-mapping.dmp
-
memory/208-156-0x0000000000000000-mapping.dmp
-
memory/220-218-0x0000000000000000-mapping.dmp
-
memory/360-198-0x0000000000000000-mapping.dmp
-
memory/376-185-0x0000000000000000-mapping.dmp
-
memory/384-240-0x0000000000000000-mapping.dmp
-
memory/440-301-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/620-287-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/620-286-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/664-248-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/664-249-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/912-230-0x0000000000000000-mapping.dmp
-
memory/980-207-0x0000000000000000-mapping.dmp
-
memory/1072-243-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1072-242-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1200-222-0x0000000000000000-mapping.dmp
-
memory/1204-190-0x0000000000000000-mapping.dmp
-
memory/1324-200-0x0000000000000000-mapping.dmp
-
memory/1480-225-0x0000000000000000-mapping.dmp
-
memory/1480-227-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1492-164-0x0000000000000000-mapping.dmp
-
memory/1516-166-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1516-171-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1516-162-0x0000000000000000-mapping.dmp
-
memory/1596-257-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1600-144-0x0000000000000000-mapping.dmp
-
memory/1664-296-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1664-297-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1680-161-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1680-153-0x0000000000000000-mapping.dmp
-
memory/1680-155-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1716-158-0x0000000000000000-mapping.dmp
-
memory/1788-199-0x0000000000000000-mapping.dmp
-
memory/1788-274-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1856-237-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1856-238-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/1856-235-0x0000000000000000-mapping.dmp
-
memory/2040-267-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/2164-228-0x0000000000000000-mapping.dmp
-
memory/2336-255-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/2336-283-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/2336-284-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/2340-262-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/2340-261-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/2344-150-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/2344-147-0x0000000000000000-mapping.dmp
-
memory/2344-165-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/2348-151-0x0000000000000000-mapping.dmp
-
memory/2452-186-0x0000000000000000-mapping.dmp
-
memory/2488-213-0x0000000000000000-mapping.dmp
-
memory/2556-299-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/2656-184-0x0000000000000000-mapping.dmp
-
memory/2712-239-0x0000000000000000-mapping.dmp
-
memory/3100-269-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/3124-136-0x0000000000000000-mapping.dmp
-
memory/3136-143-0x0000000000000000-mapping.dmp
-
memory/3372-178-0x0000000000000000-mapping.dmp
-
memory/3488-196-0x0000000000000000-mapping.dmp
-
memory/3632-201-0x0000000000000000-mapping.dmp
-
memory/3636-246-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/3636-245-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/3680-145-0x0000000000000000-mapping.dmp
-
memory/3792-137-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/3792-135-0x000001D9FF720000-0x000001D9FF742000-memory.dmpFilesize
136KB
-
memory/3792-138-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/3792-134-0x0000000000000000-mapping.dmp
-
memory/3852-214-0x0000000000000000-mapping.dmp
-
memory/3852-216-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/3904-291-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/3912-187-0x0000000000000000-mapping.dmp
-
memory/3912-189-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/3956-133-0x0000000000000000-mapping.dmp
-
memory/3956-195-0x0000000000000000-mapping.dmp
-
memory/4056-169-0x0000000000000000-mapping.dmp
-
memory/4060-271-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4060-272-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4104-224-0x0000000000000000-mapping.dmp
-
memory/4124-265-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4124-264-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4232-132-0x0000000000000000-mapping.dmp
-
memory/4264-172-0x0000000000000000-mapping.dmp
-
memory/4284-275-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4284-277-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4284-251-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4288-259-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4296-233-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4296-293-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4296-173-0x0000000000000000-mapping.dmp
-
memory/4296-234-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4296-294-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4296-231-0x0000000000000000-mapping.dmp
-
memory/4344-281-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4344-278-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4348-146-0x0000000000000000-mapping.dmp
-
memory/4376-193-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4376-194-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4376-191-0x0000000000000000-mapping.dmp
-
memory/4380-152-0x0000000000000000-mapping.dmp
-
memory/4492-183-0x0000000000000000-mapping.dmp
-
memory/4548-197-0x0000000000000000-mapping.dmp
-
memory/4584-219-0x0000000000000000-mapping.dmp
-
memory/4584-221-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4596-211-0x0000000000000000-mapping.dmp
-
memory/4628-229-0x0000000000000000-mapping.dmp
-
memory/4720-174-0x0000000000000000-mapping.dmp
-
memory/4720-175-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4720-177-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4744-168-0x0000000000000000-mapping.dmp
-
memory/4744-223-0x0000000000000000-mapping.dmp
-
memory/4748-142-0x0000000000000000-mapping.dmp
-
memory/4760-179-0x0000000000000000-mapping.dmp
-
memory/4760-181-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4760-182-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4780-289-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/4784-140-0x0000000000000000-mapping.dmp
-
memory/4852-141-0x0000000000000000-mapping.dmp
-
memory/4888-202-0x0000000000000000-mapping.dmp
-
memory/4976-212-0x0000000000000000-mapping.dmp
-
memory/5012-303-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/5016-253-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/5016-210-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/5016-208-0x0000000000000000-mapping.dmp
-
memory/5016-280-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/5016-139-0x0000000000000000-mapping.dmp
-
memory/5020-206-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/5020-205-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmpFilesize
10.8MB
-
memory/5020-203-0x0000000000000000-mapping.dmp
-
memory/5108-159-0x0000000000000000-mapping.dmp