Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | Dec. 18, 2024, 4:13 p.m. | Dec. 18, 2024, 4:15 p.m. |
-
-
-
chcp.com chcp 866
2692 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\test22\AppData\Local\Temp\RarSFX0\" "
2768 -
findstr.exe findstr /c:"(" /c:")"
2804 -
reg.exe reg query "HKU\S-1-5-19"
2860 -
cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoLogonSID" 2>nul
2916 -
reg.exe reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoLogonSID"
2964
-
-
NSudoLC.exe NSudoLC -U:T -P:E -UseCurrentConsole "C:\Users\test22\AppData\Local\Temp\RarSFX0\DefenderKiller.bat"
3008 -
cmd.exe C:\Windows\system32\cmd.exe /c 2>nul reg query "HKLM\System\CurrentControlSet\Services" /f "webthreatdefusersvc*" /k|findstr H
812 -
reg.exe reg query "HKLM\System\CurrentControlSet\Services" /f "webthreatdefusersvc*" /k
1384 -
findstr.exe findstr H
2108
-
-
mode.com Mode 80,45
148 -
nircmd.exe nircmd win center process cmd.exe
2232 -
nircmd.exe nircmd win settext foreground "DK"
2272 -
reg.exe reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
2460 -
find.exe find /i "0x0"
2484 -
sc.exe sc query WinDefend
2604 -
sc.exe sc query WdNisSvc
2724 -
sc.exe sc query Sense
2840 -
sc.exe sc query wscsvc
2912 -
sc.exe sc query SgrmBroker
2980 -
sc.exe sc query SecurityHealthService
2920 -
sc.exe sc query webthreatdefsvc
1964 -
sc.exe sc query webthreatdefusersvc
1356 -
sc.exe sc query WdNisDrv
2220 -
sc.exe sc query WdBoot
2352 -
sc.exe sc query WdFilter
2480 -
sc.exe sc query SgrmAgent
2652 -
sc.exe sc query wtd
2824 -
sc.exe sc query MsSecWfp
2944 -
sc.exe sc query MsSecFlt
2856 -
sc.exe sc query MsSecCore
2956 -
cecho.exe cecho.exe {03}Состояние процессов защитника:{\n #}
2056 -
cecho.exe cecho.exe {0a}SmartScreen{\n #}
2268 -
cecho.exe cecho.exe {0a}MsMpEng{#} {08} [Antimalware Service Executable]{\n #}
2584 -
cecho.exe cecho.exe {0a}SgrmBroker{#} {08}[Брокер среды выполнения System Guard]{\n #}
2788 -
cecho.exe cecho.exe {0a}uhssvc{#} {08} [Microsoft Update Health Service]{\n #}
2756 -
cecho.exe cecho.exe {0a}NisSrv{#} {08} [Network Realtime Inspection]{\n #}
3012 -
cecho.exe cecho.exe {0a}MpCmdRun{#} {08} [Microsoft malware protection]{\n #}
2248 -
cecho.exe cecho.exe {0a}MPSigStub{#}{08} [Malware Protection Signature Update Stub]{\n #}
2576 -
cecho.exe cecho.exe {0a}SHealthUI{#}{08} [Безопасность Windows]{\n #}
2836 -
cecho.exe cecho.exe {0a}HealthTray{#}{08} [SecurityHealthSystray иконка в трее]{\n #}
908 -
cecho.exe cecho.exe {0a}HealthServ{#}{08} [SecurityHealthService]{\n #}
2440 -
cecho.exe cecho.exe {0a}HealthHost{#}{08} [SecurityHealthHost]{\n #}{\n #}
2852 -
cecho.exe cecho.exe {03}Состояние служб и драйверов защитника:{\n #}
192 -
cecho.exe cecho.exe {0a}webthreat{#} {08}[Служба защиты от Веб-угроз - webthreatdefsvc]{\n #}
2640 -
cecho.exe cecho.exe {0a}webthreatu{#} {08}[Служба защиты пользоват. от Веб-угроз - webthreatdefusersvc]{\n #}
1336 -
cecho.exe cecho.exe {0c}WinDefend{#} {08} [Служба Антивирусная программа Защитника Windows]{\n #}
2504 -
cecho.exe cecho.exe {0a}WdNisSvc{#} {08} [Служба проверки сети Windows Defender Antivirus]{\n #}
2632 -
cecho.exe cecho.exe {0a}Sense{#} {08} [Служба Advanced Threat Protection]{\n #}
3100 -
cecho.exe cecho.exe {0c}wscsvc{#} {08}[Служба Центр обеспечения безопасности]{\n #}
3144 -
cecho.exe cecho.exe {0a}SgrmBroker{#} {08}[Служба Брокер мониторинга среды выполнения System Guard]{\n #}
3188 -
cecho.exe cecho.exe {0a}SHealthSer{#} {08}[Служба Центр безопасности Защитника Windows]{\n #}
3232 -
cecho.exe cecho.exe {0a}WdNisDrv{#} {08}[Драйвер WD Network Inspection Driver]{\n #}
3276 -
cecho.exe cecho.exe {0a}WdBoot{#} {08}[Драйвер WD Antivirus Boot Driver]{\n #}
3320 -
cecho.exe cecho.exe {0a}WdFilter{#}{08} [Драйвер WD Antivirus Mini-Filter Driver]{\n #}
3364 -
cecho.exe cecho.exe {0a}SgrmAgent{#}{08} [Драйвер System Guard Runtime Monitor Agent Driver]{\n #}
3408 -
cecho.exe cecho.exe {0a}wtd{#}{08} [Драйвер WTD Driver]{\n #}
3452 -
cecho.exe cecho.exe {0a}MsSecWfp{#}{08} [Драйвер Microsoft Security WFP Callout Driver]{\n #}
3496 -
cecho.exe cecho.exe {0a}MsSecFlt{#}{08} [Драйвер Security Events Component Minifilter]{\n #}
3540 -
cecho.exe cecho.exe {0a}MsSecCore{#}{08} [Драйвер Microsoft Security Core Boot Driver]{\n #}
3584 -
cecho.exe cecho.exe {03}Состояние заданий в планировщике:{\n #}
3628 -
cecho.exe cecho.exe {0a}Windows Defender Cache Maintenance{\n #}
3672 -
cecho.exe cecho.exe {0a}Windows Defender Scheduled Scan{\n #}
3716 -
cecho.exe cecho.exe {0a}Windows Defender Verification{\n #}
3760 -
cecho.exe cecho.exe {0a}Windows Defender Cleanup{\n #}
3804 -
cecho.exe cecho.exe {0a}SmartScreenSpecific{\n #}
3848 -
reg.exe reg delete "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /f
3892 -
-
cscript.exe cscript //nologo temp.vbs
3980
-
-
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ver "
3076 -
findstr.exe findstr /c:"6.3" /c:"6.2" /c:"6.1"
3132 -
nircmd.exe nircmd win activate process cmd.exe
3204 -
nhmb.exe nhmb "Создать резервную копию Защитника?\nМожно будет восстановить защитник после удаления с помощью копии.\n\n\nВыбирайте нет, только в том случае, если Вам НЕ нужны обновления Windows, либо у Вас уже есть резервная копия защитника с этой версии Windows." "BackupDefender" "Warning|YesNo|DefButton2"
3260 -
cecho.exe cecho.exe {03} Добавляем в исключения Защитника{\n #}{\n #}
3448 -
NSudoLC.exe NSudoLC -U:C -ShowWindowMode:Hide -Wait PowerShell "Get-PSDrive -PSProvider 'FileSystem' | ForEach-Object { Add-MpPreference -ExclusionPath $_.Root }"
3512 -
PowerShell.exe PowerShell "Get-PSDrive -PSProvider 'FileSystem' | ForEach-Object { Add-MpPreference -ExclusionPath $_.Root }"
3568
-
-
timeout.exe timeout /t 2 /nobreak
4036 -
7z.exe 7z e -aoa -bso0 -bsp1 "ToolsForDK.zip" -p"UnlockerPass" "DefenderStopx64.exe" "Unlocker.exe"
3112 -
cecho.exe cecho.exe {03} Используем DefenderStop x64 3 раза для отключения служб защитника{\n #}{\n #}
1864 -
-
DefenderStopx64.exe DefenderStopx64
3368
-
-
-
DefenderStopx64.exe DefenderStopx64
740
-
-
-
DefenderStopx64.exe DefenderStopx64
776
-
-
cecho.exe cecho.exe {03} Используем Unlocker для разблокировки папок защитника{\n #}{\n #}
3612 -
Unlocker.exe Unlocker /unlock "C:\ProgramData\Microsoft\Windows Defender" "C:\Program Files\Windows Defender" "C:\Program Files (x86)\Windows Defender"
3688 -
cecho.exe cecho.exe {02} Создаём резервную копию папок из C:\ProgramData{\n #}
3348 -
xcopy.exe xcopy /s /e /h /y /i "C:\ProgramData\Microsoft\Windows Defender" "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender"
3396 -
xcopy.exe xcopy /s /e /h /y /i "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender Advanced Threat Protection"
1668 -
xcopy.exe xcopy /s /e /h /y /i "C:\ProgramData\Microsoft\Windows Security Health" "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Security Health"
416 -
xcopy.exe xcopy /s /e /h /y /i "C:\ProgramData\Microsoft\Storage Health" "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Storage Health"
3692 -
timeout.exe timeout /t 2 /nobreak
3676 -
cmd.exe C:\Windows\system32\cmd.exe /c ver
3940 -
cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender" "
3264 -
findstr.exe findstr /r "^"
3684 -
cecho.exe cecho.exe {02} Создаём резервную копию папок из C:\Program Files (x86) и C:\Program Files (x86){\n #}
1380 -
reg.exe reg add "HKLM\Software\DefenderKiller" /f
1560 -
xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Windows Defender" "C:\WDefenderBackup\Folder\Program Files\Windows Defender"
3624 -
xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Windows Defender Sleep" "C:\WDefenderBackup\Folder\Program Files\Windows Defender Sleep"
1996 -
xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Windows Defender Advanced Threat Protection" "C:\WDefenderBackup\Folder\Program Files\Windows Defender Advanced Threat Protection"
1244 -
xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Windows Security" "C:\WDefenderBackup\Folder\Program Files\Windows Security"
3712 -
xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\PCHealthCheck" "C:\WDefenderBackup\Folder\Program Files\PCHealthCheck"
3876 -
xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Microsoft Update Health Tools" "C:\WDefenderBackup\Folder\Program Files\Microsoft Update Health Tools"
1848 -
xcopy.exe xcopy /s /e /h /y /i "C:\Program Files (x86)\Windows Defender" "C:\WDefenderBackup\Folder\Program Files (x86)\Windows Defender"
1656 -
xcopy.exe xcopy /s /e /h /y /i "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" "C:\WDefenderBackup\Folder\Program Files (x86)\Windows Defender Advanced Threat Protection"
1800 -
cecho.exe cecho.exe {02} Создаём резервную копию папок из System32 и SysWOW64{\n #}
376 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\security\database" "C:\WDefenderBackup\Folder\Windows\security\database"
1608 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\HealthAttestationClient" "C:\WDefenderBackup\Folder\System32\HealthAttestationClient"
3580 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\SecurityHealth" "C:\WDefenderBackup\Folder\System32\SecurityHealth"
1788 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\WebThreatDefSvc" "C:\WDefenderBackup\Folder\System32\WebThreatDefSvc"
2344 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\Sgrm" "C:\WDefenderBackup\Folder\System32\Sgrm"
3728 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" "C:\WDefenderBackup\Folder\System32\WindowsPowerShell\v1.0\Modules\Defender"
3756 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\WDefenderBackup\Folder\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
3120 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" "C:\WDefenderBackup\Folder\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender"
2296 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\drivers\wd" "C:\WDefenderBackup\Folder\System32\drivers\wd"
772 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" "C:\WDefenderBackup\Folder\System32\Tasks\Microsoft\Windows\Windows Defender"
3280 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" "C:\WDefenderBackup\Folder\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender"
1888 -
xcopy.exe xcopy /s /e /h /y /i "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\WDefenderBackup\Folder\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
4124 -
cecho.exe cecho.exe {02} Создаём резервную копию файлов из System32 и SysWOW64{\n #}
4168 -
cecho.exe cecho.exe {02} Создаём резервную копию папок из WinSxS{\n #}
4236 -
xcopy.exe xcopy "C:\Windows\WinSxS\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea" "C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea" /I /E /H /Y
4280 -
xcopy.exe xcopy "C:\Windows\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306" "C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306" /I /E /H /Y
4332 -
xcopy.exe xcopy "C:\Windows\WinSxS\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167" "C:\WDefenderBackup\Folder\WinSxS\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167" /I /E /H /Y
4376 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\EventLog\System\WinDefend" "C:\WDefenderBackup\ServicesDrivers\WinDefendEvent.reg"
4420 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\SecurityHealthService" "C:\WDefenderBackup\ServicesDrivers\SecurityHealthService.reg"
4464 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\Sense" "C:\WDefenderBackup\ServicesDrivers\Sense.reg"
4508 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\WdNisSvc" "C:\WDefenderBackup\ServicesDrivers\WdNisSvc.reg"
4552 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\WinDefend" "C:\WDefenderBackup\ServicesDrivers\WinDefend.reg"
4600 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\wscsvc" "C:\WDefenderBackup\ServicesDrivers\wscsvc.reg"
4644 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\SgrmBroker" "C:\WDefenderBackup\ServicesDrivers\SgrmBroker.reg"
4688 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\webthreatdefsvc" "C:\WDefenderBackup\ServicesDrivers\webthreatdefsvc.reg"
4732 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc" "C:\WDefenderBackup\ServicesDrivers\webthreatdefusersvc.reg"
4776 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\WdNisDrv" "C:\WDefenderBackup\ServicesDrivers\WdNisDrv.reg"
4820 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\WdBoot" "C:\WDefenderBackup\ServicesDrivers\WdBoot.reg"
4864 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\WdFilter" "C:\WDefenderBackup\ServicesDrivers\WdFilter.reg"
4908 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\SgrmAgent" "C:\WDefenderBackup\ServicesDrivers\SgrmAgent.reg"
4952 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\wtd" "C:\WDefenderBackup\ServicesDrivers\wtd.reg"
4996 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\MsSecWfp" "C:\WDefenderBackup\ServicesDrivers\MsSecWfp.reg"
5040 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\MsSecFlt" "C:\WDefenderBackup\ServicesDrivers\MsSecFlt.reg"
5084 -
reg.exe reg export "HKLM\System\CurrentControlSet\Services\MsSecCore" "C:\WDefenderBackup\ServicesDrivers\MsSecCore.reg"
1644 -
reg.exe reg export "HKCR\*\shellex\ContextMenuHandlers\EPP" "C:\WDefenderBackup\RegEdit\1.reg"
4128 -
reg.exe reg export "HKCR\Directory\shellex\ContextMenuHandlers\EPP" "C:\WDefenderBackup\RegEdit\2.reg"
4172 -
reg.exe reg export "HKCR\Drive\shellex\ContextMenuHandlers\EPP" "C:\WDefenderBackup\RegEdit\3.reg"
4292 -
reg.exe reg export "HKLM\Software\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" "C:\WDefenderBackup\RegEdit\4.reg"
4336 -
reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" "C:\WDefenderBackup\RegEdit\5.reg"
4452 -
reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "C:\WDefenderBackup\RegEdit\6.reg"
4524 -
reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" "C:\WDefenderBackup\RegEdit\7.reg"
4580 -
reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender" "C:\WDefenderBackup\RegEdit\8.reg"
4664 -
reg.exe reg export "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" "C:\WDefenderBackup\RegEdit\9.reg"
4728 -
reg.exe reg export "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderAuditLogger" "C:\WDefenderBackup\RegEdit\10.reg"
4788 -
reg.exe reg export "HKLM\Software\Microsoft\Windows Defender" "C:\WDefenderBackup\RegEdit\11.reg"
4824 -
reg.exe reg export "HKLM\Software\Microsoft\Windows Defender Security Center" "C:\WDefenderBackup\RegEdit\12.reg"
4940 -
reg.exe reg export "HKLM\Software\Microsoft\Windows Advanced Threat Protection" "C:\WDefenderBackup\RegEdit\13.reg"
5016 -
reg.exe reg export "HKLM\Software\Microsoft\Windows Security Health" "C:\WDefenderBackup\RegEdit\14.reg"
5068 -
reg.exe reg export "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" "C:\WDefenderBackup\RegEdit\15.reg"
4120 -
reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" "C:\WDefenderBackup\RegEdit\16.reg"
4232 -
reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" "C:\WDefenderBackup\RegEdit\17.reg"
4028 -
reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\NIS-Driver-WFP/Diagnostic" "C:\WDefenderBackup\RegEdit\18.reg"
4396 -
reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" "C:\WDefenderBackup\RegEdit\19.reg"
4504 -
reg.exe reg export "HKCR\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" "C:\WDefenderBackup\RegEdit\20.reg"
4616 -
cecho.exe cecho.exe {08} Резервная копия создана в {09}C:\WDefenderBackup{\n #}{\n #}
4656 -
reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d 5 /f
4848 -
nircmd.exe nircmd killprocess SecHealthUI.exe
4968 -
cecho.exe cecho.exe {03} Отключаем защитник [групповые политики] >
5088 -
taskkill.exe taskkill /f /im mmc.exe
4248 -
cecho.exe cecho.exe {04} Применение ГП{\n #}{\n #}
1832 -
LGPO.exe LGPO.exe /t "LGPO-temp.txt" /q
4660 -
nircmd.exe nircmd win activate process cmd.exe
4892 -
reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
4200 -
NSudoLC.exe NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
4352 -
reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
4348 -
NSudoLC.exe NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
5036 -
cmd.exe cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
4868 -
reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
5156
-
-
-
reg.exe reg add "HKLM\Software\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
4572 -
reg.exe reg add "HKLM\Software\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
4648 -
cecho.exe cecho.exe {08} Пропуск добавления в исключения Защитника [уже добавлено]{\n #}{\n #}
5208 -
nircmd.exe nircmd killprocess MpCmdRun.exe
5252 -
nircmd.exe nircmd killprocess MsMpEng.exe
5296 -
nircmd.exe nircmd killprocess SecurityHealthSystray.exe
5340 -
nircmd.exe nircmd killprocess SecurityHealthService.exe
5384 -
nircmd.exe nircmd killprocess SecurityHealthHost.exe
5428 -
nircmd.exe nircmd killprocess smartscreen.exe
5472 -
nircmd.exe nircmd killprocess SgrmBroker.exe
5560 -
nircmd.exe nircmd killprocess SecHealthUI.exe
5628 -
nircmd.exe nircmd killprocess uhssvc.exe
5672 -
nircmd.exe nircmd killprocess NisSrv.exe
5716 -
nircmd.exe nircmd killprocess MPSigStub.exe
5760 -
nircmd.exe nircmd killprocess MSASCuiL.exe
5804 -
nircmd.exe nircmd killprocess MRT.exe
5848 -
7z.exe 7z x -aoa -bso0 -bsp1 "ToolsForDK.zip" -p"UnlockerPass"
5892 -
cecho.exe cecho.exe {03} Используем DefenderStop x64 для отключения служб защитника{\n #}{\n #}
5940 -
-
DefenderStopx64.exe DefenderStopx64.exe
6028
-
-
-
DefenderStopx64.exe DefenderStopx64.exe
6132
-
-
cecho.exe cecho.exe {0c} Выполняем удаление с помощью Unlocker by Eject{\n #}
5160 -
nircmd.exe nircmd win settext foreground "DK"
5212 -
-
-
taskkill.exe taskkill /f /im explorer.exe
5552
-
-
-
timeout.exe timeout /t 1 /nobreak
5648 -
Unlocker.exe Unlocker /DeleteDefender
5676 -
cecho.exe cecho.exe {08} Папка "C:\ProgramData\Microsoft\Windows Defender" не удалилась с 1 раза{\n #}
5888 -
cecho.exe cecho.exe {0c} Повторное удаление Защитника с помощью Unlocker{\n #}{\n #}
5960 -
timeout.exe timeout /t 2 /nobreak
6040 -
Unlocker.exe Unlocker /DeleteDefender
6116 -
-
-
explorer.exe explorer.exe
1240
-
-
-
taskkill.exe taskkill /f /im mmc.exe
280 -
cecho.exe cecho.exe {04} Применение ГП{\n #}{\n #}
5504 -
LGPO.exe LGPO.exe /t "LGPO-temp.txt" /q
5744 -
nircmd.exe nircmd win activate process cmd.exe
1064 -
cecho.exe cecho.exe {03} Удаляем папки и файлы Защитника{\n #}{\n #}
5912 -
taskkill.exe taskkill /f /im smartscreen.exe
6096 -
cecho.exe cecho.exe {03} Удаляем службы{\n #}
5280 -
cecho.exe cecho.exe {0a} WinDefend, SecurityHealthService, Sense, WdNisSvc, wscsvc, webthreatdefsvc{\n #}
5368 -
cecho.exe cecho.exe {0a} webthreatdefusersvc{\n #}{\n #}
1640 -
sc.exe sc stop WinDefend
1552
-
-
Name | Response | Post-Analysis Lookup |
---|---|---|
No hosts contacted. |
IP Address | Status | Action |
---|---|---|
No hosts contacted. |
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
pdb_path | D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb |
file | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
file | C:\Program Files\Mozilla Firefox\firefox.exe |
section | .didat |
resource name | PNG |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MsMpCom.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\temp.vbs |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MpClient.dll |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpAsDesc.dll |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MpRTP.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\DefenderStopx86.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\NSudoLC.exe |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpCom.dll |
file | C:\WDefenderBackup\Folder\WinSxS\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167\MpOAV.dll |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MsMpLics.dll |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpSvc.dll |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpClient.dll |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCmdRun.exe |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MpCmdRun.exe |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpCommu.dll |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpRes.dll |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MSASCui.exe |
file | C:\WDefenderBackup\Folder\Program Files (x86)\Windows Defender\MsMpLics.dll |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MpSvc.dll |
file | C:\WDefenderBackup\Folder\Program Files (x86)\Windows Defender\MpOAV.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\nhmb.exe |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpRTP.dll |
file | C:\WDefenderBackup\Folder\Program Files (x86)\Windows Defender\MpAsDesc.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\cecho.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\nircmd.exe |
file | C:\WDefenderBackup\Folder\WinSxS\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167\MpClient.dll |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MpOAV.dll |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MpAsDesc.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\DefenderKiller.bat |
file | C:\WDefenderBackup\Folder\WinSxS\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167\MsMpLics.dll |
file | C:\WDefenderBackup\Folder\WinSxS\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167\MpAsDesc.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\Unlocker.exe |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MsMpLics.dll |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MpCommu.dll |
file | C:\WDefenderBackup\Folder\Program Files (x86)\Windows Defender\MpClient.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\7z.exe |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MpOAV.dll |
file | C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender\Definition Updates\{CE30CEB1-2E0C-4A02-B591-7C0F3A5A790A}\mpengine.dll |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea\MpEvMsg.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\DefenderStopx64.exe |
file | C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306\MSASCui.exe |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MsMpRes.dll |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\LGPO.exe |
file | C:\WDefenderBackup\Folder\Program Files\Windows Defender\MpEvMsg.dll |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk |
file | C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender" " |
cmdline | cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f |
cmdline | xcopy /s /e /h /y /i "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\WDefenderBackup\Folder\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" |
cmdline | NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c start explorer.exe |
cmdline | xcopy /s /e /h /y /i "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\WDefenderBackup\Folder\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" |
cmdline | PowerShell "Get-PSDrive -PSProvider 'FileSystem' | ForEach-Object { Add-MpPreference -ExclusionPath $_.Root }" |
cmdline | C:\Windows\system32\cmd.exe /c ver |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\test22\AppData\Local\Temp\RarSFX0\" " |
cmdline | C:\Windows\system32\cmd.exe /c reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoLogonSID" 2>nul |
cmdline | cmd.exe /c start explorer.exe |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" ver " |
cmdline | xcopy /s /e /h /y /i "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" "C:\WDefenderBackup\Folder\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" |
cmdline | xcopy /s /e /h /y /i "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" "C:\WDefenderBackup\Folder\System32\WindowsPowerShell\v1.0\Modules\Defender" |
cmdline | NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f |
cmdline | NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f |
cmdline | cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f |
cmdline | cmd.exe /c taskkill /f /im explorer.exe |
cmdline | NSudoLC -U:C -ShowWindowMode:Hide -Wait PowerShell "Get-PSDrive -PSProvider 'FileSystem' | ForEach-Object { Add-MpPreference -ExclusionPath $_.Root }" |
cmdline | NSudoLC -U:C -ShowWindowMode:Hide -Wait cmd.exe /c taskkill /f /im explorer.exe |
cmdline | nircmd win activate process cmd.exe |
cmdline | nircmd win center process cmd.exe |
cmdline | C:\Windows\system32\cmd.exe /c 2>nul reg query "HKLM\System\CurrentControlSet\Services" /f "webthreatdefusersvc*" /k|findstr H |
cmdline | C:\Windows\system32\cmd.exe /c cscript //nologo temp.vbs |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\DefenderKiller.bat |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\NSudoLC.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\nircmd.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\cecho.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\nhmb.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\7z.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\Unlocker.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\LGPO.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\nhmb.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\Unlocker.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\DefenderStopx86.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\cecho.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\7z.exe |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\LGPO.exe |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "mmc.exe") |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "smartscreen.exe") |
wmi | Select FreeSpace from Win32_LogicalDisk Where DeviceID = 'C:' |
wmi | SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "explorer.exe") |
description | Create a windows service | rule | Create_Service | ||||||
description | Communications over RAW Socket | rule | Network_TCP_Socket | ||||||
description | Communication using DGA | rule | Network_DGA | ||||||
description | Match Windows Http API call | rule | Str_Win32_Http_API | ||||||
description | Take ScreenShot | rule | ScreenShot | ||||||
description | Escalate privileges | rule | Escalate_priviledges | ||||||
description | Steal credential | rule | local_credential_Steal | ||||||
description | PWS Memory | rule | Generic_PWS_Memory_Zero | ||||||
description | Record Audio | rule | Sniff_Audio | ||||||
description | Communications over HTTP | rule | Network_HTTP | ||||||
description | Communications use DNS | rule | Network_DNS | ||||||
description | Code injection with CreateRemoteThread in a remote process | rule | Code_injection | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerCheck__RemoteAPI | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__ConsoleCtrl | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | (no description) | rule | Check_Dlls | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Anti-Sandbox checks for ThreatExpert | rule | antisb_threatExpert | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | Affect hook table | rule | win_hook | ||||||
description | File Downloader | rule | Network_Downloader | ||||||
description | Match Windows Inet API call | rule | Str_Win32_Internet_API | ||||||
description | Install itself for autorun at Windows startup | rule | Persistence | ||||||
description | Communications over FTP | rule | Network_FTP | ||||||
description | Run a KeyLogger | rule | KeyLogger | ||||||
description | Communications over P2P network | rule | Network_P2P_Win | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags | ||||||
description | (no description) | rule | DebuggerCheck__QueryInfo | ||||||
description | (no description) | rule | DebuggerHiding__Thread | ||||||
description | (no description) | rule | DebuggerHiding__Active | ||||||
description | (no description) | rule | DebuggerException__SetConsoleCtrl | ||||||
description | (no description) | rule | ThreadControl__Context | ||||||
description | (no description) | rule | SEH__vectored | ||||||
description | Checks if being debugged | rule | anti_dbg | ||||||
description | Bypass DEP | rule | disable_dep | ||||||
description | (no description) | rule | DebuggerCheck__GlobalFlags |
cmdline | sc query MsSecWfp |
cmdline | sc query MsSecCore |
cmdline | taskkill /f /im explorer.exe |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender" " |
cmdline | reg export "HKLM\System\CurrentControlSet\Services\MsSecFlt" "C:\WDefenderBackup\ServicesDrivers\MsSecFlt.reg" |
cmdline | reg export "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" "C:\WDefenderBackup\RegEdit\9.reg" |
cmdline | cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f |
cmdline | reg export "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" "C:\WDefenderBackup\RegEdit\15.reg" |
cmdline | reg delete "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /f |
cmdline | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f |
cmdline | reg export "HKLM\System\CurrentControlSet\Services\WdNisDrv" "C:\WDefenderBackup\ServicesDrivers\WdNisDrv.reg" |
cmdline | taskkill /f /im smartscreen.exe |
cmdline | reg export "HKLM\Software\Microsoft\Windows Advanced Threat Protection" "C:\WDefenderBackup\RegEdit\13.reg" |
cmdline | reg export "HKLM\Software\Microsoft\Windows Defender Security Center" "C:\WDefenderBackup\RegEdit\12.reg" |
cmdline | sc query Sense |
cmdline | C:\Windows\system32\cmd.exe /c reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoLogonSID" 2>nul |
cmdline | taskkill /f /im mmc.exe |
cmdline | sc query WdBoot |
cmdline | xcopy /s /e /h /y /i "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" |
cmdline | reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "C:\WDefenderBackup\RegEdit\6.reg" |
cmdline | reg export "HKLM\System\CurrentControlSet\Services\wscsvc" "C:\WDefenderBackup\ServicesDrivers\wscsvc.reg" |
cmdline | reg export "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc" "C:\WDefenderBackup\ServicesDrivers\webthreatdefusersvc.reg" |
cmdline | chcp 866 |
cmdline | reg query "HKLM\System\CurrentControlSet\Services" /f "webthreatdefusersvc*" /k |
cmdline | cecho.exe {0a}Sense{#} {08} [Служба Advanced Threat Protection]{\n #} |
cmdline | reg export "HKLM\Software\Microsoft\Windows Security Health" "C:\WDefenderBackup\RegEdit\14.reg" |
cmdline | reg export "HKLM\System\CurrentControlSet\Services\MsSecWfp" "C:\WDefenderBackup\ServicesDrivers\MsSecWfp.reg" |
cmdline | reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d 5 /f |
cmdline | reg export "HKLM\System\CurrentControlSet\Services\WdNisSvc" "C:\WDefenderBackup\ServicesDrivers\WdNisSvc.reg" |
cmdline | reg export "HKLM\System\CurrentControlSet\Services\SgrmAgent" "C:\WDefenderBackup\ServicesDrivers\SgrmAgent.reg" |
cmdline | reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" "C:\WDefenderBackup\RegEdit\19.reg" |
cmdline | reg add "HKLM\Software\DefenderKiller" /f |
cmdline | reg export "HKLM\System\CurrentControlSet\Services\MsSecCore" "C:\WDefenderBackup\ServicesDrivers\MsSecCore.reg" |
cmdline | reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" "C:\WDefenderBackup\RegEdit\7.reg" |
cmdline | reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender" "C:\WDefenderBackup\RegEdit\8.reg" |
cmdline | reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\NIS-Driver-WFP/Diagnostic" "C:\WDefenderBackup\RegEdit\18.reg" |
cmdline | reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" "C:\WDefenderBackup\RegEdit\17.reg" |
cmdline | reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoLogonSID" |
cmdline | reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f |
cmdline | sc query MsSecFlt |
cmdline | NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f |
cmdline | reg export "HKLM\System\CurrentControlSet\Services\wtd" "C:\WDefenderBackup\ServicesDrivers\wtd.reg" |
cmdline | sc query webthreatdefusersvc |
cmdline | reg export "HKCR\Directory\shellex\ContextMenuHandlers\EPP" "C:\WDefenderBackup\RegEdit\2.reg" |
cmdline | reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" "C:\WDefenderBackup\RegEdit\5.reg" |
cmdline | NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f |
cmdline | cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f |
cmdline | xcopy /s /e /h /y /i "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" "C:\WDefenderBackup\Folder\Program Files (x86)\Windows Defender Advanced Threat Protection" |
cmdline | reg export "HKLM\Software\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" "C:\WDefenderBackup\RegEdit\4.reg" |
cmdline | sc query SgrmBroker |
wmi | Select FreeSpace from Win32_LogicalDisk Where DeviceID = 'C:' |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\echo.DWORD:2 |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\echo.DWORD:1 |
file | C:\Users\test22\AppData\Local\Temp\RarSFX0\Work\echo.DWORD:0 |
registry | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin |
cmd | cecho.exe {0a}sgrmagent{#}{08} [драйвер system guard runtime monitor agent driver]{\n #}sc query mssecwfp sc query msseccore taskkill /f /im explorer.exe c:\windows\system32\cmd.exe /s /d /c" dir /b "c:\wdefenderbackup\folder\programdata\microsoft\windows defender" "nircmd killprocess sgrmbroker.exereg export "hklm\system\currentcontrolset\services\mssecflt" "c:\wdefenderbackup\servicesdrivers\mssecflt.reg"reg export "hklm\system\currentcontrolset\control\wmi\autologger\defenderapilogger" "c:\wdefenderbackup\regedit\9.reg"cecho.exe {0a}shealthui{#}{08} [безопасность windows]{\n #}cmd.exe /c reg add "hkcu\software\microsoft\windows\currentversion\notifications\settings\windows.systemtoast.securityandmaintenance" /v "enabled" /t reg_dword /d "0" /f timeout /t 1 /nobreak nircmd killprocess sechealthui.exenircmd win settext foreground "dk"cecho.exe {02} создаём резервную копию папок из c:\program files (x86) и c:\program files (x86){\n #}xcopy /s /e /h /y /i "c:\windows\syswow64\windowspowershell\v1.0\modules\defenderperformance" "c:\wdefenderbackup\folder\syswow64\windowspowershell\v1.0\modules\defenderperformance"cecho.exe {03} используем defenderstop x64 3 раза для отключения служб защитника{\n #}{\n #}cecho.exe {0c}windefend{#} {08} [служба антивирусная программа защитника windows]{\n #}reg export "hklm\software\microsoft\systemsettings\settingid\systemsettings_windowsdefender_usewindowsdefender" "c:\wdefenderbackup\regedit\15.reg"cecho.exe {03} используем defenderstop x64 для отключения служб защитника{\n #}{\n #}nsudolc -u:c -showwindowmode:hide cmd.exe /c start explorer.exe xcopy /s /e /h /y /i "c:\windows\system32\sgrm" "c:\wdefenderbackup\folder\system32\sgrm"reg delete "hklm\software\microsoft\windows script host\settings" /v "enabled" /f cecho.exe {02} создаём резервную копию папок из winsxs{\n #}xcopy "c:\windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306" 
"c:\wdefenderbackup\folder\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306" /i /e /h /ycecho.exe {0c} повторное удаление защитника с помощью unlocker{\n #}{\n #}xcopy /s /e /h /y /i "c:\windows\security\database" "c:\wdefenderbackup\folder\windows\security\database"findstr /c:"(" /c:")" findstr /r "^" cecho.exe {0a}smartscreenspecific{\n #}cecho.exe {0a}wdfilter{#}{08} [драйвер wd antivirus mini-filter driver]{\n #}reg add "hkcu\software\microsoft\windows\currentversion\apphost" /v "enablewebcontentevaluation" /t reg_dword /d "0" /f reg export "hklm\system\currentcontrolset\services\wdnisdrv" "c:\wdefenderbackup\servicesdrivers\wdnisdrv.reg"xcopy /s /e /h /y /i "c:\windows\system32\windowspowershell\v1.0\modules\defenderperformance" "c:\wdefenderbackup\folder\system32\windowspowershell\v1.0\modules\defenderperformance"cecho.exe {03}состояние процессов защитника:{\n #}taskkill /f /im smartscreen.exepowershell "get-psdrive -psprovider 'filesystem' | foreach-object { add-mppreference -exclusionpath $_.root }" reg export "hklm\software\microsoft\windows advanced threat protection" "c:\wdefenderbackup\regedit\13.reg"cecho.exe {0a}windows defender scheduled scan{\n #}reg export "hklm\software\microsoft\windows defender security center" "c:\wdefenderbackup\regedit\12.reg"xcopy "c:\windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea" "c:\wdefenderbackup\folder\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea" /i /e /h /ydefenderstopx64.exexcopy /s /e /h /y /i "c:\program files\microsoft update health tools" "c:\wdefenderbackup\folder\program files\microsoft update health tools"c:\windows\system32\cmd.exe /c vercecho.exe {03} используем unlocker для разблокировки папок защитника{\n #}{\n #}sc query sense cecho.exe {0a}windows defender verification{\n #}c:\windows\system32\cmd.exe /s /d /c" echo 
"c:\users\test22\appdata\local\temp\rarsfx0\" "c:\windows\system32\cmd.exe /c reg query "hklm\software\microsoft\windows nt\currentversion\winlogon" /v "autologonsid" 2>nulxcopy /s /e /h /y /i "c:\programdata\microsoft\storage health" "c:\wdefenderbackup\folder\programdata\microsoft\storage health"cmd.exe /c start explorer.exe taskkill /f /im mmc.exe sc query wdboot xcopy /s /e /h /y /i "c:\programdata\microsoft\windows defender advanced threat protection" "c:\wdefenderbackup\folder\programdata\microsoft\windows defender advanced threat protection"reg export "hklm\software\microsoft\windows\currentversion\run" "c:\wdefenderbackup\regedit\6.reg"reg export "hklm\system\currentcontrolset\services\wscsvc" "c:\wdefenderbackup\servicesdrivers\wscsvc.reg"cecho.exe {03}состояние заданий в планировщике:{\n #}nircmd killprocess securityhealthhost.exececho.exe {08} папка "c:\programdata\microsoft\windows defender" не удалилась с 1 раза{\n #}xcopy /s /e /h /y /i "c:\windows\system32\healthattestationclient" "c:\wdefenderbackup\folder\system32\healthattestationclient"cecho.exe {0a}mssecwfp{#}{08} [драйвер microsoft security wfp callout driver]{\n #}cecho.exe {0c} выполняем удаление с помощью unlocker by eject{\n #}reg export "hklm\system\currentcontrolset\services\webthreatdefusersvc" "c:\wdefenderbackup\servicesdrivers\webthreatdefusersvc.reg"c:\windows\system32\cmd.exe /s /d /c" ver "nircmd killprocess nissrv.exechcp 866 reg query "hklm\system\currentcontrolset\services" /f "webthreatdefusersvc*" /kcecho.exe {0a}sense{#} {08} [служба advanced threat protection]{\n #}reg export "hklm\software\microsoft\windows security health" "c:\wdefenderbackup\regedit\14.reg"reg export "hklm\system\currentcontrolset\services\mssecwfp" "c:\wdefenderbackup\servicesdrivers\mssecwfp.reg"reg add "hklm\software\microsoft\windows\currentversion\policies\system" /v "consentpromptbehavioradmin" /t reg_dword /d 5 /f reg export "hklm\system\currentcontrolset\services\wdnissvc" 
"c:\wdefenderbackup\servicesdrivers\wdnissvc.reg"reg export "hklm\system\currentcontrolset\services\sgrmagent" "c:\wdefenderbackup\servicesdrivers\sgrmagent.reg"xcopy "c:\windows\winsxs\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167" "c:\wdefenderbackup\folder\winsxs\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167" /i /e /h /yreg export "hklm\software\microsoft\windows\currentversion\explorer\controlpanel\namespace\{d8559eb9-20c0-410e-beda-7ed416aecc2a}" "c:\wdefenderbackup\regedit\19.reg"reg add "hklm\software\defenderkiller" /f7z e -aoa -bso0 -bsp1 "toolsfordk.zip" -p"unlockerpass" "defenderstopx64.exe" "unlocker.exe"xcopy /s /e /h /y /i "c:\windows\system32\securityhealth" "c:\wdefenderbackup\folder\system32\securityhealth"findstr hcecho.exe {0a}mpsigstub{#}{08} [malware protection signature update stub]{\n #}xcopy /s /e /h /y /i "c:\windows\syswow64\windowspowershell\v1.0\modules\defender" "c:\wdefenderbackup\folder\syswow64\windowspowershell\v1.0\modules\defender"timeout /t 2 /nobreak cecho.exe {04} применение гп{\n #}{\n #}reg export "hklm\system\currentcontrolset\services\msseccore" "c:\wdefenderbackup\servicesdrivers\msseccore.reg"reg export "hklm\software\microsoft\windows\currentversion\explorer\startupapproved\run" "c:\wdefenderbackup\regedit\7.reg"reg export "hklm\software\microsoft\windows\currentversion\explorer\volumecaches\windows defender" "c:\wdefenderbackup\regedit\8.reg"cecho.exe {02} создаём резервную копию папок из system32 и syswow64{\n #}reg export "hklm\software\microsoft\windows\currentversion\winevt\channels\nis-driver-wfp/diagnostic" "c:\wdefenderbackup\regedit\18.reg"reg export "hklm\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-windows defender/whc" "c:\wdefenderbackup\regedit\17.reg"cecho.exe {0a}healthhost{#}{08} [securityhealthhost]{\n #}{\n #}nircmd exec hide defenderstopx64.exexcopy /s /e /h /y /i 
"c:\windows\system32\windowspowershell\v1.0\modules\defender" "c:\wdefenderbackup\folder\system32\windowspowershell\v1.0\modules\defender"reg query "hklm\software\microsoft\windows nt\currentversion\winlogon" /v "autologonsid" xcopy /s /e /h /y /i "c:\program files\windows defender" "c:\wdefenderbackup\folder\program files\windows defender"nircmd exec hide defenderstopx64nircmd killprocess uhssvc.exececho.exe {0a}mssecflt{#}{08} [драйвер security events component minifilter]{\n #}xcopy /s /e /h /y /i "c:\program files\pchealthcheck" "c:\wdefenderbackup\folder\program files\pchealthcheck"reg add "hklm\software\microsoft\windows\currentversion\notifications\settings\windows.systemtoast.securityandmaintenance" /v "enabled" /t reg_dword /d "0" /f cecho.exe {0a} webthreatdefusersvc{\n #}{\n #}xcopy /s /e /h /y /i "c:\program files (x86)\windows defender" "c:\wdefenderbackup\folder\program files (x86)\windows defender"cecho.exe {03} удаляем папки и файлы защитника{\n #}{\n #}sc query mssecflt nsudolc -u:c -showwindowmode:hide cmd.exe /c reg add "hkcu\software\microsoft\windows\currentversion\apphost" /v "enablewebcontentevaluation" /t reg_dword /d "0" /f reg export "hklm\system\currentcontrolset\services\wtd" "c:\wdefenderbackup\servicesdrivers\wtd.reg"unlocker /unlock "c:\programdata\microsoft\windows defender" "c:\program files\windows defender" "c:\program files (x86)\windows defender"sc query webthreatdefusersvc cecho.exe {03} удаляем службы{\n #}cecho.exe {08} резервная копия создана в {09}c:\wdefenderbackup{\n #}{\n #}cecho.exe {02} создаём резервную копию файлов из system32 и syswow64{\n #}defenderstopx64xcopy /s /e /h /y /i "c:\windows\system32\webthreatdefsvc" "c:\wdefenderbackup\folder\system32\webthreatdefsvc"cecho.exe {0a}wdnisdrv{#} {08}[драйвер wd network inspection driver]{\n #}reg export "hkcr\directory\shellex\contextmenuhandlers\epp" "c:\wdefenderbackup\regedit\2.reg"reg export "hklm\software\microsoft\windows\currentversion\shell extensions\approved" 
"c:\wdefenderbackup\regedit\5.reg"nsudolc -u:c -showwindowmode:hide cmd.exe /c reg add "hkcu\software\microsoft\windows\currentversion\notifications\settings\windows.systemtoast.securityandmaintenance" /v "enabled" /t reg_dword /d "0" /f cecho.exe {0a}mpcmdrun{#} {08} [microsoft malware protection]{\n #}cmd.exe /c reg add "hkcu\software\microsoft\windows\currentversion\apphost" /v "enablewebcontentevaluation" /t reg_dword /d "0" /f find /i "0x0" cecho.exe {0a}healthserv{#}{08} [securityhealthservice]{\n #}xcopy /s /e /h /y /i "c:\program files (x86)\windows defender advanced threat protection" "c:\wdefenderbackup\folder\program files (x86)\windows defender advanced threat protection"reg export "hklm\software\classes\clsid\{09a47860-11b0-4da5-afa5-26d86198a780}" "c:\wdefenderbackup\regedit\4.reg"xcopy /s /e /h /y /i "c:\windows\system32\drivers\wd" "c:\wdefenderbackup\folder\system32\drivers\wd"xcopy /s /e /h /y /i "c:\windows\system32\tasks_migrated\microsoft\windows\windows defender" "c:\wdefenderbackup\folder\system32\tasks_migrated\microsoft\windows\windows defender"cecho.exe {0a}uhssvc{#} {08} [microsoft update health service]{\n #}cecho.exe {0a}sgrmbroker{#} {08}[служба брокер мониторинга среды выполнения system guard]{\n #}cecho.exe {0a}webthreatu{#} {08}[служба защиты пользоват. 
от веб-угроз - webthreatdefusersvc]{\n #}sc query sgrmbroker reg export "hkcr\*\shellex\contextmenuhandlers\epp" "c:\wdefenderbackup\regedit\1.reg"nsudolc -u:t -p:e -usecurrentconsole "c:\users\test22\appdata\local\temp\rarsfx0\defenderkiller.bat" cecho.exe {03}состояние служб и драйверов защитника:{\n #}reg add "hkcu\software\microsoft\windows\currentversion\notifications\settings\windows.systemtoast.securityandmaintenance" /v "enabled" /t reg_dword /d "0" /f reg add "hklm\software\policies\microsoft\mrt" /v "dontreportinfectioninformation" /t reg_dword /d "1" /f nircmd killprocess msmpeng.exereg export "hklm\system\currentcontrolset\services\eventlog\system\windefend" "c:\wdefenderbackup\servicesdrivers\windefendevent.reg"reg export "hklm\system\currentcontrolset\control\wmi\autologger\defenderauditlogger" "c:\wdefenderbackup\regedit\10.reg"cecho.exe {0a}wdboot{#} {08}[драйвер wd antivirus boot driver]{\n #}c:\users\test22\appdata\local\temp\rarsfx0\defenderkiller.batreg export "hkcr\drive\shellex\contextmenuhandlers\epp" "c:\wdefenderbackup\regedit\3.reg"nircmd killprocess smartscreen.exereg export "hklm\software\microsoft\windows\currentversion\winevt\channels\microsoft-windows-windows defender/operational" "c:\wdefenderbackup\regedit\16.reg"reg export "hklm\system\currentcontrolset\services\wdboot" "c:\wdefenderbackup\servicesdrivers\wdboot.reg"cecho.exe {02} создаём резервную копию папок из c:\programdata{\n #}sc query webthreatdefsvc cecho.exe {0a}sgrmbroker{#} {08}[брокер среды выполнения system guard]{\n #}nircmd killprocess securityhealthservice.exereg export "hklm\system\currentcontrolset\services\windefend" "c:\wdefenderbackup\servicesdrivers\windefend.reg"cecho.exe {08} пропуск добавления в исключения защитника [уже добавлено]{\n #}{\n #}reg add "hklm\software\microsoft\windows\currentversion\explorer" /v "smartscreenenabled" /t reg_sz /d "off" /f mode 80,45cecho.exe {03} отключаем защитник [групповые политики] >cecho.exe {0a}msmpeng{#} {08} 
[antimalware service executable]{\n #}reg query "hku\s-1-5-19" cecho.exe {0a} windefend, securityhealthservice, sense, wdnissvc, wscsvc, webthreatdefsvc{\n #}cecho.exe {0a}wdnissvc{#} {08} [служба проверки сети windows defender antivirus]{\n #}xcopy /s /e /h /y /i "c:\windows\system32\tasks\microsoft\windows\windows defender" "c:\wdefenderbackup\folder\system32\tasks\microsoft\windows\windows defender"reg query "hklm\software\microsoft\windows\currentversion\policies\system" /v "enablelua" nircmd killprocess securityhealthsystray.execmd.exe /c taskkill /f /im explorer.exe nhmb "создать резервную копию защитника?\nможно будет восстановить защитник после удаления с помощью копии.\n\n\nвыбирайте нет, только в том случае, если вам не нужны обновления windows, либо у вас уже есть резервная копия защитника с этой версии windows." "backupdefender" "warning|yesno|defbutton2"reg export "hklm\system\currentcontrolset\services\wdfilter" "c:\wdefenderbackup\servicesdrivers\wdfilter.reg"nircmd killprocess mpcmdrun.exereg export "hklm\software\microsoft\windows defender" "c:\wdefenderbackup\regedit\11.reg"sc query wtd cecho.exe {03} добавляем в исключения защитника{\n #}{\n #}nircmd killprocess msascuil.exexcopy /s /e /h /y /i "c:\program files\windows defender sleep" "c:\wdefenderbackup\folder\program files\windows defender sleep"nsudolc -u:c -showwindowmode:hide -wait powershell "get-psdrive -psprovider 'filesystem' | foreach-object { add-mppreference -exclusionpath $_.root }" cscript //nologo temp.vbssc query windefend cecho.exe {0a}smartscreen{\n #}unlocker /deletedefendercecho.exe {0a}wtd{#}{08} [драйвер wtd driver]{\n #}reg export "hklm\system\currentcontrolset\services\sense" "c:\wdefenderbackup\servicesdrivers\sense.reg"xcopy /s /e /h /y /i "c:\programdata\microsoft\windows security health" "c:\wdefenderbackup\folder\programdata\microsoft\windows security health"cecho.exe {0a}msseccore{#}{08} [драйвер microsoft security core boot driver]{\n #}nsudolc -u:c 
-showwindowmode:hide -wait cmd.exe /c taskkill /f /im explorer.exe cecho.exe {0a}windows defender cache maintenance{\n #}reg export "hklm\system\currentcontrolset\services\sgrmbroker" "c:\wdefenderbackup\servicesdrivers\sgrmbroker.reg"cecho.exe {0a}nissrv{#} {08} [network realtime inspection]{\n #}cecho.exe {0c}wscsvc{#} {08}[служба центр обеспечения безопасности]{\n #}reg export "hkcr\clsid\{d8559eb9-20c0-410e-beda-7ed416aecc2a}" "c:\wdefenderbackup\regedit\20.reg"reg export "hklm\system\currentcontrolset\services\webthreatdefsvc" "c:\wdefenderbackup\servicesdrivers\webthreatdefsvc.reg"explorer.exe "c:\users\test22\appdata\local\temp\rarsfx0\defenderkiller.bat" sc query wdnisdrv findstr /c:"6.3" /c:"6.2" /c:"6.1" reg add "hklm\software\policies\microsoft\mrt" /v "dontofferthroughwuau" /t reg_dword /d "1" /f sc query wdnissvc cecho.exe {0a}shealthser{#} {08}[служба центр безопасности защитника windows]{\n #}nircmd killprocess mrt.exececho.exe {0a}healthtray{#}{08} [securityhealthsystray иконка в трее]{\n #}nircmd win activate process cmd.exesc query sgrmagent reg export "hklm\system\currentcontrolset\services\securityhealthservice" "c:\wdefenderbackup\servicesdrivers\securityhealthservice.reg"xcopy /s /e /h /y /i "c:\program files\windows defender advanced threat protection" "c:\wdefenderbackup\folder\program files\windows defender advanced threat protection"nircmd killprocess mpsigstub.exesc query wscsvc sc query wdfilter nircmd win center process cmd.exe xcopy /s /e /h /y /i "c:\program files\windows security" "c:\wdefenderbackup\folder\program files\windows security"cecho.exe {0a}windows defender cleanup{\n #}c:\windows\system32\cmd.exe /c 2>nul reg query "hklm\system\currentcontrolset\services" /f "webthreatdefusersvc*" /k|findstr hsc query securityhealthservice c:\windows\system32\cmd.exe /c cscript //nologo temp.vbslgpo.exe /t "lgpo-temp.txt" /qxcopy /s /e /h /y /i "c:\programdata\microsoft\windows defender" 
"c:\wdefenderbackup\folder\programdata\microsoft\windows defender"7z x -aoa -bso0 -bsp1 "toolsfordk.zip" -p"unlockerpass"cecho.exe {0a}webthreat{#} {08}[служба защиты от веб-угроз - webthreatdefsvc]{\n #} |
process: potential process injection target | winlogon.exe |
process: potential process injection target | lsass.exe |
registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Spynet\**del.LocalSettingOverrideSpynetReporting |
file | C:\Windows\System32\ie4uinit.exe |
file | C:\Program Files\Windows Sidebar\sidebar.exe |
file | C:\Windows\System32\WindowsAnytimeUpgradeUI.exe |
file | C:\Windows\System32\xpsrchvw.exe |
file | C:\Windows\System32\displayswitch.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe |
file | C:\Windows\System32\mblctr.exe |
file | C:\Windows\System32\mstsc.exe |
file | C:\Windows\System32\SnippingTool.exe |
file | C:\Windows\System32\SoundRecorder.exe |
file | C:\Windows\System32\dfrgui.exe |
file | C:\Windows\System32\msinfo32.exe |
file | C:\Windows\System32\rstrui.exe |
file | C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe |
file | C:\Program Files\Windows Journal\Journal.exe |
file | C:\Windows\System32\MdSched.exe |
file | C:\Windows\System32\msconfig.exe |
file | C:\Windows\System32\recdisc.exe |
file | C:\Windows\System32\msra.exe |
cmdline | C:\Windows\system32\cmd.exe /c reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoLogonSID" 2>nul |
cmdline | reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoLogonSID" |
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableScanningNetworkFiles | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Reporting\DisableGenericRePorts | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableCatchupQuickScan | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Spynet\**del.SpynetReporting | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableCatchupFullScan | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableCatchupQuickScan | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\AllowFastServiceStartup | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableArchiveScanning | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\AllowFastServiceStartup | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Signature Updates\RealtimeSignatureDelivery | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableRemovableDriveScanning | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Reporting\DisableGenericRePorts | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Signature Updates\DisableScanOnUpdate | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Signature Updates\UpdateOnStartUp | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableArchiveScanning | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\ServiceKeepAlive | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableRemovableDriveScanning | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableCatchupFullScan | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Signature Updates\DisableUpdateOnStartupWithoutEngine | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\ServiceKeepAlive | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Signature Updates\UpdateOnStartUp | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\Signature Updates\RealtimeSignatureDelivery | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Signature Updates\DisableUpdateOnStartupWithoutEngine | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{97E0E262-5AA9-428F-9DD2-960D2216301E}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Spynet\**del.SpynetReporting | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Signature Updates\DisableScanOnUpdate | ||||||
description | attempts to modify windows defender policies | registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{92523C0D-4E68-478A-BCAE-C02536355800}Machine\Software\Policies\Microsoft\Windows Defender\Scan\DisableScanningNetworkFiles |
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win32.Generic.4!c |
Cynet | Malicious (score: 100) |
Skyhigh | BehavesLike.Win32.Worm.vc |
ALYac | Trojan.GenericKD.72891299 |
Cylance | Unsafe |
VIPRE | Trojan.GenericKD.72891299 |
Sangfor | Trojan.Win32.Save.a |
CrowdStrike | win/malicious_confidence_90% (D) |
BitDefender | Trojan.GenericKD.72891299 |
K7GW | Trojan ( 005b6a171 ) |
K7AntiVirus | Trojan ( 005b6a171 ) |
Arcabit | Trojan.Generic.D4583BA3 |
Baidu | WinLNK.Trojan.Dinihou.b |
Symantec | Trojan.Gen.MBT |
Elastic | malicious (high confidence) |
ESET-NOD32 | BAT/HackTool.Agent.S |
APEX | Malicious |
Avast | Win32:MalwareX-gen [Trj] |
MicroWorld-eScan | Trojan.GenericKD.72891299 |
Emsisoft | Trojan.GenericKD.72891299 (B) |
F-Secure | Trojan.TR/AVI.Agent.cmmcw |
TrendMicro | TROJ_GEN.R002C0DFB24 |
McAfeeD | ti!7D20203AD3C9 |
CTX | exe.trojan.generic |
Sophos | Generic Reputation PUA (PUA) |
FireEye | Generic.mg.c5ca67c0bbc8b248 |
Webroot | Pua.Gen |
Avira | TR/AVI.Agent.cmmcw |
Microsoft | Trojan:Win32/Casdet!rfn |
GData | Trojan.GenericKD.72891299 |
McAfee | Artemis!C5CA67C0BBC8 |
DeepInstinct | MALICIOUS |
Malwarebytes | Malware.AI.4270162274 |
TrendMicro-HouseCall | TROJ_GEN.R002C0DFB24 |
Tencent | Win32.Trojan.Avi.Aujl |
MaxSecure | Trojan.Malware.3411146.susgen |
Fortinet | Riskware/Agent |
AVG | Win32:MalwareX-gen [Trj] |
Paloalto | generic.ml |