| ZeroBOX

av.exe "C:\Users\test22\AppData\Local\Temp\av.exe"
2544
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\DefenderKiller.bat" "
  2620
  - chcp.com chcp 866
    2692
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\test22\AppData\Local\Temp\RarSFX0\" "
    2768
  - findstr.exe findstr /c:"(" /c:")"
    2804
  - reg.exe reg query "HKU\S-1-5-19"
    2860
  - cmd.exe C:\Windows\system32\cmd.exe /c reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoLogonSID" 2>nul
    2916
    - reg.exe reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoLogonSID"
      2964
  - NSudoLC.exe NSudoLC -U:T -P:E -UseCurrentConsole "C:\Users\test22\AppData\Local\Temp\RarSFX0\DefenderKiller.bat"
    3008
  - cmd.exe C:\Windows\system32\cmd.exe /c 2>nul reg query "HKLM\System\CurrentControlSet\Services" /f "webthreatdefusersvc*" /k|findstr H
    812
    - reg.exe reg query "HKLM\System\CurrentControlSet\Services" /f "webthreatdefusersvc*" /k
      1384
    - findstr.exe findstr H
      2108
  - mode.com Mode 80,45
    148
  - nircmd.exe nircmd win center process cmd.exe
    2232
  - nircmd.exe nircmd win settext foreground "DK"
    2272
  - reg.exe reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
    2460
  - find.exe find /i "0x0"
    2484
  - sc.exe sc query WinDefend
    2604
  - sc.exe sc query WdNisSvc
    2724
  - sc.exe sc query Sense
    2840
  - sc.exe sc query wscsvc
    2912
  - sc.exe sc query SgrmBroker
    2980
  - sc.exe sc query SecurityHealthService
    2920
  - sc.exe sc query webthreatdefsvc
    1964
  - sc.exe sc query webthreatdefusersvc
    1356
  - sc.exe sc query WdNisDrv
    2220
  - sc.exe sc query WdBoot
    2352
  - sc.exe sc query WdFilter
    2480
  - sc.exe sc query SgrmAgent
    2652
  - sc.exe sc query wtd
    2824
  - sc.exe sc query MsSecWfp
    2944
  - sc.exe sc query MsSecFlt
    2856
  - sc.exe sc query MsSecCore
    2956
  - cecho.exe cecho.exe {03}Состояние процессов защитника:{\n #}
    2056
  - cecho.exe cecho.exe {0a}SmartScreen{\n #}
    2268
  - cecho.exe cecho.exe {0a}MsMpEng{#} {08} [Antimalware Service Executable]{\n #}
    2584
  - cecho.exe cecho.exe {0a}SgrmBroker{#} {08}[Брокер среды выполнения System Guard]{\n #}
    2788
  - cecho.exe cecho.exe {0a}uhssvc{#} {08} [Microsoft Update Health Service]{\n #}
    2756
  - cecho.exe cecho.exe {0a}NisSrv{#} {08} [Network Realtime Inspection]{\n #}
    3012
  - cecho.exe cecho.exe {0a}MpCmdRun{#} {08} [Microsoft malware protection]{\n #}
    2248
  - cecho.exe cecho.exe {0a}MPSigStub{#}{08} [Malware Protection Signature Update Stub]{\n #}
    2576
  - cecho.exe cecho.exe {0a}SHealthUI{#}{08} [Безопасность Windows]{\n #}
    2836
  - cecho.exe cecho.exe {0a}HealthTray{#}{08} [SecurityHealthSystray иконка в трее]{\n #}
    908
  - cecho.exe cecho.exe {0a}HealthServ{#}{08} [SecurityHealthService]{\n #}
    2440
  - cecho.exe cecho.exe {0a}HealthHost{#}{08} [SecurityHealthHost]{\n #}{\n #}
    2852
  - cecho.exe cecho.exe {03}Состояние служб и драйверов защитника:{\n #}
    192
  - cecho.exe cecho.exe {0a}webthreat{#} {08}[Служба защиты от Веб-угроз - webthreatdefsvc]{\n #}
    2640
  - cecho.exe cecho.exe {0a}webthreatu{#} {08}[Служба защиты пользоват. от Веб-угроз - webthreatdefusersvc]{\n #}
    1336
  - cecho.exe cecho.exe {0c}WinDefend{#} {08} [Служба Антивирусная программа Защитника Windows]{\n #}
    2504
  - cecho.exe cecho.exe {0a}WdNisSvc{#} {08} [Служба проверки сети Windows Defender Antivirus]{\n #}
    2632
  - cecho.exe cecho.exe {0a}Sense{#} {08} [Служба Advanced Threat Protection]{\n #}
    3100
  - cecho.exe cecho.exe {0c}wscsvc{#} {08}[Служба Центр обеспечения безопасности]{\n #}
    3144
  - cecho.exe cecho.exe {0a}SgrmBroker{#} {08}[Служба Брокер мониторинга среды выполнения System Guard]{\n #}
    3188
  - cecho.exe cecho.exe {0a}SHealthSer{#} {08}[Служба Центр безопасности Защитника Windows]{\n #}
    3232
  - cecho.exe cecho.exe {0a}WdNisDrv{#} {08}[Драйвер WD Network Inspection Driver]{\n #}
    3276
  - cecho.exe cecho.exe {0a}WdBoot{#} {08}[Драйвер WD Antivirus Boot Driver]{\n #}
    3320
  - cecho.exe cecho.exe {0a}WdFilter{#}{08} [Драйвер WD Antivirus Mini-Filter Driver]{\n #}
    3364
  - cecho.exe cecho.exe {0a}SgrmAgent{#}{08} [Драйвер System Guard Runtime Monitor Agent Driver]{\n #}
    3408
  - cecho.exe cecho.exe {0a}wtd{#}{08} [Драйвер WTD Driver]{\n #}
    3452
  - cecho.exe cecho.exe {0a}MsSecWfp{#}{08} [Драйвер Microsoft Security WFP Callout Driver]{\n #}
    3496
  - cecho.exe cecho.exe {0a}MsSecFlt{#}{08} [Драйвер Security Events Component Minifilter]{\n #}
    3540
  - cecho.exe cecho.exe {0a}MsSecCore{#}{08} [Драйвер Microsoft Security Core Boot Driver]{\n #}
    3584
  - cecho.exe cecho.exe {03}Состояние заданий в планировщике:{\n #}
    3628
  - cecho.exe cecho.exe {0a}Windows Defender Cache Maintenance{\n #}
    3672
  - cecho.exe cecho.exe {0a}Windows Defender Scheduled Scan{\n #}
    3716
  - cecho.exe cecho.exe {0a}Windows Defender Verification{\n #}
    3760
  - cecho.exe cecho.exe {0a}Windows Defender Cleanup{\n #}
    3804
  - cecho.exe cecho.exe {0a}SmartScreenSpecific{\n #}
    3848
  - reg.exe reg delete "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /f
    3892
  - cmd.exe C:\Windows\system32\cmd.exe /c cscript //nologo temp.vbs
    3936
    - cscript.exe cscript //nologo temp.vbs
      3980
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ver "
    3076
  - findstr.exe findstr /c:"6.3" /c:"6.2" /c:"6.1"
    3132
  - nircmd.exe nircmd win activate process cmd.exe
    3204
  - nhmb.exe nhmb "Создать резервную копию Защитника?\nМожно будет восстановить защитник после удаления с помощью копии.\n\n\nВыбирайте нет, только в том случае, если Вам НЕ нужны обновления Windows, либо у Вас уже есть резервная копия защитника с этой версии Windows." "BackupDefender" "Warning|YesNo|DefButton2"
    3260
  - cecho.exe cecho.exe {03} Добавляем в исключения Защитника{\n #}{\n #}
    3448
  - NSudoLC.exe NSudoLC -U:C -ShowWindowMode:Hide -Wait PowerShell "Get-PSDrive -PSProvider 'FileSystem' | ForEach-Object { Add-MpPreference -ExclusionPath $_.Root }"
    3512
    - PowerShell.exe PowerShell "Get-PSDrive -PSProvider 'FileSystem' | ForEach-Object { Add-MpPreference -ExclusionPath $_.Root }"
      3568
  - timeout.exe timeout /t 2 /nobreak
    4036
  - 7z.exe 7z e -aoa -bso0 -bsp1 "ToolsForDK.zip" -p"UnlockerPass" "DefenderStopx64.exe" "Unlocker.exe"
    3112
  - cecho.exe cecho.exe {03} Используем DefenderStop x64 3 раза для отключения служб защитника{\n #}{\n #}
    1864
  - nircmd.exe nircmd exec hide DefenderStopx64
    3200
    - DefenderStopx64.exe DefenderStopx64
      3368
  - nircmd.exe nircmd exec hide DefenderStopx64
    3392
    - DefenderStopx64.exe DefenderStopx64
      740
  - nircmd.exe nircmd exec hide DefenderStopx64
    936
    - DefenderStopx64.exe DefenderStopx64
      776
  - cecho.exe cecho.exe {03} Используем Unlocker для разблокировки папок защитника{\n #}{\n #}
    3612
  - Unlocker.exe Unlocker /unlock "C:\ProgramData\Microsoft\Windows Defender" "C:\Program Files\Windows Defender" "C:\Program Files (x86)\Windows Defender"
    3688
  - cecho.exe cecho.exe {02} Создаём резервную копию папок из C:\ProgramData{\n #}
    3348
  - xcopy.exe xcopy /s /e /h /y /i "C:\ProgramData\Microsoft\Windows Defender" "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender"
    3396
  - xcopy.exe xcopy /s /e /h /y /i "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender Advanced Threat Protection"
    1668
  - xcopy.exe xcopy /s /e /h /y /i "C:\ProgramData\Microsoft\Windows Security Health" "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Security Health"
    416
  - xcopy.exe xcopy /s /e /h /y /i "C:\ProgramData\Microsoft\Storage Health" "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Storage Health"
    3692
  - timeout.exe timeout /t 2 /nobreak
    3676
  - cmd.exe C:\Windows\system32\cmd.exe /c ver
    3940
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /b "C:\WDefenderBackup\Folder\ProgramData\Microsoft\Windows Defender" "
    3264
  - findstr.exe findstr /r "^"
    3684
  - cecho.exe cecho.exe {02} Создаём резервную копию папок из C:\Program Files (x86) и C:\Program Files (x86){\n #}
    1380
  - reg.exe reg add "HKLM\Software\DefenderKiller" /f
    1560
  - xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Windows Defender" "C:\WDefenderBackup\Folder\Program Files\Windows Defender"
    3624
  - xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Windows Defender Sleep" "C:\WDefenderBackup\Folder\Program Files\Windows Defender Sleep"
    1996
  - xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Windows Defender Advanced Threat Protection" "C:\WDefenderBackup\Folder\Program Files\Windows Defender Advanced Threat Protection"
    1244
  - xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Windows Security" "C:\WDefenderBackup\Folder\Program Files\Windows Security"
    3712
  - xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\PCHealthCheck" "C:\WDefenderBackup\Folder\Program Files\PCHealthCheck"
    3876
  - xcopy.exe xcopy /s /e /h /y /i "C:\Program Files\Microsoft Update Health Tools" "C:\WDefenderBackup\Folder\Program Files\Microsoft Update Health Tools"
    1848
  - xcopy.exe xcopy /s /e /h /y /i "C:\Program Files (x86)\Windows Defender" "C:\WDefenderBackup\Folder\Program Files (x86)\Windows Defender"
    1656
  - xcopy.exe xcopy /s /e /h /y /i "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" "C:\WDefenderBackup\Folder\Program Files (x86)\Windows Defender Advanced Threat Protection"
    1800
  - cecho.exe cecho.exe {02} Создаём резервную копию папок из System32 и SysWOW64{\n #}
    376
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\security\database" "C:\WDefenderBackup\Folder\Windows\security\database"
    1608
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\HealthAttestationClient" "C:\WDefenderBackup\Folder\System32\HealthAttestationClient"
    3580
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\SecurityHealth" "C:\WDefenderBackup\Folder\System32\SecurityHealth"
    1788
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\WebThreatDefSvc" "C:\WDefenderBackup\Folder\System32\WebThreatDefSvc"
    2344
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\Sgrm" "C:\WDefenderBackup\Folder\System32\Sgrm"
    3728
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" "C:\WDefenderBackup\Folder\System32\WindowsPowerShell\v1.0\Modules\Defender"
    3756
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\WDefenderBackup\Folder\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
    3120
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" "C:\WDefenderBackup\Folder\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender"
    2296
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\drivers\wd" "C:\WDefenderBackup\Folder\System32\drivers\wd"
    772
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" "C:\WDefenderBackup\Folder\System32\Tasks\Microsoft\Windows\Windows Defender"
    3280
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" "C:\WDefenderBackup\Folder\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender"
    1888
  - xcopy.exe xcopy /s /e /h /y /i "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" "C:\WDefenderBackup\Folder\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance"
    4124
  - cecho.exe cecho.exe {02} Создаём резервную копию файлов из System32 и SysWOW64{\n #}
    4168
  - cecho.exe cecho.exe {02} Создаём резервную копию папок из WinSxS{\n #}
    4236
  - xcopy.exe xcopy "C:\Windows\WinSxS\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea" "C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea" /I /E /H /Y
    4280
  - xcopy.exe xcopy "C:\Windows\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306" "C:\WDefenderBackup\Folder\WinSxS\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306" /I /E /H /Y
    4332
  - xcopy.exe xcopy "C:\Windows\WinSxS\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167" "C:\WDefenderBackup\Folder\WinSxS\wow64_security-malware-windows-defender_31bf3856ad364e35_6.1.7600.16385_none_be064cc3a640e167" /I /E /H /Y
    4376
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\EventLog\System\WinDefend" "C:\WDefenderBackup\ServicesDrivers\WinDefendEvent.reg"
    4420
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\SecurityHealthService" "C:\WDefenderBackup\ServicesDrivers\SecurityHealthService.reg"
    4464
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\Sense" "C:\WDefenderBackup\ServicesDrivers\Sense.reg"
    4508
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\WdNisSvc" "C:\WDefenderBackup\ServicesDrivers\WdNisSvc.reg"
    4552
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\WinDefend" "C:\WDefenderBackup\ServicesDrivers\WinDefend.reg"
    4600
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\wscsvc" "C:\WDefenderBackup\ServicesDrivers\wscsvc.reg"
    4644
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\SgrmBroker" "C:\WDefenderBackup\ServicesDrivers\SgrmBroker.reg"
    4688
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\webthreatdefsvc" "C:\WDefenderBackup\ServicesDrivers\webthreatdefsvc.reg"
    4732
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc" "C:\WDefenderBackup\ServicesDrivers\webthreatdefusersvc.reg"
    4776
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\WdNisDrv" "C:\WDefenderBackup\ServicesDrivers\WdNisDrv.reg"
    4820
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\WdBoot" "C:\WDefenderBackup\ServicesDrivers\WdBoot.reg"
    4864
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\WdFilter" "C:\WDefenderBackup\ServicesDrivers\WdFilter.reg"
    4908
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\SgrmAgent" "C:\WDefenderBackup\ServicesDrivers\SgrmAgent.reg"
    4952
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\wtd" "C:\WDefenderBackup\ServicesDrivers\wtd.reg"
    4996
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\MsSecWfp" "C:\WDefenderBackup\ServicesDrivers\MsSecWfp.reg"
    5040
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\MsSecFlt" "C:\WDefenderBackup\ServicesDrivers\MsSecFlt.reg"
    5084
  - reg.exe reg export "HKLM\System\CurrentControlSet\Services\MsSecCore" "C:\WDefenderBackup\ServicesDrivers\MsSecCore.reg"
    1644
  - reg.exe reg export "HKCR\*\shellex\ContextMenuHandlers\EPP" "C:\WDefenderBackup\RegEdit\1.reg"
    4128
  - reg.exe reg export "HKCR\Directory\shellex\ContextMenuHandlers\EPP" "C:\WDefenderBackup\RegEdit\2.reg"
    4172
  - reg.exe reg export "HKCR\Drive\shellex\ContextMenuHandlers\EPP" "C:\WDefenderBackup\RegEdit\3.reg"
    4292
  - reg.exe reg export "HKLM\Software\Classes\CLSID\{09A47860-11B0-4DA5-AFA5-26D86198A780}" "C:\WDefenderBackup\RegEdit\4.reg"
    4336
  - reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" "C:\WDefenderBackup\RegEdit\5.reg"
    4452
  - reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "C:\WDefenderBackup\RegEdit\6.reg"
    4524
  - reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" "C:\WDefenderBackup\RegEdit\7.reg"
    4580
  - reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender" "C:\WDefenderBackup\RegEdit\8.reg"
    4664
  - reg.exe reg export "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" "C:\WDefenderBackup\RegEdit\9.reg"
    4728
  - reg.exe reg export "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderAuditLogger" "C:\WDefenderBackup\RegEdit\10.reg"
    4788
  - reg.exe reg export "HKLM\Software\Microsoft\Windows Defender" "C:\WDefenderBackup\RegEdit\11.reg"
    4824
  - reg.exe reg export "HKLM\Software\Microsoft\Windows Defender Security Center" "C:\WDefenderBackup\RegEdit\12.reg"
    4940
  - reg.exe reg export "HKLM\Software\Microsoft\Windows Advanced Threat Protection" "C:\WDefenderBackup\RegEdit\13.reg"
    5016
  - reg.exe reg export "HKLM\Software\Microsoft\Windows Security Health" "C:\WDefenderBackup\RegEdit\14.reg"
    5068
  - reg.exe reg export "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" "C:\WDefenderBackup\RegEdit\15.reg"
    4120
  - reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" "C:\WDefenderBackup\RegEdit\16.reg"
    4232
  - reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" "C:\WDefenderBackup\RegEdit\17.reg"
    4028
  - reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\NIS-Driver-WFP/Diagnostic" "C:\WDefenderBackup\RegEdit\18.reg"
    4396
  - reg.exe reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" "C:\WDefenderBackup\RegEdit\19.reg"
    4504
  - reg.exe reg export "HKCR\CLSID\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" "C:\WDefenderBackup\RegEdit\20.reg"
    4616
  - cecho.exe cecho.exe {08} Резервная копия создана в {09}C:\WDefenderBackup{\n #}{\n #}
    4656
  - reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d 5 /f
    4848
  - nircmd.exe nircmd killprocess SecHealthUI.exe
    4968
  - cecho.exe cecho.exe {03} Отключаем защитник [групповые политики] >
    5088
  - taskkill.exe taskkill /f /im mmc.exe
    4248
  - cecho.exe cecho.exe {04} Применение ГП{\n #}{\n #}
    1832
  - LGPO.exe LGPO.exe /t "LGPO-temp.txt" /q
    4660
  - nircmd.exe nircmd win activate process cmd.exe
    4892
  - reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    4200
  - NSudoLC.exe NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
    4352
    - cmd.exe cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
      4640
      - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
        4808
  - reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
    4348
  - NSudoLC.exe NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
    5036
    - cmd.exe cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
      4868
      - reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
        5156
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
    4572
  - reg.exe reg add "HKLM\Software\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
    4648
  - cecho.exe cecho.exe {08} Пропуск добавления в исключения Защитника [уже добавлено]{\n #}{\n #}
    5208
  - nircmd.exe nircmd killprocess MpCmdRun.exe
    5252
  - nircmd.exe nircmd killprocess MsMpEng.exe
    5296
  - nircmd.exe nircmd killprocess SecurityHealthSystray.exe
    5340
  - nircmd.exe nircmd killprocess SecurityHealthService.exe
    5384
  - nircmd.exe nircmd killprocess SecurityHealthHost.exe
    5428
  - nircmd.exe nircmd killprocess smartscreen.exe
    5472
  - nircmd.exe nircmd killprocess SgrmBroker.exe
    5560
  - nircmd.exe nircmd killprocess SecHealthUI.exe
    5628
  - nircmd.exe nircmd killprocess uhssvc.exe
    5672
  - nircmd.exe nircmd killprocess NisSrv.exe
    5716
  - nircmd.exe nircmd killprocess MPSigStub.exe
    5760
  - nircmd.exe nircmd killprocess MSASCuiL.exe
    5804
  - nircmd.exe nircmd killprocess MRT.exe
    5848
  - 7z.exe 7z x -aoa -bso0 -bsp1 "ToolsForDK.zip" -p"UnlockerPass"
    5892
  - cecho.exe cecho.exe {03} Используем DefenderStop x64 для отключения служб защитника{\n #}{\n #}
    5940
  - nircmd.exe nircmd exec hide DefenderStopx64.exe
    5984
    - DefenderStopx64.exe DefenderStopx64.exe
      6028
  - nircmd.exe nircmd exec hide DefenderStopx64.exe
    6084
    - DefenderStopx64.exe DefenderStopx64.exe
      6132
  - cecho.exe cecho.exe {0c} Выполняем удаление с помощью Unlocker by Eject{\n #}
    5160
  - nircmd.exe nircmd win settext foreground "DK"
    5212
  - NSudoLC.exe NSudoLC -U:C -ShowWindowMode:Hide -Wait cmd.exe /c taskkill /f /im explorer.exe
    5324
    - cmd.exe cmd.exe /c taskkill /f /im explorer.exe
      5404
      - taskkill.exe taskkill /f /im explorer.exe
        5552
  - timeout.exe timeout /t 1 /nobreak
    5648
  - Unlocker.exe Unlocker /DeleteDefender
    5676
  - cecho.exe cecho.exe {08} Папка "C:\ProgramData\Microsoft\Windows Defender" не удалилась с 1 раза{\n #}
    5888
  - cecho.exe cecho.exe {0c} Повторное удаление Защитника с помощью Unlocker{\n #}{\n #}
    5960
  - timeout.exe timeout /t 2 /nobreak
    6040
  - Unlocker.exe Unlocker /DeleteDefender
    6116
  - NSudoLC.exe NSudoLC -U:C -ShowWindowMode:Hide cmd.exe /c start explorer.exe
    6136
    - cmd.exe cmd.exe /c start explorer.exe
      5444
      - explorer.exe explorer.exe
        1240
  - taskkill.exe taskkill /f /im mmc.exe
    280
  - cecho.exe cecho.exe {04} Применение ГП{\n #}{\n #}
    5504
  - LGPO.exe LGPO.exe /t "LGPO-temp.txt" /q
    5744
  - nircmd.exe nircmd win activate process cmd.exe
    1064
  - cecho.exe cecho.exe {03} Удаляем папки и файлы Защитника{\n #}{\n #}
    5912
  - taskkill.exe taskkill /f /im smartscreen.exe
    6096
  - cecho.exe cecho.exe {03} Удаляем службы{\n #}
    5280
  - cecho.exe cecho.exe {0a} WinDefend, SecurityHealthService, Sense, WdNisSvc, wscsvc, webthreatdefsvc{\n #}
    5368
  - cecho.exe cecho.exe {0a} webthreatdefusersvc{\n #}{\n #}
    1640
  - sc.exe sc stop WinDefend
    1552

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents