shadowbq/.README.md

## .README.md

      
    Raw
  

              .README.md
            
          
    Microsoft Defender PowerShell and LUA delivery

Microsoft Defender for Endpoint ensures the integrity of the scripts it pushes and executes.
First, they ensure that the script to execute matches the expected file hash. Example:
powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command "& {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read);$calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803')) { exit 323;}; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' }"

Cleaned up PowerShell:
..see validation.ps1
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection is also only accessible by SYSTEM.
Also, each script is signed with a Microsoft Windows Defender Advanced Threat Protection certificate.
> Get-AuthenticodeSignature 046a3caf-d9ec-4da6-a32a-fb148992596a.ps1 | Select-Object -ExpandProperty SignerCertificate | Format-List *


EnhancedKeyUsageList : {Code Signing (1.3.6.1.5.5.7.3.3), 1.3.6.1.4.1.311.76.47.1}
DnsNameList          : {Microsoft Windows Defender Advanced Threat Protection}
SendAsTrustedIssuer  : False
Archived             : False
Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                       System.Security.Cryptography.Oid...}
FriendlyName         :
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 1/27/2022 3:50:22 PM
NotBefore            : 1/28/2021 3:50:22 PM
HasPrivateKey        : False
PrivateKey           :
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
RawData              : {48, 130, 6, 21...}
SerialNumber         : 3300000205FC5081544065EFB0000000000205
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Thumbprint           : 1FF064E13C25D7B5C83549F1562DD64181C4443A
Version              : 3
Handle               : 3221047460208
Issuer               : CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject              : CN=Microsoft Windows Defender Advanced Threat Protection, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Here is a link to 046a3caf-d9ec-4da6-a32a-fb148992596a.ps1 in VT: https://www.virustotal.com/gui/file/d871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803/details
And because the scripts are signed, tools such as Windows Defender Application Control (WDAC) policies can be applied.
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide
(example sipolicy.xml below)
Additional Information on Defender LUA Internals

https://tttang.com/archive/1798/ - Interesting Blog

https://github.com/hfiref0x/WDExtract (Extract Windows Defender database from vdm files and unpack it)
https://github.com/crisprss/Extracted_WD_VDM ( attempt to group extracted data from Defender for research purposes.)

in addition to a complete set of JS engine, Defender also has a Lua engine, which is responsible for the analysis and processing of ASR.
Looking at https://github.com/crisprss/Extracted_WD_VDM/blob/de1bf04c49223398f7aea641360dbe59e600b10a/asr/9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2.lua#L42 you can see path exclusions for exclusions_on_MDE.lua and more_exclusions_onmde.lua

  
## 046a3caf-d9ec-4da6-a32a-fb148992596a.ps1
function Get-MacFromIp
{
    param(
    [Parameter(Mandatory=$true)]
    [string]$RemoteIP
    )

    $arpTable = Get-NetNeighbor -IPAddress $RemoteIP -State Stale,Reachable -ErrorAction SilentlyContinue | Select-Object -First 1
    if($arpTable -ne $null)
    {
        $Mac = $arpTable.LinkLayerAddress
    }

    return $Mac
}

function Get-DefaultGatewayIpAddress
{
    param(
        [Parameter(Mandatory=$true)]
        [string]$LocalIp
    )

    $DefaultGatewayIp = $null
    try
    {
        $DefaultGatewayIps = (Get-wmiObject Win32_networkAdapterConfiguration -ErrorAction Stop | ?{$_.IPAddress -contains $LocalIp}  | Select-Object -ExpandProperty DefaultIPGateway)
        if($DefaultGatewayIps.count -gt 0)
        {
           return $DefaultGatewayIps
        }
    }
    catch
    { }

    try
    {
        $Index = Get-NetIPAddress -IPAddress $LocalIp -AddressFamily IPv4 | Select-Object -ExpandProperty InterfaceIndex
        $DefaultGatewayIps = Get-NetRoute -InterfaceIndex $Index | where {$_.DestinationPrefix -eq '0.0.0.0/0' -or $_.DestinationPrefix -eq "::/0"} | Select-Object -ExpandProperty NextHop
        return $DefaultGatewayIps
    }
    catch
    { }

    return $null
}


function Get-StaticRoutes
{
    param(
    [Parameter(Mandatory=$true)]
    [string]$Index
    )

    try
    {
        $StaticRoutes = Get-NetRoute -InterfaceIndex $Index | Where-Object -FilterScript { $_.DestinationPrefix -Ne "0.0.0.0/0" } | Where-Object -FilterScript { $_.NextHop -Ne "::" } | Where-Object -FilterScript { $_.NextHop -Ne "0.0.0.0" } | Where-Object -FilterScript { ($_.NextHop.SubString(0,6) -Ne "fe80::") } | Select-Object -ExpandProperty NextHop | Get-Unique
        return $StaticRoutes
    }
    catch
    { }

    return $null
}

function WriteEtw
{
    param(
        [Parameter(Mandatory=$true)]
        [AllowEmptyString()]
        [string]$Ip,
        [Parameter(Mandatory=$true)]
        [AllowEmptyString()]
        [string]$NetworkName,
        [Parameter(Mandatory=$true)]
        [byte]$IsStaticRoute,
        [Parameter(Mandatory=$true)]
        [AllowEmptyString()]
        [string]$NetworkAdapterId
        )

    try
    {
        if([string]::IsNullOrEmpty($Ip))
        {
            Write-Host "Cannot get Ip address"
            return $null
        }

        if([string]::IsNullOrEmpty($NetworkName))
        {
            Write-Host "Cannot get NetworkName"
            return $null
        }

        $Mac = Get-MacFromIp $Ip
        if([string]::IsNullOrEmpty($Mac))
        {
            Write-Host "Cannot get Mac address from Ip"
            return $null
        }

        $etw = New-Object "NdrCollectorDefaultGatewayDiscoveryEvent" -Property @{
            Ip = $Ip
            Mac = $Mac
            NetworkName = $NetworkName
            IsStaticRoute = $IsStaticRoute
            NetworkAdapterId = $NetworkAdapterId
            AdapterDefaultGatewaysMac = $Mac
        }

        $global:EtwProvider.Write("NdrCollectorDefaultGatewayDiscoveryEvent", $etw)
    }

    catch
    {
        Write-Host $_.Exception.ToString()
    }
}

[System.Diagnostics.Tracing.EventSource(Name = "Microsoft.Windows.NdrCollector", Guid = "ac39453b-eb9e-463f-b8ff-9c1a08b5931b")]
class NdrEventSource : System.Diagnostics.Tracing.EventSource
{
     NdrEventSource() : base([System.Diagnostics.Tracing.EventSourceSettings]::EtwSelfDescribingEventFormat -bOr [System.Diagnostics.Tracing.EventSourceSettings]::ThrowOnEventWriteErrors) { }
}

[System.Diagnostics.Tracing.EventData()]
class NdrCollectorDefaultGatewayDiscoveryEvent
{
    [string]$Ip
    [string]$Mac
    [string]$NetworkName
    [byte]$IsStaticRoute
    [string]$NetworkAdapterId
    [string]$AdapterDefaultGatewaysMac
}

$global:EtwProvider =  [NdrEventSource]::new()

try
{
    $Interfaces = Get-NetConnectionProfile

    foreach($Interface in $Interfaces)
    {
        $NetworkName = $Interface.Name
        $InterfaceIndex =  $Interface.InterfaceIndex
        $NetworkAdapterId = Get-NetAdapter -InterfaceIndex $InterfaceIndex | Select-Object -ExpandProperty InterfaceGuid
        # Default gateway
        $IpAddress = Get-NetIPAddress -InterfaceIndex $InterfaceIndex -AddressFamily IPv4 -ErrorAction Stop | Select-Object -First 1 -ExpandProperty IPAddress
        $DefaultGatewayIps = Get-DefaultGatewayIpAddress -LocalIp $IpAddress
        foreach($DefaultGatewayIp in $DefaultGatewayIps)
        {
            WriteEtw -Ip $DefaultGatewayIp -NetworkName $NetworkName -IsStaticRoute 0 -NetworkAdapterId $NetworkAdapterId
        }

        # Static Routes
        $StaticRoutes = Get-StaticRoutes -Index $InterfaceIndex
        foreach($StaticRoute in $StaticRoutes)
        {
            if ($DefaultGatewayIps  -NotContains $StaticRoute)
            {
                WriteEtw -Ip $StaticRoute -NetworkName $NetworkName -IsStaticRoute 1 -NetworkAdapterId $NetworkAdapterId
            }
        }
    }

}
catch
{
    Write-Host $_.Exception.ToString()
}
# SIG # Begin signature block
# MIIjnAYJKoZIhvcNAQcCoIIjjTCCI4kCAQExDzANBglghkgBZQMEAgEFADB5Bgor
# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAREpDm6HkxIr57
# 8Y/WT6uWm7fjVstZT6wLrKIUDp7WpqCCDZcwggYVMIID/aADAgECAhMzAAACBfxQ
# gVRAZe+wAAAAAAIFMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
# bmcgUENBIDIwMTEwHhcNMjEwMTI4MjA1MDIyWhcNMjIwMTI3MjA1MDIyWjCBlDEL
# MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
# bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE+MDwGA1UEAxM1TWlj
# cm9zb2Z0IFdpbmRvd3MgRGVmZW5kZXIgQWR2YW5jZWQgVGhyZWF0IFByb3RlY3Rp
# b24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnzN6cC9F7QPxy8wqh
# 5eFQnTNSt0TPHwPadl8S7eM/wydErhpJ5gZK78kbVQukIdryEqksULsPe7AyFCLV
# kQRo3mOJ3+YLDZeVrfnv4Mkt2wjTVMtrNupsA094qxu41YBxhm55pgu5++Ui3dzY
# OvRGHHTWPC8tOJxHUlE3seRL3qqvbIstmn8ZDYuj1tiSomcryC1zcnpU0q2MK/a2
# IpysugtxjurLV8FJ/qRPulJU9UrqbW1bIUlJcS/MYA08FeMcIkNmVAyjtrJw7vTS
# akU/MUTM6x3iFQ3lmRXTpj+Jgn4NY3qGVbgc5+4JzuM9tyFxwwFXJ5+PFZF4wvof
# HRl7AgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBggrBgEFBQcDAwYKKwYBBAGCN0wv
# ATAdBgNVHQ4EFgQUrcJFuzsm8YPzfqpbNi6hXOUVGsYwRQYDVR0RBD4wPKQ6MDgx
# HjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDUxODk0
# KzQ2NDEyMTAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8E
# TTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9N
# aWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBR
# BggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0
# cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAw
# DQYJKoZIhvcNAQELBQADggIBAFVuBClXQ4gA7LUrGgI9kwiXd3HPndMVVJqLjodr
# 8tr36KzA9fi3eVBD7W9ebooPfcrwFxcuf3+JB36GGd8FK3M102Z8OY0Ybb8Ox2G1
# Wtz5Cg/L4HOShHztzbOnSvmt/jLtS/LPS+6fFHkod0ylfxwuujdmSbu0QC7jqFbg
# +qZ5tNgZcMcFV7WWSwGxv6DQewrZ/P0BwggDHJ/7QrZETuDVKrVQvqvW67VIdr9j
# d17GByBDyOnQb6WOigUOqUXFtGCqD0MxL3PnPg2nMzRWMm3UcnPPwfZPKsH3D+wG
# 08r23pUR0gd7lSm3PtQhz0bNtsxqne4y5SibgdESt9+fA1ZHI4GZFSl7k9G1EDrv
# 5cBCJbiRKg7CBRKBBKtmsCjtiAaSeNtajJCtGhMbvLaGWIJa26OTDqEtCcY9bXnJ
# SZ6S0m7CJneg0/x5d++cCugRSyaKYNKc9NL9NIGiF4z5ZAOEMgHYlEhlg0DNJXcP
# eWG/z5xz0qydUEhkmX/rHRvvqxB62cGS/d+I1FmssN8kiOO3Mff+2+XNbKJj5vH9
# EgRUJ7mGQfw+7FsU4qc/OBQfNUtiTTK32vpQcdpk5SgqKvNnFUYvEfHNCpSQPqCb
# c9mNWsRhE34xjMpGAgcWLDto+xVDzton8PeIDxfRYPyzn1F77kcAGNFk/LBfB5lH
# 8v+vMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDEL
# MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
# bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWlj
# cm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4
# MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBD
# QSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3Y
# bqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUB
# FDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnbo
# MlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT
# +OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuy
# e4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEh
# NSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2
# z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3
# s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78Ic
# V9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E
# 11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5P
# M4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcV
# AQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3
# FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAf
# BgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBL
# hklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNS
# b29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggr
# BgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNS
# b29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsG
# AQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29t
# L3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwA
# ZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0G
# CSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDB
# ZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc
# 8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYq
# wooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu
# 5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWI
# UUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXh
# j38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yH
# PgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtI
# EJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4Guzq
# N5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgR
# MiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQ
# zTGCFVswghVXAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n
# dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y
# YXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEC
# EzMAAAIF/FCBVEBl77AAAAAAAgUwDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcN
# AQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUw
# LwYJKoZIhvcNAQkEMSIEIA0XJ9IOULb5ZRl6fjdzFyBKz4Lov573284oKzjqV/J3
# MEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRw
# Oi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEBBQAEggEAgprNLO3A6BNU
# CeOtBBvWr6QoG1lzIh4RUu5zF+PUICX3c1BiAFA9/fI0HSz5pQO34jZqL812gFdg
# 7K9gahdkzTM5YEY+Kw/cj3INF0V+Hmk3izA0XEauMdOHF8W2Fub63Zm1+V3O0RnY
# TURnn/QNYa5CpeY28P516jz7qnA5jVSC3/snHb2kqUSXPv5AC9rS6ZkLxo3hGpg/
# frytjVQyJK6IocGOZODI9pD392JxUaxX0F2M8xXS8hLFnUhIC99OEGTzHfthUIhG
# sjYQ58WqAIXjOXq+AEg2G8sZr/3SNPIrygPWAxs/++6HsYrRxMB7PuV1LAPbipZs
# rDY+qwDXeqGCEuUwghLhBgorBgEEAYI3AwMBMYIS0TCCEs0GCSqGSIb3DQEHAqCC
# Er4wghK6AgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAE
# ggE8MIIBOAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCAVbyIwLoFd
# 90CXAzchtum4L8NiSSDcynuS7MQyNFUXxQIGYUOpnlfVGBMyMDIxMTAxMTA1NDIy
# Ny44MThaMASAAgH0oIHQpIHNMIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
# aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
# cnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25z
# MSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjozQkJELUUzMzgtRTlBMTElMCMGA1UE
# AxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaCCDjwwggTxMIID2aADAgEC
# AhMzAAABT2QudfZ6A1qDAAAAAAFPMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYT
# AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
# VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBU
# aW1lLVN0YW1wIFBDQSAyMDEwMB4XDTIwMTExMjE4MjYwMloXDTIyMDIxMTE4MjYw
# MlowgcoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
# EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNV
# BAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxl
# cyBUU1MgRVNOOjNCQkQtRTMzOC1FOUExMSUwIwYDVQQDExxNaWNyb3NvZnQgVGlt
# ZS1TdGFtcCBTZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
# oxR3tWT2aCjsG+T9xO/7SB0mr4rYXzH/LCaHciW1CyB5a1J2sUngsTchSgd6S3Fj
# nckA8iQk0W6kapgtG0ng9Q309TyL+vwOhw7GdzYO890JQ4PwxJV5X0Gkr6d9nX0/
# VO+NjtH7yQu7AExHpwWs+34U10IpcI7h1X1OVqm0sR503IhVqZgGyXPQT7j/u6WF
# zFKUt2sBiWZPXARX1XPQtawOXKk+AriBDEsOB1ELCJuBBWw0zAUj0f4aS0lYKCN7
# qdU0zqe+qPYBrS/p0HFX1UzRNn37M6R8RAgPxbO168HGxBXtNNkR72tFgT24pGWm
# Xh0BBw4thGfTJbI8rT9q/QIDAQABo4IBGzCCARcwHQYDVR0OBBYEFI6N7tcWBhB+
# VZO/NcJk8TFf8qCgMB8GA1UdIwQYMBaAFNVjOlyKMZDzQ3t8RhvFM2hahW1VMFYG
# A1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3Js
# L3Byb2R1Y3RzL01pY1RpbVN0YVBDQV8yMDEwLTA3LTAxLmNybDBaBggrBgEFBQcB
# AQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kv
# Y2VydHMvTWljVGltU3RhUENBXzIwMTAtMDctMDEuY3J0MAwGA1UdEwEB/wQCMAAw
# EwYDVR0lBAwwCgYIKwYBBQUHAwgwDQYJKoZIhvcNAQELBQADggEBADwx5KscXOQy
# DnrK0Xs8m6KBX5eEMRpjQmukbtvr4C9uwusGQdEefJAZ4lpeQJoy6LyZSryXiST2
# nmIVO8FR3l8McH/pEZEGLhhRdp0ZCD/HZdqG+gHeMm9MHg/aOl+YUm+kmkAsg/2I
# 6EpQ+QIAOCgp7JtgLr2u8wZuRCIen4nuSzqjN655vzgJdlDpzW33xebIOr2hcuPD
# wdRTCVGeIK909svJBF5rBPe/tmY4yVG3BNa/r7Pm9b+sWcHn9XXLQU1FpFtb/2v+
# 1qjF7TSI6zh4wsLLB4cAH7pRe5rOBTtb/z2DzrrBxuKmyrzEYcQODJ6GA+4dYckn
# Cncb1Kzd5bkwggZxMIIEWaADAgECAgphCYEqAAAAAAACMA0GCSqGSIb3DQEBCwUA
# MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
# UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQD
# EylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0x
# MDA3MDEyMTM2NTVaFw0yNTA3MDEyMTQ2NTVaMHwxCzAJBgNVBAYTAlVTMRMwEQYD
# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
# b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w
# IFBDQSAyMDEwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqR0NvHcR
# ijog7PwTl/X6f2mUa3RUENWlCgCChfvtfGhLLF/Fw+Vhwna3PmYrW/AVUycEMR9B
# GxqVHc4JE458YTBZsTBED/FgiIRUQwzXTbg4CLNC3ZOs1nMwVyaCo0UN0Or1R4HN
# vyRgMlhgRvJYR4YyhB50YWeRX4FUsc+TTJLBxKZd0WETbijGGvmGgLvfYfxGwScd
# JGcSchohiq9LZIlQYrFd/XcfPfBXday9ikJNQFHRD5wGPmd/9WbAA5ZEfu/QS/1u
# 5ZrKsajyeioKMfDaTgaRtogINeh4HLDpmc085y9Euqf03GS9pAHBIAmTeM38vMDJ
# RF1eFpwBBU8iTQIDAQABo4IB5jCCAeIwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0O
# BBYEFNVjOlyKMZDzQ3t8RhvFM2hahW1VMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIA
# QwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2
# VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwu
# bWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEw
# LTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93
# d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYt
# MjMuY3J0MIGgBgNVHSABAf8EgZUwgZIwgY8GCSsGAQQBgjcuAzCBgTA9BggrBgEF
# BQcCARYxaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL1BLSS9kb2NzL0NQUy9kZWZh
# dWx0Lmh0bTBABggrBgEFBQcCAjA0HjIgHQBMAGUAZwBhAGwAXwBQAG8AbABpAGMA
# eQBfAFMAdABhAHQAZQBtAGUAbgB0AC4gHTANBgkqhkiG9w0BAQsFAAOCAgEAB+aI
# UQ3ixuCYP4FxAz2do6Ehb7Prpsz1Mb7PBeKp/vpXbRkws8LFZslq3/Xn8Hi9x6ie
# JeP5vO1rVFcIK1GCRBL7uVOMzPRgEop2zEBAQZvcXBf/XPleFzWYJFZLdO9CEMiv
# v3/Gf/I3fVo/HPKZeUqRUgCvOA8X9S95gWXZqbVr5MfO9sp6AG9LMEQkIjzP7QOl
# lo9ZKby2/QThcJ8ySif9Va8v/rbljjO7Yl+a21dA6fHOmWaQjP9qYn/dxUoLkSbi
# OewZSnFjnXshbcOco6I8+n99lmqQeKZt0uGc+R38ONiU9MalCpaGpL2eGq4EQoO4
# tYCbIjggtSXlZOz39L9+Y1klD3ouOVd2onGqBooPiRa6YacRy5rYDkeagMXQzafQ
# 732D8OE7cQnfXXSYIghh2rBQHm+98eEA3+cxB6STOvdlR3jo+KhIq/fecn5ha293
# qYHLpwmsObvsxsvYgrRyzR30uIUBHoD7G4kqVDmyW9rIDVWZeodzOwjmmC3qjeAz
# LhIp9cAvVCch98isTtoouLGp25ayp0Kiyc8ZQU3ghvkqmqMRZjDTu3QyS99je/WZ
# ii8bxyGvWbWu3EQ8l1Bx16HSxVXjad5XwdHeMMD9zOZN+w2/XU/pnR4ZOC+8z1gF
# Lu8NoFA12u8JJxzVs341Hgi62jbb01+P3nSISRKhggLOMIICNwIBATCB+KGB0KSB
# zTCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
# B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UE
# CxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVz
# IFRTUyBFU046M0JCRC1FMzM4LUU5QTExJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1l
# LVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAOgiDOKq0gc6nIzXh1J3Xil4
# KqvooIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
# bjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZI
# hvcNAQEFBQACBQDlDcuDMCIYDzIwMjExMDExMDQyODUxWhgPMjAyMTEwMTIwNDI4
# NTFaMHcwPQYKKwYBBAGEWQoEATEvMC0wCgIFAOUNy4MCAQAwCgIBAAICF3ICAf8w
# BwIBAAICEXwwCgIFAOUPHQMCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGE
# WQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUFAAOBgQCh
# oFimxUzGu64GmL5RD5AHiQpdAL94cNJqEb7ARLHE2xZaO20LNg4USdXuydHrcjd8
# UEv9neh2VtfaLImKaF1CJFVl3nUJcX+KtRFsCEOEJ9tzvYshtwxvDarf3jk2u5L/
# hzzf+FUcI0dI9iK3HjWeD9ZWetK3+mVEK8pS4frJJjGCAw0wggMJAgEBMIGTMHwx
# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1p
# Y3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABT2QudfZ6A1qDAAAAAAFP
# MA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQw
# LwYJKoZIhvcNAQkEMSIEIAsVoVDOCjCxT95Z/4ANUgMC6zfmoJumj1n9GIH28uL8
# MIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgAGcmEPaCWKTAxnIhbRhyekPP
# qvh5bTCNEMXGwQC1NwIwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
# IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0Eg
# MjAxMAITMwAAAU9kLnX2egNagwAAAAABTzAiBCC3XiqulD2Xl1Gm/Ec4ztWeOqay
# NcLBwGx8mpg+0NFk9TANBgkqhkiG9w0BAQsFAASCAQCTD9summ2IYCg8jVWg4/2L
# uVPTklPk6PvSXGzrrsUaAv1qM1pHAH36H+0t6bmaMtOrOaGsbtlOtBUGUrv+zAE2
# 1Ptl9zMuCbFmA8q4aiY77JEGuVcPwFZkvu21UmY9NYUxAfly1edQ5nmYY1t2ywJx
# WG9L0ATREh4HzLyKBfjlDhfe2j0Cy+9by9+rsbbLCFSZYgPg4st0gB0D/Zi+gXQm
# YHazoY/cdPEb5ETzePw1jbJo35mIewLayJywRVkseQjoGT+uQ6cwKLVBNSfL0xiW
# ma/1PTpf0gzNmyPOLtHUa0zR4zQZym9V5vZ+u7PVYiOXtlOz0MST7E2NWx3BPlU4
# SIG # End signature block

## exclusions_on_MDE.lua
-- https://tttang.com/archive/1798/
-- Decompiled using usadec 2.2

GetPathExclusions = function()
  -- function num : 0_2
  local l_3_0 = {}
  l_3_0["%commonprogramfiles%\\adobe"] = 2
  l_3_0["%commonprogramfiles%\\microsoft shared"] = 2
  l_3_0["%commonprogramfiles(x86)%\\adobe"] = 2
  l_3_0["%commonprogramfiles(x86)%\\microsoft shared"] = 2
  l_3_0["%programdata%\\app-v"] = 2
  l_3_0["%programfiles%\\acrobat"] = 2
  l_3_0["%programfiles%\\adobe"] = 2
  l_3_0["%programfiles%\\firefox developer edition"] = 2
  l_3_0["%programfiles%\\foxit software"] = 2
  l_3_0["%programfiles%\\google"] = 2
  l_3_0["%programfiles%\\internet explorer"] = 2
  l_3_0["%programfiles%\\microsoft application virtualization\\client\\subsystems\\appvdllsurrogate32.exe"] = 2
  l_3_0["%programfiles%\\microsoft application virtualization\\client\\subsystems\\appvdllsurrogate64.exe"] = 2
  l_3_0["%programfiles%\\microsoft office 15"] = 2
  l_3_0["%programfiles%\\microsoft office 2003"] = 2
  l_3_0["%programfiles%\\microsoft office 2010"] = 2
  l_3_0["%programfiles%\\microsoft office 2016"] = 2
  l_3_0["%programfiles%\\microsoft office"] = 2
  l_3_0["%programfiles%\\microsoft office2003"] = 2
  l_3_0["%programfiles%\\microsoft office2007"] = 2
  l_3_0["%programfiles%\\microsoft office\\2010"] = 2
  l_3_0["%programfiles%\\microsoft office\\live meeting 8"] = 2
  l_3_0["%programfiles%\\microsoft office\\office"] = 2
  l_3_0["%programfiles%\\microsoft office\\office10"] = 2
  l_3_0["%programfiles%\\microsoft office\\office11"] = 2
  l_3_0["%programfiles%\\microsoft office\\office12"] = 2
  l_3_0["%programfiles%\\microsoft office\\office13"] = 2
  l_3_0["%programfiles%\\microsoft office\\office14"] = 2
  l_3_0["%programfiles%\\microsoft office\\office15"] = 2
  l_3_0["%programfiles%\\microsoft office\\office16"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\2010"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\client\\appvdllsurrogate32.exe"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\client\\appvdllsurrogate64.exe"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\live meeting 8"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\office"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\office10"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\office11"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\office12"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\office13"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\office14"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\office15"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\office16"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\updates"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\vfs"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\visio"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\visio10"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\visio11"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\visio12"] = 2
  l_3_0["%programfiles%\\microsoft office\\root\\visio13"] = 2
  l_3_0["%programfiles%\\microsoft office\\updates"] = 2
  l_3_0["%programfiles%\\microsoft office\\vfs"] = 2
  l_3_0["%programfiles%\\microsoft office\\visio"] = 2
  l_3_0["%programfiles%\\microsoft office\\visio10"] = 2
  l_3_0["%programfiles%\\microsoft office\\visio11"] = 2
  l_3_0["%programfiles%\\microsoft office\\visio12"] = 2
  l_3_0["%programfiles%\\microsoft office\\visio13"] = 2
  l_3_0["%programfiles%\\microsoft security client"] = 2
  l_3_0["%programfiles%\\mozilla firefox"] = 2
  l_3_0["%programfiles%\\opera"] = 2
  l_3_0["%programfiles%\\reader"] = 2
  l_3_0["%programfiles%\\sogouinput"] = 2
  l_3_0["%programfiles%\\tencent"] = 2
  l_3_0["%programfiles%\\ucbrowser"] = 2
  l_3_0["%programfiles%\\winrar"] = 2
  l_3_0["%programfiles%\\winzip"] = 2
  l_3_0["%programfiles%\\Microsoft\\Edge\\Application"] = 2
  l_3_0["%programfiles%\\Microsoft\\Edge\\Application\\msedge.exe"] = 2
  l_3_0["%programfiles%\\Microsoft\\Edge Dev\\Application\\msedge.exe"] = 2
  l_3_0["%programfiles%\\Microsoft\\Edge Beta\\Application\\msedge.exe"] = 2
  l_3_0["%programfiles%\\Microsoft\\Edge\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programfiles%\\Microsoft\\Edge Dev\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programfiles%\\Microsoft\\Edge Beta\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programfiles%\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programfiles(x86)%\\acrobat"] = 2
  l_3_0["%programfiles(x86)%\\acrobat dc"] = 2
  l_3_0["%programfiles(x86)%\\adobe"] = 2
  l_3_0["%programfiles(x86)%\\firefox developer edition"] = 2
  l_3_0["%programfiles(x86)%\\foxit software"] = 2
  l_3_0["%programfiles(x86)%\\google"] = 2
  l_3_0["%programfiles(x86)%\\internet explorer"] = 2
  l_3_0["%programfiles(x86)%\\microsoft application virtualization\\client\\subsystems\\appvdllsurrogate32.exe"] = 2
  l_3_0["%programfiles(x86)%\\microsoft application virtualization\\client\\subsystems\\appvdllsurrogate64.exe"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office 15"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office 2003"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office 2010"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office 2016"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office2003"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office2007"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\2010"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\live meeting 8"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\office"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\office10"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\office11"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\office12"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\office13"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\office14"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\office15"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\office16"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\2010"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\client\\appvdllsurrogate32.exe"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\client\\appvdllsurrogate64.exe"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\live meeting 8"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\office"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\office10"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\office11"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\office12"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\office13"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\office14"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\office15"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\office16"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\updates"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\vfs"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio10"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio11"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio12"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio13"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\updates"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\vfs"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\visio"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\visio10"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\visio11"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\visio12"] = 2
  l_3_0["%programfiles(x86)%\\microsoft office\\visio13"] = 2
  l_3_0["%programfiles(x86)%\\microsoft security client"] = 2
  l_3_0["%programfiles(x86)%\\mozilla firefox"] = 2
  l_3_0["%programfiles(x86)%\\opera"] = 2
  l_3_0["%programfiles(x86)%\\reader"] = 2
  l_3_0["%programfiles(x86)%\\sogouinput"] = 2
  l_3_0["%programfiles(x86)%\\tencent"] = 2
  l_3_0["%programfiles(x86)%\\ucbrowser"] = 2
  l_3_0["%programfiles(x86)%\\winrar"] = 2
  l_3_0["%programfiles(x86)%\\winzip"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\Edge\\Application"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\Edge Dev\\Application\\msedge.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\Edge Beta\\Application\\msedge.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\Edge\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\Edge Dev\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\Edge Beta\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programW6432%\\Microsoft\\Edge\\Application\\msedge.exe"] = 2
  l_3_0["%programW6432%\\Microsoft\\Edge Dev\\Application\\msedge.exe"] = 2
  l_3_0["%programW6432%\\Microsoft\\Edge Beta\\Application\\msedge.exe"] = 2
  l_3_0["%programW6432%\\Microsoft\\Edge\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programW6432%\\Microsoft\\Edge Dev\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programW6432%\\Microsoft\\Edge Beta\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programW6432%\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe"] = 2
  l_3_0["%programfiles(x86)%\\BraveSoftware\\Brave-Browser\\Application\\brave.exe"] = 2
  l_3_0["%localappdata%\\microsoft\\edge\\application\\msedge.exe"] = 1
  l_3_0["%localappdata%\\microsoft\\edge sxs\\application\\msedge.exe"] = 1
  l_3_0["%localappdata%\\microsoft\\edge dev\\application\\msedge.exe"] = 1
  l_3_0["%localappdata%\\microsoft\\edge beta\\application\\msedge.exe"] = 1
  l_3_0["%localappdata%\\microsoft\\edgewebview\\application\\*\\msedgewebview2.exe"] = 1
  l_3_0["%localappdata%\\microsoft\\edge sxs\\application\\*\\msedgewebview2.exe"] = 1
  l_3_0["%localappdata%\\microsoft\\edge dev\\application\\*\\msedgewebview2.exe"] = 1
  l_3_0["%localappdata%\\microsoft\\edge beta\\application\\*\\msedgewebview2.exe"] = 1
  l_3_0["%localappdata%\\mozilla firefox\\*\\firefoxportable\\app\\firefox64\\firefox.exe"] = 1
  l_3_0["%localappdata%\\mozilla firefox\\firefox.exe"] = 1
  l_3_0["%localappdata%\\centbrowser\\application\\chrome.exe"] = 1
  l_3_0["%localappdata%\\chromium\\application\\chrome.exe"] = 1
  l_3_0["%localappdata%\\epic privacy browser\\application\\epic.exe"] = 1
  l_3_0["%localappdata%\\firefox developer edition\\firefox.exe"] = 1
  l_3_0["%localappdata%\\google chrome\\*\\googlechromeportable\\app\\chrome-bin\\chrome.exe"] = 1
  l_3_0["%localappdata%\\google\\chrome beta\\application\\chrome.exe"] = 1
  l_3_0["%localappdata%\\google\\chrome dev\\application\\chrome.exe"] = 1
  l_3_0["%localappdata%\\google\\chrome sxs\\application\\chrome.exe"] = 1
  l_3_0["%localappdata%\\google\\chrome\\application\\chrome.exe"] = 1
  l_3_0["%windir%\\explorer.exe"] = 2
  l_3_0["%windir%\\microsoft.net\\framework\\*\\dw20.exe"] = 2
  l_3_0["%windir%\\notepad.exe"] = 2
  l_3_0["%windir%\\splwow64.exe"] = 2
  l_3_0["%windir%\\ssdal.exe"] = 2
  l_3_0["%windir%\\system32\\atbroker.exe"] = 2
  l_3_0["%windir%\\system32\\bdeunlock.exe"] = 2
  l_3_0["%windir%\\system32\\buaappnt.exe"] = 2
  l_3_0["%windir%\\system32\\conhost.exe"] = 2
  l_3_0["%windir%\\system32\\ctfmon.exe"] = 2
  l_3_0["%windir%\\system32\\dwwin.exe"] = 2
  l_3_0["%windir%\\system32\\ie4uinit.exe"] = 2
  l_3_0["%windir%\\system32\\igfxem.exe"] = 2
  l_3_0["%windir%\\system32\\igfxhk.exe"] = 2
  l_3_0["%windir%\\system32\\igfxtray.exe"] = 2
  l_3_0["%windir%\\system32\\macromed\\flash\\flashplayerupdateservice.exe"] = 2
  l_3_0["%windir%\\system32\\microsoft.uev.synccontroller.exe"] = 2
  l_3_0["%windir%\\system32\\notepad.exe"] = 2
  l_3_0["%windir%\\system32\\ntprint.exe"] = 2
  l_3_0["%windir%\\system32\\pcaui.exe"] = 2
  l_3_0["%windir%\\system32\\searchprotocolhost.exe"] = 2
  l_3_0["%windir%\\system32\\slui.exe"] = 2
  l_3_0["%windir%\\system32\\spool\\drivers"] = 2
  l_3_0["%windir%\\system32\\verclsid.exe"] = 2
  l_3_0["%windir%\\system32\\werfault.exe"] = 2
  l_3_0["%windir%\\system32\\werfaultsecure.exe"] = 2
  l_3_0["%windir%\\system32\\wermgr.exe"] = 2
  l_3_0["%windir%\\system32\\wevtutil.exe"] = 2
  l_3_0["%windir%\\system32\\wfs.exe"] = 2
  l_3_0["%windir%\\system32\\xpsrchvw.exe"] = 2
  l_3_0["%windir%\\system32\\msiexec.exe"] = 2
  l_3_0["%windir%\\syswow64\\config\\systemprofile\\sogouinput\\*\\sgtool.exe"] = 2
  l_3_0["%windir%\\syswow64\\ctfmon.exe"] = 2
  l_3_0["%windir%\\syswow64\\dwwin.exe"] = 2
  l_3_0["%windir%\\syswow64\\ieunatt.exe"] = 2
  l_3_0["%windir%\\syswow64\\ime\\imejp\\imjpdct.exe"] = 2
  l_3_0["%windir%\\syswow64\\ime\\shared\\imecfmui.exe"] = 2
  l_3_0["%windir%\\syswow64\\ime\\shared\\imepadsv.exe"] = 2
  l_3_0["%windir%\\syswow64\\macromed\\flash\\flashplayerupdateservice.exe"] = 2
  l_3_0["%windir%\\syswow64\\mspaint.exe"] = 2
  l_3_0["%windir%\\syswow64\\notepad.exe"] = 2
  l_3_0["%windir%\\syswow64\\openwith.exe"] = 2
  l_3_0["%windir%\\syswow64\\prevhost.exe"] = 2
  l_3_0["%windir%\\syswow64\\verclsid.exe"] = 2
  l_3_0["%windir%\\syswow64\\werfault.exe"] = 2
  l_3_0["%windir%\\syswow64\\wermgr.exe"] = 2
  l_3_0["%windir%\\syswow64\\xpsrchvw.exe"] = 2
  l_3_0["%windir%\\syswow64\\msiexec.exe"] = 2
  l_3_0["%windir%\\syswow64\\launchwinapp.exe"] = 2
  l_3_0["%windir%\\systemapps\\*\\microsoftedgecp.exe"] = 2
  l_3_0["%windir%\\winsxs\\*\\iexplore.exe"] = 2
  l_3_0["%windir%\\winsxs\\*\\splwow64.exe"] = 2
  l_3_0["%windir%\\winsxs\\*\\werfault.exe"] = 2
  l_3_0["%windir%\\system32\fsiso.exe"] = 2
  l_3_0["%userprofile%\\appdata\\local\\google\\chrome"] = 1
  l_3_0["%userprofile%\\appdata\\local\\microsoft\\onedrive"] = 1
  l_3_0["%userprofile%\\appdata\\locallow\\copitrak"] = 1
  l_3_0["%userprofile%\\appdata\\local\\centbrowser\\application\\chrome.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge\\application\\msedge.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge sxs\\application\\msedge.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge dev\\application\\msedge.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge beta\\application\\msedge.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\microsoft\\edgewebview\\application\\*\\msedgewebview2.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge sxs\\application\\*\\msedgewebview2.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge dev\\application\\*\\msedgewebview2.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge beta\\application\\*\\msedgewebview2.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\mozilla firefox\\*\\firefoxportable\\app\\firefox64\\firefox.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\mozilla firefox\\firefox.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\packages\\*\\localcache\\local\\google\\chrome\\application\\chrome.exe"] = 1
  l_3_0["%userprofile%\\appdata\\local\\packages\\*\\localcache\\local\\mozilla firefox\\firefox.exe"] = 1
  return l_3_0
end

## more_exclusions_onmde.lua
-- https://tttang.com/archive/1798/
-- Decompiled using usadec 2.2

GetPathExclusions = function()
  -- function num : 0_2
  local l_3_0 = {}
  l_3_0["%windir%\\system32\\WerFaultSecure.exe"] = 2
  l_3_0["%windir%\\system32\\mrt.exe"] = 2
  l_3_0["%windir%\\system32\\svchost.exe"] = 2
  l_3_0["%windir%\\system32\\wbem\\WmiPrvSE.exe"] = 2
  l_3_0["%windir%\\SysWOW64\\wbem\\WmiPrvSE.exe"] = 2
  l_3_0["%windir%\\system32\\DriverStore\\FileRepository\\*\\NVWMI\\nvWmi64.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft Intune Management Extension\\ClientHealthEval.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft Intune Management Extension\\SensorLogonTask.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft Intune Management Extension\\Microsoft.Management.Services.IntuneWindowsAgent.exe"] = 2
  l_3_0["%programdata%\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\*\\OpenHandleCollector.exe"] = 2
  l_3_0["%programfiles%\\WindowsApps\\Microsoft.GamingServices_*\\gamingservices.exe"] = 2
  l_3_0["%programfiles(x86)%\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe"] = 2
  l_3_0["%programfiles(x86)%\\Zoom\\bin\\CptHost.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe"] = 2
  l_3_0["%programfiles(x86)%\\Microsoft\\Edge\\Application\\*\\Installer\\setup.exe"] = 2
  l_3_0["%programfiles(x86)%\\Google\\Update\\GoogleUpdate.exe"] = 2
  l_3_0["%programfiles(x86)%\\Splunk\\bin\\splunkd.exe"] = 2
  l_3_0["%programfiles(x86)%\\Zscaler\\ZSAUpm\\ZSAUpm.exe"] = 2
  l_3_0["%programfiles(x86)%\\Fortinet\\FortiClient\\FortiESNAC.exe"] = 2
  l_3_0["%programfiles(x86)%\\FireEye\\xagt\\xagt.exe"] = 2
  l_3_0["%programfiles(x86)%\\Autodesk\\Autodesk Desktop App\\AdAppMgrSvc.exe"] = 2
  l_3_0["%programfiles(x86)%\\Dropbox\\Update\\DropboxUpdate.exe"] = 2
  l_3_0["%programfiles(x86)%\\HP\\HP Touchpoint Analytics Client\\Provider Data Sources\\ProcInfo\\ProcInfo.exe"] = 2
  l_3_0["%programfiles(x86)%\\Common Files\\Adobe\\AdobeGCClient\\AGMService.exe"] = 2
  l_3_0["%programfiles(x86)%\\Tanium\\Tanium Client\\Tools\\Detect3\\TaniumDetectEngine.exe"] = 2
  l_3_0["%programfiles(x86)%\\Airwatch\\AgentUI\\AWProcessCommands.exe"] = 2
  l_3_0["%programfiles(x86)%\\Bit9\\Parity Agent\\Parity.exe"] = 2
  l_3_0["%programfiles(x86)%\\Arctic Wolf Networks\\Agent\\ossec-agent.exe"] = 2
  l_3_0["%programfiles(x86)%\\Cordaware\\Infoband\\Infoclient.exe"] = 2
  l_3_0["%programfiles(x86)%\\Splunk\\bin\\splunk-regmon.exe"] = 2
  l_3_0["%programfiles(x86)%\\Lenovo\\VantageService\\*\\LenovoVantage-(LenovoBoostSystemAddin).exe"] = 2
  l_3_0["%programfiles(x86)%\\Micro Focus\\Discovery Agent\\bin32\\discagnt.exe"] = 2
  l_3_0["%programfiles(x86)%\\Hewlett-Packard\\Discovery Agent\\bin32\\discagnt.exe"] = 2
  l_3_0["%programfiles(x86)%\\Micro Focus\\Discovery Agent\\Plugins\\usage\\discusge.exe"] = 2
  l_3_0["%programfiles(x86)%\\Hewlett-Packard\\Discovery Agent\\Plugins\\usage\\discusge.exe"] = 2
  l_3_0["%programfiles%\\Avecto\\Privilege Guard Client\\DefendpointService.exe"] = 2
  l_3_0["%programfiles%\\Intel\\SUR\\QUEENCREEK\\x64\\esrv_svc.exe"] = 2
  l_3_0["%programfiles%\\Microsoft Monitoring Agent\\Agent\\HealthService.exe"] = 2
  l_3_0["%programfiles%\\Microsoft Monitoring Agent\\Agent\\MOMPerfSnapshotHelper.exe"] = 2
  l_3_0["%programfiles%\\Nexthink\\Collector\\Collector\\nxtsvc.exe"] = 2
  l_3_0["%programfiles%\\Splunk\\bin\\splunkd.exe"] = 2
  l_3_0["%programfiles%\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.Updater.exe"] = 2
  l_3_0["%programfiles%\\common files\\microsoft shared\\ClickToRun\\Updates\\*\\OfficeClickToRun.exe"] = 2
  l_3_0["%programfiles%\\Zscaler\\ZSAUpm\\ZSAUpm.exe"] = 2
  l_3_0["%programfiles%\\Fortinet\\FortiClient\\FortiESNAC.exe"] = 2
  l_3_0["%programfiles%\\FireEye\\xagt\\xagt.exe"] = 2
  l_3_0["%programfiles%\\Autodesk\\Autodesk Desktop App\\AdAppMgrSvc.exe"] = 2
  l_3_0["%programfiles%\\Qualys\\QualysAgent\\QualysAgent.exe"] = 2
  l_3_0["%programfiles%\\Altiris\\Altiris Agent\\AeXNSAgent.exe"] = 2
  l_3_0["%programfiles%\\VMware\\VMware Tools\\vmtoolsd.exe"] = 2
  l_3_0["%programfiles%\\Dell\\DTP\\InstrumentationSubAgent\\Dell.TechHub.Instrumentation.SubAgent.exe"] = 2
  l_3_0["%programfiles%\\Rapid7\\Insight Agent\\components\\insight_agent\\*\\ir_agent.exe"] = 2
  l_3_0["%programfiles%\\Microsoft RDInfra\\RDMonitoringAgent_*\\Agent\\MonAgentCore.exe"] = 2
  l_3_0["%programfiles%\\BMCSoftware\\Client Management\\Client\\bin\\mtxagent.exe"] = 2
  l_3_0["%programfiles%\\DisplayLink Core Software\\DisplayLinkHotDeskService.exe"] = 2
  l_3_0["%programfiles%\\ManageSoft\\Tracker\\ndtrack.exe"] = 2
  l_3_0["C:\\Packages\\Plugins\\Microsoft.Azure.Diagnostics.IaaSDiagnostics\\*\\Monitor\\x64\\MonAgentCore.exe"] = 2
  l_3_0["%windir%\\CCM\\CcmExec.exe"] = 2
  l_3_0["%windir%\\CCM\\SensorLogonTask.exe"] = 2
  l_3_0["%windir%\\System32\\DriverStore\\FileRepository\\hpanalyticscomp.*\\x64\\Provider Data Sources\\ProcInfo\\ProcInfo.exe"] = 2
  l_3_0["%windir%\\system32\\RtkAudUService64.exe"] = 2
  l_3_0["%windir%\\Temp\\Ctx-*\\Extract\\TrolleyExpress.exe"] = 2
  l_3_0["%programdata%\\Citrix\\Citrix Receiver*\\TrolleyExpress.exe"] = 2
  l_3_0["%programdata%\\Citrix\\Citrix Workspace *\\TrolleyExpress.exe"] = 2
  l_3_0["%programfiles(x86)%\\Citrix\\Citrix Workspace *\\TrolleyExpress.exe"] = 2
  l_3_0["%temp%\\Ctx-*\\Extract\\TrolleyExpress.exe"] = 2
  l_3_0["%programfiles%\\Quest\\ChangeAuditor\\Agent\\NPSrvHost.exe"] = 2
  l_3_0["%programfiles%\\Quest\\ChangeAuditor\\Service\\ChangeAuditor.Service.exe"] = 2
  l_3_0["%windir%\\system32\\DriverStore\\FileRepository\\hpqkbsoftwarecompnent.inf_amd64_*\\HotKeyServiceUWP.exe"] = 2
  l_3_0["%windir%\\system32\\CompatTelRunner.exe"] = 2
  l_3_0["%programfiles(x86)%\\Printer Properties Pro\\Printer Installer Client\\PrinterInstallerClient.exe"] = 2
  l_3_0["%programfiles%\\Printer Properties Pro\\Printer Installer Client\\PrinterInstallerClient.exe"] = 2
  l_3_0["%programfiles(x86)%\\Zscaler\\ZSATunnel\\ZSATunnel.exe"] = 2
  l_3_0["%programfiles%\\Zscaler\\ZSATunnel\\ZSATunnel.exe"] = 2
  l_3_0["%programfiles(x86)%\\ManageSoft\\Security Agent\\mgssecsvc.exe"] = 2
  l_3_0["%programfiles%\\ManageSoft\\Security Agent\\mgssecsvc.exe"] = 2
  l_3_0["%programfiles(x86)%\\Snow Software\\Inventory\\Agent\\snowagent.exe"] = 2
  l_3_0["%programfiles%\\Snow Software\\Inventory\\Agent\\snowagent.exe"] = 2
  l_3_0["c:\\windows\\system32\\WerFaultSecure.exe"] = 2
  l_3_0["c:\\windows\\system32\\wbem\\WmiPrvSE.exe"] = 2
  l_3_0["c:\\windows\\SysWOW64\\wbem\\WmiPrvSE.exe"] = 2
  l_3_0["\\Device\\HarddiskVolume?\\Windows\\System32\\svchost.exe"] = 2
  l_3_0["\\Device\\HarddiskVolume?\\Windows\\System32\\wbem\\wmiprvse.exe"] = 2
  l_3_0["%windir%\\system32\fsiso.exe"] = 2
  return l_3_0
end

## sipolicy.xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <Rules />
  <!--EKUS-->
  <EKUs />
  <!--File Rules-->
  <FileRules />
  <!--Signers-->
  <Signers>
    <Signer ID="ID_SIGNER_DEFENDER_FOR_ENDPOINT" Name="Microsoft Code Signing PCA 2011">
      <CertRoot Type="TBS" Value="F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E" />
      <CertPublisher Value="Microsoft Windows Defender Advanced Threat Protection" />
    </Signer>
  </Signers>
  <!--Driver Signing Scenarios-->
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 10-27-2021">
      <ProductSigners />
    </SigningScenario>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 10-27-2021">
      <ProductSigners>
        <AllowedSigners>
          <AllowedSigner SignerId="ID_SIGNER_DEFENDER_FOR_ENDPOINT" />
        </AllowedSigners>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
  <UpdatePolicySigners />
  <CiSigners>
    <CiSigner SignerId="ID_SIGNER_DEFENDER_FOR_ENDPOINT" />
  </CiSigners>
  <HvciOptions>0</HvciOptions>
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
</SiPolicy>

## validation.ps1
& {
    $OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8

    $scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read)

    $calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256

    if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803')) {
        exit 323; # ERROR_DATA_CHECKSUM_ERROR
    }

    . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1'
}
	function Get-MacFromIp
	{
	param(
	[Parameter(Mandatory=$true)]
	[string]$RemoteIP
	)

	$arpTable = Get-NetNeighbor -IPAddress $RemoteIP -State Stale,Reachable -ErrorAction SilentlyContinue \| Select-Object -First 1
	if($arpTable -ne $null)
	{
	$Mac = $arpTable.LinkLayerAddress
	}

	return $Mac
	}

	function Get-DefaultGatewayIpAddress
	{
	param(
	[Parameter(Mandatory=$true)]
	[string]$LocalIp
	)

	$DefaultGatewayIp = $null
	try
	{
	$DefaultGatewayIps = (Get-wmiObject Win32_networkAdapterConfiguration -ErrorAction Stop \| ?{$_.IPAddress -contains $LocalIp} \| Select-Object -ExpandProperty DefaultIPGateway)
	if($DefaultGatewayIps.count -gt 0)
	{
	return $DefaultGatewayIps
	}
	}
	catch
	{ }

	try
	{
	$Index = Get-NetIPAddress -IPAddress $LocalIp -AddressFamily IPv4 \| Select-Object -ExpandProperty InterfaceIndex
	$DefaultGatewayIps = Get-NetRoute -InterfaceIndex $Index \| where {$_.DestinationPrefix -eq '0.0.0.0/0' -or $_.DestinationPrefix -eq "::/0"} \| Select-Object -ExpandProperty NextHop
	return $DefaultGatewayIps
	}
	catch
	{ }

	return $null
	}


	function Get-StaticRoutes
	{
	param(
	[Parameter(Mandatory=$true)]
	[string]$Index
	)

	try
	{
	$StaticRoutes = Get-NetRoute -InterfaceIndex $Index \| Where-Object -FilterScript { $_.DestinationPrefix -Ne "0.0.0.0/0" } \| Where-Object -FilterScript { $_.NextHop -Ne "::" } \| Where-Object -FilterScript { $_.NextHop -Ne "0.0.0.0" } \| Where-Object -FilterScript { ($_.NextHop.SubString(0,6) -Ne "fe80::") } \| Select-Object -ExpandProperty NextHop \| Get-Unique
	return $StaticRoutes
	}
	catch
	{ }

	return $null
	}

	function WriteEtw
	{
	param(
	[Parameter(Mandatory=$true)]
	[AllowEmptyString()]
	[string]$Ip,
	[Parameter(Mandatory=$true)]
	[AllowEmptyString()]
	[string]$NetworkName,
	[Parameter(Mandatory=$true)]
	[byte]$IsStaticRoute,
	[Parameter(Mandatory=$true)]
	[AllowEmptyString()]
	[string]$NetworkAdapterId
	)

	try
	{
	if([string]::IsNullOrEmpty($Ip))
	{
	Write-Host "Cannot get Ip address"
	return $null
	}

	if([string]::IsNullOrEmpty($NetworkName))
	{
	Write-Host "Cannot get NetworkName"
	return $null
	}

	$Mac = Get-MacFromIp $Ip
	if([string]::IsNullOrEmpty($Mac))
	{
	Write-Host "Cannot get Mac address from Ip"
	return $null
	}

	$etw = New-Object "NdrCollectorDefaultGatewayDiscoveryEvent" -Property @{
	Ip = $Ip
	Mac = $Mac
	NetworkName = $NetworkName
	IsStaticRoute = $IsStaticRoute
	NetworkAdapterId = $NetworkAdapterId
	AdapterDefaultGatewaysMac = $Mac
	}

	$global:EtwProvider.Write("NdrCollectorDefaultGatewayDiscoveryEvent", $etw)
	}

	catch
	{
	Write-Host $_.Exception.ToString()
	}
	}

	[System.Diagnostics.Tracing.EventSource(Name = "Microsoft.Windows.NdrCollector", Guid = "ac39453b-eb9e-463f-b8ff-9c1a08b5931b")]
	class NdrEventSource : System.Diagnostics.Tracing.EventSource
	{
	NdrEventSource() : base([System.Diagnostics.Tracing.EventSourceSettings]::EtwSelfDescribingEventFormat -bOr [System.Diagnostics.Tracing.EventSourceSettings]::ThrowOnEventWriteErrors) { }
	}

	[System.Diagnostics.Tracing.EventData()]
	class NdrCollectorDefaultGatewayDiscoveryEvent
	{
	[string]$Ip
	[string]$Mac
	[string]$NetworkName
	[byte]$IsStaticRoute
	[string]$NetworkAdapterId
	[string]$AdapterDefaultGatewaysMac
	}

	$global:EtwProvider = [NdrEventSource]::new()

	try
	{
	$Interfaces = Get-NetConnectionProfile

	foreach($Interface in $Interfaces)
	{
	$NetworkName = $Interface.Name
	$InterfaceIndex = $Interface.InterfaceIndex
	$NetworkAdapterId = Get-NetAdapter -InterfaceIndex $InterfaceIndex \| Select-Object -ExpandProperty InterfaceGuid
	# Default gateway
	$IpAddress = Get-NetIPAddress -InterfaceIndex $InterfaceIndex -AddressFamily IPv4 -ErrorAction Stop \| Select-Object -First 1 -ExpandProperty IPAddress
	$DefaultGatewayIps = Get-DefaultGatewayIpAddress -LocalIp $IpAddress
	foreach($DefaultGatewayIp in $DefaultGatewayIps)
	{
	WriteEtw -Ip $DefaultGatewayIp -NetworkName $NetworkName -IsStaticRoute 0 -NetworkAdapterId $NetworkAdapterId
	}

	# Static Routes
	$StaticRoutes = Get-StaticRoutes -Index $InterfaceIndex
	foreach($StaticRoute in $StaticRoutes)
	{
	if ($DefaultGatewayIps -NotContains $StaticRoute)
	{
	WriteEtw -Ip $StaticRoute -NetworkName $NetworkName -IsStaticRoute 1 -NetworkAdapterId $NetworkAdapterId
	}
	}
	}

	}
	catch
	{
	Write-Host $_.Exception.ToString()
	}
	# SIG # Begin signature block
	# MIIjnAYJKoZIhvcNAQcCoIIjjTCCI4kCAQExDzANBglghkgBZQMEAgEFADB5Bgor
	# BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG
	# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCAREpDm6HkxIr57
	# 8Y/WT6uWm7fjVstZT6wLrKIUDp7WpqCCDZcwggYVMIID/aADAgECAhMzAAACBfxQ
	# gVRAZe+wAAAAAAIFMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD
	# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
	# b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p
	# bmcgUENBIDIwMTEwHhcNMjEwMTI4MjA1MDIyWhcNMjIwMTI3MjA1MDIyWjCBlDEL
	# MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
	# bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE+MDwGA1UEAxM1TWlj
	# cm9zb2Z0IFdpbmRvd3MgRGVmZW5kZXIgQWR2YW5jZWQgVGhyZWF0IFByb3RlY3Rp
	# b24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnzN6cC9F7QPxy8wqh
	# 5eFQnTNSt0TPHwPadl8S7eM/wydErhpJ5gZK78kbVQukIdryEqksULsPe7AyFCLV
	# kQRo3mOJ3+YLDZeVrfnv4Mkt2wjTVMtrNupsA094qxu41YBxhm55pgu5++Ui3dzY
	# OvRGHHTWPC8tOJxHUlE3seRL3qqvbIstmn8ZDYuj1tiSomcryC1zcnpU0q2MK/a2
	# IpysugtxjurLV8FJ/qRPulJU9UrqbW1bIUlJcS/MYA08FeMcIkNmVAyjtrJw7vTS
	# akU/MUTM6x3iFQ3lmRXTpj+Jgn4NY3qGVbgc5+4JzuM9tyFxwwFXJ5+PFZF4wvof
	# HRl7AgMBAAGjggFzMIIBbzAfBgNVHSUEGDAWBggrBgEFBQcDAwYKKwYBBAGCN0wv
	# ATAdBgNVHQ4EFgQUrcJFuzsm8YPzfqpbNi6hXOUVGsYwRQYDVR0RBD4wPKQ6MDgx
	# HjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEWMBQGA1UEBRMNNDUxODk0
	# KzQ2NDEyMTAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8E
	# TTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9N
	# aWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBR
	# BggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0
	# cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAw
	# DQYJKoZIhvcNAQELBQADggIBAFVuBClXQ4gA7LUrGgI9kwiXd3HPndMVVJqLjodr
	# 8tr36KzA9fi3eVBD7W9ebooPfcrwFxcuf3+JB36GGd8FK3M102Z8OY0Ybb8Ox2G1
	# Wtz5Cg/L4HOShHztzbOnSvmt/jLtS/LPS+6fFHkod0ylfxwuujdmSbu0QC7jqFbg
	# +qZ5tNgZcMcFV7WWSwGxv6DQewrZ/P0BwggDHJ/7QrZETuDVKrVQvqvW67VIdr9j
	# d17GByBDyOnQb6WOigUOqUXFtGCqD0MxL3PnPg2nMzRWMm3UcnPPwfZPKsH3D+wG
	# 08r23pUR0gd7lSm3PtQhz0bNtsxqne4y5SibgdESt9+fA1ZHI4GZFSl7k9G1EDrv
	# 5cBCJbiRKg7CBRKBBKtmsCjtiAaSeNtajJCtGhMbvLaGWIJa26OTDqEtCcY9bXnJ
	# SZ6S0m7CJneg0/x5d++cCugRSyaKYNKc9NL9NIGiF4z5ZAOEMgHYlEhlg0DNJXcP
	# eWG/z5xz0qydUEhkmX/rHRvvqxB62cGS/d+I1FmssN8kiOO3Mff+2+XNbKJj5vH9
	# EgRUJ7mGQfw+7FsU4qc/OBQfNUtiTTK32vpQcdpk5SgqKvNnFUYvEfHNCpSQPqCb
	# c9mNWsRhE34xjMpGAgcWLDto+xVDzton8PeIDxfRYPyzn1F77kcAGNFk/LBfB5lH
	# 8v+vMIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDEL
	# MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
	# bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWlj
	# cm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4
	# MjA1OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
	# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
	# IENvcnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBD
	# QSAyMDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3Y
	# bqqCEE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUB
	# FDFC04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnbo
	# MlImEi/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT
	# +OPeBw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuy
	# e4Yb2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEh
	# NSXDOW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2
	# z3yxkq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3
	# s/gA4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78Ic
	# V9uDjexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E
	# 11ecXL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5P
	# M4TasIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcV
	# AQQDAgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3
	# FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAf
	# BgNVHSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBL
	# hklodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNS
	# b29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggr
	# BgEFBQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNS
	# b29DZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsG
	# AQQBgjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29t
	# L3BraW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwA
	# ZQBnAGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0G
	# CSqGSIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDB
	# ZV8uLD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc
	# 8zxCi1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYq
	# wooQu6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu
	# 5a8n7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWI
	# UUVYODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXh
	# j38cbxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yH
	# PgZ3BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtI
	# EJmAH9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4Guzq
	# N5l5GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgR
	# MiF670EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQ
	# zTGCFVswghVXAgEBMIGVMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5n
	# dG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9y
	# YXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTEC
	# EzMAAAIF/FCBVEBl77AAAAAAAgUwDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcN
	# AQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUw
	# LwYJKoZIhvcNAQkEMSIEIA0XJ9IOULb5ZRl6fjdzFyBKz4Lov573284oKzjqV/J3
	# MEIGCisGAQQBgjcCAQwxNDAyoBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRw
	# Oi8vd3d3Lm1pY3Jvc29mdC5jb20wDQYJKoZIhvcNAQEBBQAEggEAgprNLO3A6BNU
	# CeOtBBvWr6QoG1lzIh4RUu5zF+PUICX3c1BiAFA9/fI0HSz5pQO34jZqL812gFdg
	# 7K9gahdkzTM5YEY+Kw/cj3INF0V+Hmk3izA0XEauMdOHF8W2Fub63Zm1+V3O0RnY
	# TURnn/QNYa5CpeY28P516jz7qnA5jVSC3/snHb2kqUSXPv5AC9rS6ZkLxo3hGpg/
	# frytjVQyJK6IocGOZODI9pD392JxUaxX0F2M8xXS8hLFnUhIC99OEGTzHfthUIhG
	# sjYQ58WqAIXjOXq+AEg2G8sZr/3SNPIrygPWAxs/++6HsYrRxMB7PuV1LAPbipZs
	# rDY+qwDXeqGCEuUwghLhBgorBgEEAYI3AwMBMYIS0TCCEs0GCSqGSIb3DQEHAqCC
	# Er4wghK6AgEDMQ8wDQYJYIZIAWUDBAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAE
	# ggE8MIIBOAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCAVbyIwLoFd
	# 90CXAzchtum4L8NiSSDcynuS7MQyNFUXxQIGYUOpnlfVGBMyMDIxMTAxMTA1NDIy
	# Ny44MThaMASAAgH0oIHQpIHNMIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
	# aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
	# cnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25z
	# MSYwJAYDVQQLEx1UaGFsZXMgVFNTIEVTTjozQkJELUUzMzgtRTlBMTElMCMGA1UE
	# AxMcTWljcm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZaCCDjwwggTxMIID2aADAgEC
	# AhMzAAABT2QudfZ6A1qDAAAAAAFPMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYT
	# AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
	# VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBU
	# aW1lLVN0YW1wIFBDQSAyMDEwMB4XDTIwMTExMjE4MjYwMloXDTIyMDIxMTE4MjYw
	# MlowgcoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
	# EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNV
	# BAsTHE1pY3Jvc29mdCBBbWVyaWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxl
	# cyBUU1MgRVNOOjNCQkQtRTMzOC1FOUExMSUwIwYDVQQDExxNaWNyb3NvZnQgVGlt
	# ZS1TdGFtcCBTZXJ2aWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
	# oxR3tWT2aCjsG+T9xO/7SB0mr4rYXzH/LCaHciW1CyB5a1J2sUngsTchSgd6S3Fj
	# nckA8iQk0W6kapgtG0ng9Q309TyL+vwOhw7GdzYO890JQ4PwxJV5X0Gkr6d9nX0/
	# VO+NjtH7yQu7AExHpwWs+34U10IpcI7h1X1OVqm0sR503IhVqZgGyXPQT7j/u6WF
	# zFKUt2sBiWZPXARX1XPQtawOXKk+AriBDEsOB1ELCJuBBWw0zAUj0f4aS0lYKCN7
	# qdU0zqe+qPYBrS/p0HFX1UzRNn37M6R8RAgPxbO168HGxBXtNNkR72tFgT24pGWm
	# Xh0BBw4thGfTJbI8rT9q/QIDAQABo4IBGzCCARcwHQYDVR0OBBYEFI6N7tcWBhB+
	# VZO/NcJk8TFf8qCgMB8GA1UdIwQYMBaAFNVjOlyKMZDzQ3t8RhvFM2hahW1VMFYG
	# A1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3Js
	# L3Byb2R1Y3RzL01pY1RpbVN0YVBDQV8yMDEwLTA3LTAxLmNybDBaBggrBgEFBQcB
	# AQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kv
	# Y2VydHMvTWljVGltU3RhUENBXzIwMTAtMDctMDEuY3J0MAwGA1UdEwEB/wQCMAAw
	# EwYDVR0lBAwwCgYIKwYBBQUHAwgwDQYJKoZIhvcNAQELBQADggEBADwx5KscXOQy
	# DnrK0Xs8m6KBX5eEMRpjQmukbtvr4C9uwusGQdEefJAZ4lpeQJoy6LyZSryXiST2
	# nmIVO8FR3l8McH/pEZEGLhhRdp0ZCD/HZdqG+gHeMm9MHg/aOl+YUm+kmkAsg/2I
	# 6EpQ+QIAOCgp7JtgLr2u8wZuRCIen4nuSzqjN655vzgJdlDpzW33xebIOr2hcuPD
	# wdRTCVGeIK909svJBF5rBPe/tmY4yVG3BNa/r7Pm9b+sWcHn9XXLQU1FpFtb/2v+
	# 1qjF7TSI6zh4wsLLB4cAH7pRe5rOBTtb/z2DzrrBxuKmyrzEYcQODJ6GA+4dYckn
	# Cncb1Kzd5bkwggZxMIIEWaADAgECAgphCYEqAAAAAAACMA0GCSqGSIb3DQEBCwUA
	# MIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
	# UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIwMAYDVQQD
	# EylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxMDAeFw0x
	# MDA3MDEyMTM2NTVaFw0yNTA3MDEyMTQ2NTVaMHwxCzAJBgNVBAYTAlVTMRMwEQYD
	# VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy
	# b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w
	# IFBDQSAyMDEwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqR0NvHcR
	# ijog7PwTl/X6f2mUa3RUENWlCgCChfvtfGhLLF/Fw+Vhwna3PmYrW/AVUycEMR9B
	# GxqVHc4JE458YTBZsTBED/FgiIRUQwzXTbg4CLNC3ZOs1nMwVyaCo0UN0Or1R4HN
	# vyRgMlhgRvJYR4YyhB50YWeRX4FUsc+TTJLBxKZd0WETbijGGvmGgLvfYfxGwScd
	# JGcSchohiq9LZIlQYrFd/XcfPfBXday9ikJNQFHRD5wGPmd/9WbAA5ZEfu/QS/1u
	# 5ZrKsajyeioKMfDaTgaRtogINeh4HLDpmc085y9Euqf03GS9pAHBIAmTeM38vMDJ
	# RF1eFpwBBU8iTQIDAQABo4IB5jCCAeIwEAYJKwYBBAGCNxUBBAMCAQAwHQYDVR0O
	# BBYEFNVjOlyKMZDzQ3t8RhvFM2hahW1VMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIA
	# QwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFNX2
	# VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9jcmwu
	# bWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1dF8yMDEw
	# LTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6Ly93
	# d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYt
	# MjMuY3J0MIGgBgNVHSABAf8EgZUwgZIwgY8GCSsGAQQBgjcuAzCBgTA9BggrBgEF
	# BQcCARYxaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL1BLSS9kb2NzL0NQUy9kZWZh
	# dWx0Lmh0bTBABggrBgEFBQcCAjA0HjIgHQBMAGUAZwBhAGwAXwBQAG8AbABpAGMA
	# eQBfAFMAdABhAHQAZQBtAGUAbgB0AC4gHTANBgkqhkiG9w0BAQsFAAOCAgEAB+aI
	# UQ3ixuCYP4FxAz2do6Ehb7Prpsz1Mb7PBeKp/vpXbRkws8LFZslq3/Xn8Hi9x6ie
	# JeP5vO1rVFcIK1GCRBL7uVOMzPRgEop2zEBAQZvcXBf/XPleFzWYJFZLdO9CEMiv
	# v3/Gf/I3fVo/HPKZeUqRUgCvOA8X9S95gWXZqbVr5MfO9sp6AG9LMEQkIjzP7QOl
	# lo9ZKby2/QThcJ8ySif9Va8v/rbljjO7Yl+a21dA6fHOmWaQjP9qYn/dxUoLkSbi
	# OewZSnFjnXshbcOco6I8+n99lmqQeKZt0uGc+R38ONiU9MalCpaGpL2eGq4EQoO4
	# tYCbIjggtSXlZOz39L9+Y1klD3ouOVd2onGqBooPiRa6YacRy5rYDkeagMXQzafQ
	# 732D8OE7cQnfXXSYIghh2rBQHm+98eEA3+cxB6STOvdlR3jo+KhIq/fecn5ha293
	# qYHLpwmsObvsxsvYgrRyzR30uIUBHoD7G4kqVDmyW9rIDVWZeodzOwjmmC3qjeAz
	# LhIp9cAvVCch98isTtoouLGp25ayp0Kiyc8ZQU3ghvkqmqMRZjDTu3QyS99je/WZ
	# ii8bxyGvWbWu3EQ8l1Bx16HSxVXjad5XwdHeMMD9zOZN+w2/XU/pnR4ZOC+8z1gF
	# Lu8NoFA12u8JJxzVs341Hgi62jbb01+P3nSISRKhggLOMIICNwIBATCB+KGB0KSB
	# zTCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
	# B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UE
	# CxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UECxMdVGhhbGVz
	# IFRTUyBFU046M0JCRC1FMzM4LUU5QTExJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1l
	# LVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAOgiDOKq0gc6nIzXh1J3Xil4
	# KqvooIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
	# EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
	# bjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZI
	# hvcNAQEFBQACBQDlDcuDMCIYDzIwMjExMDExMDQyODUxWhgPMjAyMTEwMTIwNDI4
	# NTFaMHcwPQYKKwYBBAGEWQoEATEvMC0wCgIFAOUNy4MCAQAwCgIBAAICF3ICAf8w
	# BwIBAAICEXwwCgIFAOUPHQMCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGE
	# WQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUFAAOBgQCh
	# oFimxUzGu64GmL5RD5AHiQpdAL94cNJqEb7ARLHE2xZaO20LNg4USdXuydHrcjd8
	# UEv9neh2VtfaLImKaF1CJFVl3nUJcX+KtRFsCEOEJ9tzvYshtwxvDarf3jk2u5L/
	# hzzf+FUcI0dI9iK3HjWeD9ZWetK3+mVEK8pS4frJJjGCAw0wggMJAgEBMIGTMHwx
	# CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
	# b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1p
	# Y3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABT2QudfZ6A1qDAAAAAAFP
	# MA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQw
	# LwYJKoZIhvcNAQkEMSIEIAsVoVDOCjCxT95Z/4ANUgMC6zfmoJumj1n9GIH28uL8
	# MIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgAGcmEPaCWKTAxnIhbRhyekPP
	# qvh5bTCNEMXGwQC1NwIwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
	# V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
	# IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0Eg
	# MjAxMAITMwAAAU9kLnX2egNagwAAAAABTzAiBCC3XiqulD2Xl1Gm/Ec4ztWeOqay
	# NcLBwGx8mpg+0NFk9TANBgkqhkiG9w0BAQsFAASCAQCTD9summ2IYCg8jVWg4/2L
	# uVPTklPk6PvSXGzrrsUaAv1qM1pHAH36H+0t6bmaMtOrOaGsbtlOtBUGUrv+zAE2
	# 1Ptl9zMuCbFmA8q4aiY77JEGuVcPwFZkvu21UmY9NYUxAfly1edQ5nmYY1t2ywJx
	# WG9L0ATREh4HzLyKBfjlDhfe2j0Cy+9by9+rsbbLCFSZYgPg4st0gB0D/Zi+gXQm
	# YHazoY/cdPEb5ETzePw1jbJo35mIewLayJywRVkseQjoGT+uQ6cwKLVBNSfL0xiW
	# ma/1PTpf0gzNmyPOLtHUa0zR4zQZym9V5vZ+u7PVYiOXtlOz0MST7E2NWx3BPlU4
	# SIG # End signature block
	-- https://tttang.com/archive/1798/
	-- Decompiled using usadec 2.2

	GetPathExclusions = function()
	-- function num : 0_2
	local l_3_0 = {}
	l_3_0["%commonprogramfiles%\\adobe"] = 2
	l_3_0["%commonprogramfiles%\\microsoft shared"] = 2
	l_3_0["%commonprogramfiles(x86)%\\adobe"] = 2
	l_3_0["%commonprogramfiles(x86)%\\microsoft shared"] = 2
	l_3_0["%programdata%\\app-v"] = 2
	l_3_0["%programfiles%\\acrobat"] = 2
	l_3_0["%programfiles%\\adobe"] = 2
	l_3_0["%programfiles%\\firefox developer edition"] = 2
	l_3_0["%programfiles%\\foxit software"] = 2
	l_3_0["%programfiles%\\google"] = 2
	l_3_0["%programfiles%\\internet explorer"] = 2
	l_3_0["%programfiles%\\microsoft application virtualization\\client\\subsystems\\appvdllsurrogate32.exe"] = 2
	l_3_0["%programfiles%\\microsoft application virtualization\\client\\subsystems\\appvdllsurrogate64.exe"] = 2
	l_3_0["%programfiles%\\microsoft office 15"] = 2
	l_3_0["%programfiles%\\microsoft office 2003"] = 2
	l_3_0["%programfiles%\\microsoft office 2010"] = 2
	l_3_0["%programfiles%\\microsoft office 2016"] = 2
	l_3_0["%programfiles%\\microsoft office"] = 2
	l_3_0["%programfiles%\\microsoft office2003"] = 2
	l_3_0["%programfiles%\\microsoft office2007"] = 2
	l_3_0["%programfiles%\\microsoft office\\2010"] = 2
	l_3_0["%programfiles%\\microsoft office\\live meeting 8"] = 2
	l_3_0["%programfiles%\\microsoft office\\office"] = 2
	l_3_0["%programfiles%\\microsoft office\\office10"] = 2
	l_3_0["%programfiles%\\microsoft office\\office11"] = 2
	l_3_0["%programfiles%\\microsoft office\\office12"] = 2
	l_3_0["%programfiles%\\microsoft office\\office13"] = 2
	l_3_0["%programfiles%\\microsoft office\\office14"] = 2
	l_3_0["%programfiles%\\microsoft office\\office15"] = 2
	l_3_0["%programfiles%\\microsoft office\\office16"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\2010"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\client\\appvdllsurrogate32.exe"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\client\\appvdllsurrogate64.exe"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\live meeting 8"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\office"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\office10"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\office11"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\office12"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\office13"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\office14"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\office15"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\office16"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\updates"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\vfs"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\visio"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\visio10"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\visio11"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\visio12"] = 2
	l_3_0["%programfiles%\\microsoft office\\root\\visio13"] = 2
	l_3_0["%programfiles%\\microsoft office\\updates"] = 2
	l_3_0["%programfiles%\\microsoft office\\vfs"] = 2
	l_3_0["%programfiles%\\microsoft office\\visio"] = 2
	l_3_0["%programfiles%\\microsoft office\\visio10"] = 2
	l_3_0["%programfiles%\\microsoft office\\visio11"] = 2
	l_3_0["%programfiles%\\microsoft office\\visio12"] = 2
	l_3_0["%programfiles%\\microsoft office\\visio13"] = 2
	l_3_0["%programfiles%\\microsoft security client"] = 2
	l_3_0["%programfiles%\\mozilla firefox"] = 2
	l_3_0["%programfiles%\\opera"] = 2
	l_3_0["%programfiles%\\reader"] = 2
	l_3_0["%programfiles%\\sogouinput"] = 2
	l_3_0["%programfiles%\\tencent"] = 2
	l_3_0["%programfiles%\\ucbrowser"] = 2
	l_3_0["%programfiles%\\winrar"] = 2
	l_3_0["%programfiles%\\winzip"] = 2
	l_3_0["%programfiles%\\Microsoft\\Edge\\Application"] = 2
	l_3_0["%programfiles%\\Microsoft\\Edge\\Application\\msedge.exe"] = 2
	l_3_0["%programfiles%\\Microsoft\\Edge Dev\\Application\\msedge.exe"] = 2
	l_3_0["%programfiles%\\Microsoft\\Edge Beta\\Application\\msedge.exe"] = 2
	l_3_0["%programfiles%\\Microsoft\\Edge\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programfiles%\\Microsoft\\Edge Dev\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programfiles%\\Microsoft\\Edge Beta\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programfiles%\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programfiles(x86)%\\acrobat"] = 2
	l_3_0["%programfiles(x86)%\\acrobat dc"] = 2
	l_3_0["%programfiles(x86)%\\adobe"] = 2
	l_3_0["%programfiles(x86)%\\firefox developer edition"] = 2
	l_3_0["%programfiles(x86)%\\foxit software"] = 2
	l_3_0["%programfiles(x86)%\\google"] = 2
	l_3_0["%programfiles(x86)%\\internet explorer"] = 2
	l_3_0["%programfiles(x86)%\\microsoft application virtualization\\client\\subsystems\\appvdllsurrogate32.exe"] = 2
	l_3_0["%programfiles(x86)%\\microsoft application virtualization\\client\\subsystems\\appvdllsurrogate64.exe"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office 15"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office 2003"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office 2010"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office 2016"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office2003"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office2007"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\2010"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\live meeting 8"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\office"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\office10"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\office11"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\office12"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\office13"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\office14"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\office15"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\office16"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\2010"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\client\\appvdllsurrogate32.exe"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\client\\appvdllsurrogate64.exe"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\live meeting 8"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\office"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\office10"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\office11"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\office12"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\office13"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\office14"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\office15"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\office16"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\updates"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\vfs"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio10"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio11"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio12"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\root\\visio13"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\updates"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\vfs"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\visio"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\visio10"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\visio11"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\visio12"] = 2
	l_3_0["%programfiles(x86)%\\microsoft office\\visio13"] = 2
	l_3_0["%programfiles(x86)%\\microsoft security client"] = 2
	l_3_0["%programfiles(x86)%\\mozilla firefox"] = 2
	l_3_0["%programfiles(x86)%\\opera"] = 2
	l_3_0["%programfiles(x86)%\\reader"] = 2
	l_3_0["%programfiles(x86)%\\sogouinput"] = 2
	l_3_0["%programfiles(x86)%\\tencent"] = 2
	l_3_0["%programfiles(x86)%\\ucbrowser"] = 2
	l_3_0["%programfiles(x86)%\\winrar"] = 2
	l_3_0["%programfiles(x86)%\\winzip"] = 2
	l_3_0["%programfiles(x86)%\\Microsoft\\Edge\\Application"] = 2
	l_3_0["%programfiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe"] = 2
	l_3_0["%programfiles(x86)%\\Microsoft\\Edge Dev\\Application\\msedge.exe"] = 2
	l_3_0["%programfiles(x86)%\\Microsoft\\Edge Beta\\Application\\msedge.exe"] = 2
	l_3_0["%programfiles(x86)%\\Microsoft\\Edge\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programfiles(x86)%\\Microsoft\\Edge Dev\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programfiles(x86)%\\Microsoft\\Edge Beta\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programfiles(x86)%\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programW6432%\\Microsoft\\Edge\\Application\\msedge.exe"] = 2
	l_3_0["%programW6432%\\Microsoft\\Edge Dev\\Application\\msedge.exe"] = 2
	l_3_0["%programW6432%\\Microsoft\\Edge Beta\\Application\\msedge.exe"] = 2
	l_3_0["%programW6432%\\Microsoft\\Edge\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programW6432%\\Microsoft\\Edge Dev\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programW6432%\\Microsoft\\Edge Beta\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programW6432%\\Microsoft\\EdgeWebView\\Application\\*\\msedgewebview2.exe"] = 2
	l_3_0["%programfiles(x86)%\\BraveSoftware\\Brave-Browser\\Application\\brave.exe"] = 2
	l_3_0["%localappdata%\\microsoft\\edge\\application\\msedge.exe"] = 1
	l_3_0["%localappdata%\\microsoft\\edge sxs\\application\\msedge.exe"] = 1
	l_3_0["%localappdata%\\microsoft\\edge dev\\application\\msedge.exe"] = 1
	l_3_0["%localappdata%\\microsoft\\edge beta\\application\\msedge.exe"] = 1
	l_3_0["%localappdata%\\microsoft\\edgewebview\\application\\*\\msedgewebview2.exe"] = 1
	l_3_0["%localappdata%\\microsoft\\edge sxs\\application\\*\\msedgewebview2.exe"] = 1
	l_3_0["%localappdata%\\microsoft\\edge dev\\application\\*\\msedgewebview2.exe"] = 1
	l_3_0["%localappdata%\\microsoft\\edge beta\\application\\*\\msedgewebview2.exe"] = 1
	l_3_0["%localappdata%\\mozilla firefox\\*\\firefoxportable\\app\\firefox64\\firefox.exe"] = 1
	l_3_0["%localappdata%\\mozilla firefox\\firefox.exe"] = 1
	l_3_0["%localappdata%\\centbrowser\\application\\chrome.exe"] = 1
	l_3_0["%localappdata%\\chromium\\application\\chrome.exe"] = 1
	l_3_0["%localappdata%\\epic privacy browser\\application\\epic.exe"] = 1
	l_3_0["%localappdata%\\firefox developer edition\\firefox.exe"] = 1
	l_3_0["%localappdata%\\google chrome\\*\\googlechromeportable\\app\\chrome-bin\\chrome.exe"] = 1
	l_3_0["%localappdata%\\google\\chrome beta\\application\\chrome.exe"] = 1
	l_3_0["%localappdata%\\google\\chrome dev\\application\\chrome.exe"] = 1
	l_3_0["%localappdata%\\google\\chrome sxs\\application\\chrome.exe"] = 1
	l_3_0["%localappdata%\\google\\chrome\\application\\chrome.exe"] = 1
	l_3_0["%windir%\\explorer.exe"] = 2
	l_3_0["%windir%\\microsoft.net\\framework\\*\\dw20.exe"] = 2
	l_3_0["%windir%\\notepad.exe"] = 2
	l_3_0["%windir%\\splwow64.exe"] = 2
	l_3_0["%windir%\\ssdal.exe"] = 2
	l_3_0["%windir%\\system32\\atbroker.exe"] = 2
	l_3_0["%windir%\\system32\\bdeunlock.exe"] = 2
	l_3_0["%windir%\\system32\\buaappnt.exe"] = 2
	l_3_0["%windir%\\system32\\conhost.exe"] = 2
	l_3_0["%windir%\\system32\\ctfmon.exe"] = 2
	l_3_0["%windir%\\system32\\dwwin.exe"] = 2
	l_3_0["%windir%\\system32\\ie4uinit.exe"] = 2
	l_3_0["%windir%\\system32\\igfxem.exe"] = 2
	l_3_0["%windir%\\system32\\igfxhk.exe"] = 2
	l_3_0["%windir%\\system32\\igfxtray.exe"] = 2
	l_3_0["%windir%\\system32\\macromed\\flash\\flashplayerupdateservice.exe"] = 2
	l_3_0["%windir%\\system32\\microsoft.uev.synccontroller.exe"] = 2
	l_3_0["%windir%\\system32\\notepad.exe"] = 2
	l_3_0["%windir%\\system32\\ntprint.exe"] = 2
	l_3_0["%windir%\\system32\\pcaui.exe"] = 2
	l_3_0["%windir%\\system32\\searchprotocolhost.exe"] = 2
	l_3_0["%windir%\\system32\\slui.exe"] = 2
	l_3_0["%windir%\\system32\\spool\\drivers"] = 2
	l_3_0["%windir%\\system32\\verclsid.exe"] = 2
	l_3_0["%windir%\\system32\\werfault.exe"] = 2
	l_3_0["%windir%\\system32\\werfaultsecure.exe"] = 2
	l_3_0["%windir%\\system32\\wermgr.exe"] = 2
	l_3_0["%windir%\\system32\\wevtutil.exe"] = 2
	l_3_0["%windir%\\system32\\wfs.exe"] = 2
	l_3_0["%windir%\\system32\\xpsrchvw.exe"] = 2
	l_3_0["%windir%\\system32\\msiexec.exe"] = 2
	l_3_0["%windir%\\syswow64\\config\\systemprofile\\sogouinput\\*\\sgtool.exe"] = 2
	l_3_0["%windir%\\syswow64\\ctfmon.exe"] = 2
	l_3_0["%windir%\\syswow64\\dwwin.exe"] = 2
	l_3_0["%windir%\\syswow64\\ieunatt.exe"] = 2
	l_3_0["%windir%\\syswow64\\ime\\imejp\\imjpdct.exe"] = 2
	l_3_0["%windir%\\syswow64\\ime\\shared\\imecfmui.exe"] = 2
	l_3_0["%windir%\\syswow64\\ime\\shared\\imepadsv.exe"] = 2
	l_3_0["%windir%\\syswow64\\macromed\\flash\\flashplayerupdateservice.exe"] = 2
	l_3_0["%windir%\\syswow64\\mspaint.exe"] = 2
	l_3_0["%windir%\\syswow64\\notepad.exe"] = 2
	l_3_0["%windir%\\syswow64\\openwith.exe"] = 2
	l_3_0["%windir%\\syswow64\\prevhost.exe"] = 2
	l_3_0["%windir%\\syswow64\\verclsid.exe"] = 2
	l_3_0["%windir%\\syswow64\\werfault.exe"] = 2
	l_3_0["%windir%\\syswow64\\wermgr.exe"] = 2
	l_3_0["%windir%\\syswow64\\xpsrchvw.exe"] = 2
	l_3_0["%windir%\\syswow64\\msiexec.exe"] = 2
	l_3_0["%windir%\\syswow64\\launchwinapp.exe"] = 2
	l_3_0["%windir%\\systemapps\\*\\microsoftedgecp.exe"] = 2
	l_3_0["%windir%\\winsxs\\*\\iexplore.exe"] = 2
	l_3_0["%windir%\\winsxs\\*\\splwow64.exe"] = 2
	l_3_0["%windir%\\winsxs\\*\\werfault.exe"] = 2
	l_3_0["%windir%\\system32\fsiso.exe"] = 2
	l_3_0["%userprofile%\\appdata\\local\\google\\chrome"] = 1
	l_3_0["%userprofile%\\appdata\\local\\microsoft\\onedrive"] = 1
	l_3_0["%userprofile%\\appdata\\locallow\\copitrak"] = 1
	l_3_0["%userprofile%\\appdata\\local\\centbrowser\\application\\chrome.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge\\application\\msedge.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge sxs\\application\\msedge.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge dev\\application\\msedge.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge beta\\application\\msedge.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\microsoft\\edgewebview\\application\\*\\msedgewebview2.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge sxs\\application\\*\\msedgewebview2.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge dev\\application\\*\\msedgewebview2.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\microsoft\\edge beta\\application\\*\\msedgewebview2.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\mozilla firefox\\*\\firefoxportable\\app\\firefox64\\firefox.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\mozilla firefox\\firefox.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\packages\\*\\localcache\\local\\google\\chrome\\application\\chrome.exe"] = 1
	l_3_0["%userprofile%\\appdata\\local\\packages\\*\\localcache\\local\\mozilla firefox\\firefox.exe"] = 1
	return l_3_0
	end
	<?xml version="1.0" encoding="utf-8"?>
	<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.0.0</VersionEx>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<Rules />
	<!--EKUS-->
	<EKUs />
	<!--File Rules-->
	<FileRules />
	<!--Signers-->
	<Signers>
	<Signer ID="ID_SIGNER_DEFENDER_FOR_ENDPOINT" Name="Microsoft Code Signing PCA 2011">
	<CertRoot Type="TBS" Value="F6F717A43AD9ABDDC8CEFDDE1C505462535E7D1307E630F9544A2D14FE8BF26E" />
	<CertPublisher Value="Microsoft Windows Defender Advanced Threat Protection" />
	</Signer>
	</Signers>
	<!--Driver Signing Scenarios-->
	<SigningScenarios>
	<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 10-27-2021">
	<ProductSigners />
	</SigningScenario>
	<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 10-27-2021">
	<ProductSigners>
	<AllowedSigners>
	<AllowedSigner SignerId="ID_SIGNER_DEFENDER_FOR_ENDPOINT" />
	</AllowedSigners>
	</ProductSigners>
	</SigningScenario>
	</SigningScenarios>
	<UpdatePolicySigners />
	<CiSigners>
	<CiSigner SignerId="ID_SIGNER_DEFENDER_FOR_ENDPOINT" />
	</CiSigners>
	<HvciOptions>0</HvciOptions>
	<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
	</SiPolicy>
	& {
	$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8

	$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileAccess]::Read)

	$calculatedHash = Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1' -Algorithm SHA256

	if (!($calculatedHash.Hash -eq 'd871ab44a81b93cdf3c7e235c246ea8b4bf65d9141d7797270c15dd6bbdb2803')) {
	exit 323; # ERROR_DATA_CHECKSUM_ERROR
	}

	. 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\7910.6064030.0.6552433-3a7d9fb541a03fc183f740777b7bb1aa20a20efd\046a3caf-d9ec-4da6-a32a-fb148992596a.ps1'
	}