hxxps://vencord[.]dev/download

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"	regedit.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"	regedit.exe

Downloads MZ/PE file

Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

Disable Windows Driver Blocklist via Registry.

defense_evasion

Modify Registry

persistence credential_access

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	regedit.exe

Boot or Logon Autostart Execution: LSASS Driver 2 TTPs 1 IoCs

Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.

LSASS Driver

T1547.008

LSASS Memory

T1003.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0"	regedit.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
1164	VencordInstaller.exe
5040	VencordInstaller.exe
4216	VencordInstaller.exe
1364	DiscordSetup.exe
3444	Update.exe
1432	Discord.exe
1212	Discord.exe
2984	Update.exe
4764	Discord.exe
4116	Discord.exe
4452	Update.exe
4628	Update.exe
2628	DefenderRemover.exe
1884	PowerRun.exe
4700	PowerRun.exe
2424	PowerRun.exe
4852	PowerRun.exe
1568	PowerRun.exe
4604	PowerRun.exe
3640	PowerRun.exe
2080	PowerRun.exe
1552	PowerRun.exe
892	PowerRun.exe
3440	PowerRun.exe
2748	dismhost.exe
1568	PowerRun.exe
1652	PowerRun.exe
412	PowerRun.exe
5048	PowerRun.exe
5160	PowerRun.exe
5168	PowerRun.exe
5300	PowerRun.exe
5784	PowerRun.exe
5804	PowerRun.exe
5912	PowerRun.exe
6128	PowerRun.exe
1988	PowerRun.exe
1888	PowerRun.exe
5236	PowerRun.exe
5224	PowerRun.exe
5592	PowerRun.exe
5576	PowerRun.exe
3304	PowerRun.exe
5724	PowerRun.exe
5980	PowerRun.exe
5920	PowerRun.exe
6020	PowerRun.exe
5916	PowerRun.exe
3840	PowerRun.exe
5132	PowerRun.exe
6132	PowerRun.exe
1888	PowerRun.exe
5276	PowerRun.exe
5860	PowerRun.exe
5224	PowerRun.exe
5736	PowerRun.exe
3752	PowerRun.exe
6096	PowerRun.exe
4032	PowerRun.exe
5264	PowerRun.exe
2652	PowerRun.exe
3216	PowerRun.exe
5504	PowerRun.exe
5600	PowerRun.exe

Loads dropped DLL 13 IoCs

pid	Process
1432	Discord.exe
1212	Discord.exe
4764	Discord.exe
4116	Discord.exe
4764	Discord.exe
4764	Discord.exe
4764	Discord.exe
4764	Discord.exe
2748	dismhost.exe
2748	dismhost.exe
2748	dismhost.exe
2748	dismhost.exe
2748	dismhost.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

defense_evasion persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	regedit.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	discord.com
65	discord.com
66	discord.com

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
724	powershell.exe
1988	powershell.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\VencordInstaller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DefenderRemover.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DefenderRemover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2920	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\LowLevelHooksTimeout = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\SmartScreenEnabled	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance\Enabled = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\AppHost\PreventOverride = "0"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MenuShowDelay = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Security Health	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-95457810-830748662-4054918673-1000\{710D8E35-9F6A-4055-940A-55C29F7A9975}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord\shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9155\\Discord.exe\" --url -- \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open\command	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9155\\Discord.exe\",-1"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\ms-cxh	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord\URL Protocol	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Discord\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Application	regedit.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

pid	Process
2964	reg.exe
4144	reg.exe
2984	reg.exe
768	reg.exe
1284	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	VencordInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VencordInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VencordInstaller.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 566630.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 124239.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 831417.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DefenderRemover.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\download.htm:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 393596.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VencordInstaller.exe:Zone.Identifier	msedge.exe

Runs .reg file with regedit 42 IoCs

pid	Process
5828	regedit.exe
5144	regedit.exe
5252	regedit.exe
5568	regedit.exe
5556	regedit.exe
2952	regedit.exe
5748	regedit.exe
5748	regedit.exe
5892	regedit.exe
5540	regedit.exe
5192	regedit.exe
5848	regedit.exe
5484	regedit.exe
5488	regedit.exe
5756	regedit.exe
6112	regedit.exe
2652	regedit.exe
5760	regedit.exe
5304	regedit.exe
4720	regedit.exe
2040	regedit.exe
5748	regedit.exe
5948	regedit.exe
5188	regedit.exe
552	regedit.exe
5508	regedit.exe
5856	regedit.exe
6104	regedit.exe
3216	regedit.exe
5168	regedit.exe
724	regedit.exe
5160	regedit.exe
2300	regedit.exe
5740	regedit.exe
892	regedit.exe
5468	regedit.exe
5552	regedit.exe
3116	regedit.exe
5200	regedit.exe
5676	regedit.exe
5296	regedit.exe
5192	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3812	msedge.exe
3812	msedge.exe
4904	msedge.exe
4904	msedge.exe
2856	msedge.exe
2856	msedge.exe
3204	identity_helper.exe
3204	identity_helper.exe
3308	msedge.exe
3308	msedge.exe
2056	msedge.exe
2056	msedge.exe
4672	msedge.exe
4672	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2480	msedge.exe
2964	msedge.exe
2964	msedge.exe
4132	msedge.exe
4132	msedge.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
724	powershell.exe
724	powershell.exe
1884	PowerRun.exe
1884	PowerRun.exe
724	powershell.exe
1884	PowerRun.exe
1884	PowerRun.exe
4700	PowerRun.exe
4700	PowerRun.exe
2424	PowerRun.exe
4700	PowerRun.exe
2424	PowerRun.exe
4700	PowerRun.exe
2424	PowerRun.exe
2424	PowerRun.exe
1568	PowerRun.exe
1568	PowerRun.exe
1568	PowerRun.exe
1568	PowerRun.exe
4604	PowerRun.exe
4604	PowerRun.exe
4604	PowerRun.exe
4604	PowerRun.exe
2080	PowerRun.exe
2080	PowerRun.exe
1552	PowerRun.exe
1552	PowerRun.exe
2080	PowerRun.exe
2080	PowerRun.exe
1552	PowerRun.exe
1552	PowerRun.exe
3440	PowerRun.exe
3440	PowerRun.exe
3440	PowerRun.exe
3440	PowerRun.exe
1568	PowerRun.exe
1568	PowerRun.exe
1568	PowerRun.exe
1568	PowerRun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4904	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1460	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1460	AUDIODG.EXE
Token: SeShutdownPrivilege	1432	Discord.exe
Token: SeCreatePagefilePrivilege	1432	Discord.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeDebugPrivilege	1884	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	1884	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	1884	PowerRun.exe
Token: 0	1884	PowerRun.exe
Token: SeDebugPrivilege	4700	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	4700	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	4700	PowerRun.exe
Token: SeDebugPrivilege	2424	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	2424	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	2424	PowerRun.exe
Token: 0	2424	PowerRun.exe
Token: SeDebugPrivilege	1568	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	1568	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	1568	PowerRun.exe
Token: SeDebugPrivilege	4604	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	4604	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	4604	PowerRun.exe
Token: 0	4604	PowerRun.exe
Token: SeDebugPrivilege	2080	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	2080	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	2080	PowerRun.exe
Token: SeDebugPrivilege	1552	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	1552	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	1552	PowerRun.exe
Token: 0	1552	PowerRun.exe
Token: SeDebugPrivilege	3440	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	3440	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	3440	PowerRun.exe
Token: SeDebugPrivilege	1568	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	1568	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	1568	PowerRun.exe
Token: 0	1568	PowerRun.exe
Token: SeDebugPrivilege	412	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	412	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	412	PowerRun.exe
Token: SeDebugPrivilege	5048	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	5048	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	5048	PowerRun.exe
Token: 0	5048	PowerRun.exe
Token: SeBackupPrivilege	724	powershell.exe
Token: SeRestorePrivilege	724	powershell.exe
Token: SeDebugPrivilege	5168	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	5168	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	5168	PowerRun.exe
Token: SeDebugPrivilege	5300	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	5300	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	5300	PowerRun.exe
Token: 0	5300	PowerRun.exe
Token: SeDebugPrivilege	5804	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	5804	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	5804	PowerRun.exe
Token: SeDebugPrivilege	5912	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	5912	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	5912	PowerRun.exe
Token: 0	5912	PowerRun.exe
Token: SeDebugPrivilege	6128	PowerRun.exe
Token: SeAssignPrimaryTokenPrivilege	6128	PowerRun.exe
Token: SeIncreaseQuotaPrivilege	6128	PowerRun.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1164	VencordInstaller.exe
5040	VencordInstaller.exe
4216	VencordInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 2412	4904	msedge.exe	78
PID 4904 wrote to memory of 2412	4904	msedge.exe	78
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 4484	4904	msedge.exe	79
PID 4904 wrote to memory of 3812	4904	msedge.exe	80
PID 4904 wrote to memory of 3812	4904	msedge.exe	80
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81
PID 4904 wrote to memory of 4332	4904	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vencord.dev/download
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd26b3cb8,0x7fffd26b3cc8,0x7fffd26b3cd8
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3328 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2056
- C:\Users\Admin\Downloads\VencordInstaller.exe
  "C:\Users\Admin\Downloads\VencordInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1164
- C:\Users\Admin\Downloads\VencordInstaller.exe
  "C:\Users\Admin\Downloads\VencordInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:892
- C:\Users\Admin\Downloads\VencordInstaller.exe
  "C:\Users\Admin\Downloads\VencordInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1996 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5584 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3304 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2964
- C:\Users\Admin\Downloads\DiscordSetup.exe
  "C:\Users\Admin\Downloads\DiscordSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1364
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3444
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe" --squirrel-install 1.0.9155
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1432
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe
        
        C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9155 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.2.0 --initial-client-data=0x528,0x52c,0x530,0x520,0x534,0x7ff6edb5f218,0x7ff6edb5f224,0x7ff6edb5f230
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1212
    - - C:\Users\Admin\AppData\Local\Discord\Update.exe
        
        C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2984
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,8761735049475405697,2099010107577379757,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1920 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4764
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2480,i,8761735049475405697,2099010107577379757,262144 --enable-features=kWebSQLAccess --disable-features=HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1920 /prefetch:3
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4116
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:768
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:1284
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:2964
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe\",-1" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:4144
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9155\Discord.exe\" --url -- \"%1\"" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7916 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7236 /prefetch:8
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7824 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Users\Admin\Downloads\DefenderRemover.exe
  "C:\Users\Admin\Downloads\DefenderRemover.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c .\Script_Run.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1504
  - - C:\Windows\SysWOW64\choice.exe
      choice /C:yas /N
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1988
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:724
      - C:\Users\Admin\AppData\Local\Temp\3C5900EB-1E21-4393-B66A-5451FAB8171D\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\3C5900EB-1E21-4393-B66A-5451FAB8171D\dismhost.exe {F1B76054-BA1A-403C-9398-F7CEA4669992}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableAntivirusProtection.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableAntivirusProtection.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableAntivirusProtection.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4852
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableAntivirusProtection.reg"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Runs .reg file with regedit
        
        PID:892
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3640
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        7⤵
        Windows security bypass
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderPolicies.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4604
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderPolicies.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderPolicies.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:892
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderPolicies.reg"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Runs .reg file with regedit
        
        PID:552
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1652
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        7⤵
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:5144
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1568
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        6⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5756
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveDefenderTasks.reg"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5048
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveDefenderTasks.reg"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5168
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveDefenderTasks.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5784
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveDefenderTasks.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:6112
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5300
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5804
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1988
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5252
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveServices.reg"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5912
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveServices.reg"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:6128
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveServices.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5236
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveServices.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveShellAssociation.reg"
      4⤵
      Executes dropped EXE
      PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveShellAssociation.reg"
        5⤵
        Executes dropped EXE
        
        PID:5224
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveShellAssociation.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5576
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveShellAssociation.reg"
        7⤵
        Modifies firewall policy service
        Modifies registry class
        Runs .reg file with regedit
        
        PID:5892
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveSignatureUpdates.reg"
      4⤵
      Executes dropped EXE
      PID:5592
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        5⤵
        Executes dropped EXE
        
        PID:3304
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5980
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5168
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveStartupEntries.reg"
      4⤵
      Executes dropped EXE
      PID:5724
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveStartupEntries.reg"
        5⤵
        Executes dropped EXE
        
        PID:5920
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveStartupEntries.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5916
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveStartupEntries.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
      4⤵
      Executes dropped EXE
      PID:6020
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        5⤵
        Executes dropped EXE
        
        PID:3840
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1888
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        7⤵
        Modifies registry class
        Runs .reg file with regedit
        
        PID:5540
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
      4⤵
      Executes dropped EXE
      PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        5⤵
        Executes dropped EXE
        
        PID:6132
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5276
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5192
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableAntivirusProtection.reg"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5468
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5508
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\DisableDefenderPolicies.reg"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5552
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5556
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5676
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveDefenderTasks.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:724
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5760
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveServices.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5748
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveShellAssociation.reg"
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry class
      Runs .reg file with regedit
      PID:5160
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveSignatureUpdates.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5296
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveStartupEntries.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5304
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5856
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5848
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
      4⤵
      Executes dropped EXE
      PID:5860
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
        5⤵
        Executes dropped EXE
        
        PID:5224
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3752
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
      4⤵
      Executes dropped EXE
      PID:5736
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
        5⤵
        Executes dropped EXE
        
        PID:6096
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5264
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
        7⤵
        Boot or Logon Autostart Execution: LSASS Driver
        Runs .reg file with regedit
        
        PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
      4⤵
      Executes dropped EXE
      PID:4032
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
        5⤵
        Executes dropped EXE
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:5504
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
        7⤵
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
      4⤵
      Executes dropped EXE
      PID:3216
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
        5⤵
        Executes dropped EXE
        
        PID:5600
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5160
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
        7⤵
        Modify Registry: Disable Windows Driver Blocklist
        Runs .reg file with regedit
        
        PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
      4⤵
      PID:5556
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
        5⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:1384
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
        7⤵
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
      4⤵
      PID:5828
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
        5⤵
        
        PID:1236
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:6120
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5484
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
      4⤵
      PID:4072
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
        5⤵
        
        PID:6140
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
        6⤵
        
        PID:5148
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
      4⤵
      PID:4032
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
        5⤵
        
        PID:5496
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5804
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5828
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableUAC.reg"
      4⤵
      PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableUAC.reg"
        5⤵
        
        PID:5676
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableUAC.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:552
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableUAC.reg"
        7⤵
        UAC bypass
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Runs .reg file with regedit
        
        PID:5948
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableVBS.reg"
      4⤵
      PID:6048
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableVBS.reg"
        5⤵
        
        PID:3684
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableVBS.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5188
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\DisableVBS.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5488
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
      4⤵
      PID:5956
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
        5⤵
        
        PID:5668
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
        6⤵
        
        PID:2952
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
      4⤵
      PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
        5⤵
        
        PID:3840
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
        6⤵
        
        PID:2848
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5740
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
      4⤵
      PID:5684
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
        5⤵
        
        PID:5216
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
        6⤵
        
        PID:2324
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
      4⤵
      PID:5844
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
        5⤵
        
        PID:5804
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
        6⤵
        
        PID:5948
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5188
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
      4⤵
      PID:776
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
        5⤵
        
        PID:4276
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
        6⤵
        
        PID:5272
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
      4⤵
      PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
        5⤵
        
        PID:5260
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
        6⤵
        
        PID:5668
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
      4⤵
      PID:5480
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        5⤵
        
        PID:6132
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        6⤵
        
        PID:3840
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        7⤵
        
        PID:5216
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
      4⤵
      PID:5604
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        5⤵
        
        PID:5920
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        6⤵
        
        PID:4132
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        7⤵
        
        PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
      4⤵
      PID:3440
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        5⤵
        
        PID:5352
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        6⤵
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        7⤵
        
        PID:5952
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
      4⤵
      PID:5532
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
        5⤵
        
        PID:5628
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
        6⤵
        
        PID:5640
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
        7⤵
        
        PID:6000
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
      4⤵
      PID:5528
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
        5⤵
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
        6⤵
        
        PID:5168
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
        7⤵
        
        PID:6084
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
      4⤵
      PID:5576
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        5⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        6⤵
        
        PID:1900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        7⤵
        
        PID:5184
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
      4⤵
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
        5⤵
        
        PID:6116
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
        6⤵
        
        PID:5452
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
        7⤵
        
        PID:5304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5748
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
      4⤵
      PID:5128
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
        5⤵
        
        PID:4208
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
        6⤵
        
        PID:6108
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
        7⤵
        
        PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
      4⤵
      PID:5744
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
        5⤵
        
        PID:5688
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
        6⤵
        
        PID:5640
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
        7⤵
        
        PID:5444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
      4⤵
      PID:2648
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
        5⤵
        
        PID:1472
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
        6⤵
        
        PID:5732
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
        7⤵
        
        PID:5680
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
      4⤵
      PID:4432
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
        5⤵
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
        6⤵
        
        PID:1988
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
        7⤵
        
        PID:5852
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
      4⤵
      PID:5236
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
        5⤵
        
        PID:6044
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
        6⤵
        
        PID:5604
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
        7⤵
        
        PID:5924
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
      4⤵
      PID:5968
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
        5⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
        6⤵
        
        PID:4208
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""
        7⤵
        
        PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
      4⤵
      PID:6116
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
        5⤵
        
        PID:5608
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
        6⤵
        
        PID:5428
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""
        7⤵
        
        PID:2312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
      4⤵
      PID:552
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
        5⤵
        
        PID:5300
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
        6⤵
        
        PID:5200
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
        7⤵
        
        PID:5940
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
      4⤵
      PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
        5⤵
        
        PID:724
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
        6⤵
        
        PID:4620
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""
        7⤵
        
        PID:5472
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
      4⤵
      PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
        5⤵
        
        PID:940
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
        6⤵
        
        PID:5344
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
        7⤵
        
        PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
      4⤵
      PID:5372
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
        5⤵
        
        PID:5956
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
        6⤵
        
        PID:5276
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""
        7⤵
        
        PID:6068
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
      4⤵
      PID:6096
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
        5⤵
        
        PID:5212
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
        6⤵
        
        PID:5508
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
        7⤵
        
        PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
      4⤵
      PID:5848
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
        5⤵
        
        PID:6092
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
        6⤵
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""
        7⤵
        
        PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
      4⤵
      PID:5192
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
        5⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
        6⤵
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
        7⤵
        
        PID:5448
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
      4⤵
      PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
        5⤵
        
        PID:5636
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
        6⤵
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""
        7⤵
        
        PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
      4⤵
      PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
        5⤵
        
        PID:5228
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
        6⤵
        
        PID:5348
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
        7⤵
        
        PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
      4⤵
      PID:484
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
        5⤵
        
        PID:5848
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
        6⤵
        
        PID:5856
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
        7⤵
        
        PID:5412
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
      4⤵
      PID:5824
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
        5⤵
        
        PID:5776
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
        6⤵
        
        PID:6116
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
        7⤵
        
        PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
      4⤵
      PID:5432
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
        5⤵
        
        PID:5128
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
        6⤵
        
        PID:5248
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
        7⤵
        
        PID:392
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
      4⤵
      PID:5464
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
        5⤵
        
        PID:5588
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
        6⤵
        
        PID:5724
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""
        7⤵
        
        PID:5824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6020
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
      4⤵
      PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
        5⤵
        
        PID:5912
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
        6⤵
        
        PID:5124
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""
        7⤵
        
        PID:3216
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
      4⤵
      PID:732
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
        5⤵
        
        PID:1244
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
        6⤵
        
        PID:5596
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
        7⤵
        
        PID:6116
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
      4⤵
      PID:4620
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
        5⤵
        
        PID:5696
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
        6⤵
        
        PID:5608
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
        7⤵
        
        PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
      4⤵
      PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
        5⤵
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
        6⤵
        
        PID:5164
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
        7⤵
        
        PID:5216
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
      4⤵
      PID:5872
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
        5⤵
        
        PID:5196
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
        6⤵
        
        PID:5520
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
        7⤵
        
        PID:5420
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
      4⤵
      PID:5472
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
        5⤵
        
        PID:6100
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
        6⤵
        
        PID:5676
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
        7⤵
        
        PID:4132
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
      4⤵
      PID:5440
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
        5⤵
        
        PID:5272
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
        6⤵
        
        PID:5300
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
        7⤵
        
        PID:5636
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
      4⤵
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
        5⤵
        
        PID:5580
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
        6⤵
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
        7⤵
        
        PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
      4⤵
      PID:5904
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
        5⤵
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
        6⤵
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
        7⤵
        
        PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
      4⤵
      PID:1424
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
        5⤵
        
        PID:5824
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
        6⤵
        
        PID:5512
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
        7⤵
        
        PID:5592
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
      4⤵
      PID:724
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
        5⤵
        
        PID:5388
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
        6⤵
        
        PID:4276
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
        7⤵
        
        PID:5804
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
      4⤵
      PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
        5⤵
        
        PID:4036
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
        6⤵
        
        PID:5652
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
        7⤵
        
        PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
      4⤵
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
        5⤵
        
        PID:5648
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
        6⤵
        
        PID:2544
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
        7⤵
        
        PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
      4⤵
      PID:5352
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
        5⤵
        
        PID:2984
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
        6⤵
        
        PID:5436
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
        7⤵
        
        PID:5456
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
      4⤵
      PID:5216
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
        5⤵
        
        PID:2588
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
        6⤵
        
        PID:5832
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
        7⤵
        
        PID:5804
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
      4⤵
      PID:5244
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
        5⤵
        
        PID:6128
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
        6⤵
        
        PID:4852
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
        7⤵
        
        PID:5548
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
      4⤵
      PID:5140
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
        5⤵
        
        PID:5324
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
        6⤵
        
        PID:5400
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
        7⤵
        
        PID:5604
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
      4⤵
      PID:5192
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
        5⤵
        
        PID:5580
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
        6⤵
        
        PID:5428
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q
        7⤵
        
        PID:5600
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
      4⤵
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
        5⤵
        
        PID:5208
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
        6⤵
        
        PID:5696
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
        7⤵
        
        PID:5980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
      4⤵
      PID:5296
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
        5⤵
        
        PID:5636
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
        6⤵
        
        PID:5960
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
        7⤵
        
        PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
      4⤵
      PID:5456
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
        5⤵
        
        PID:4276
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
        6⤵
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q
        7⤵
        
        PID:5500
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
      4⤵
      PID:5816
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
        5⤵
        
        PID:5396
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
        6⤵
        
        PID:5048
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
        7⤵
        
        PID:5428
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      4⤵
      PID:5260
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        5⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        6⤵
        
        PID:5404
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        7⤵
        
        PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      4⤵
      PID:5984
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        5⤵
        
        PID:5840
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        6⤵
        
        PID:5152
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        7⤵
        
        PID:5876
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
      4⤵
      PID:5452
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        5⤵
        
        PID:4120
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        6⤵
        
        PID:5640
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        7⤵
        
        PID:1244
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
      4⤵
      PID:6000
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
        5⤵
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
        6⤵
        
        PID:5684
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
        7⤵
        
        PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
      4⤵
      PID:5772
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
        5⤵
        
        PID:5700
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
        6⤵
        
        PID:1900
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
        7⤵
        
        PID:5900
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
      4⤵
      PID:5996
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        5⤵
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        6⤵
        
        PID:2400
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        7⤵
        
        PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
      4⤵
      PID:5836
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
        5⤵
        
        PID:5280
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
        6⤵
        
        PID:5756
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
        7⤵
        
        PID:5640
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
      4⤵
      PID:5644
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
        5⤵
        
        PID:904
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
        6⤵
        
        PID:5292
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
        7⤵
        
        PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
      4⤵
      PID:5788
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
        5⤵
        
        PID:5772
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
        6⤵
        
        PID:5796
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q
        7⤵
        
        PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
      4⤵
      PID:5244
    - - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
        5⤵
        
        PID:5236
      - C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSDDCA.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
        6⤵
        
        PID:5664
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
        7⤵
        
        PID:5548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 10
      4⤵
      Delays execution with timeout.exe
      PID:2920
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /f /t 0
      4⤵
      PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,14132094821918880435,6999135297065009270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:5176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3256

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1628

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1380

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004BC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:5064

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4452

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4628

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa392b855 /state1:0x41c64e6d
1⤵
PID:5392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

LSASS Driver

T1547.008

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

LSASS Driver

T1547.008

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry