Analysis

  • max time kernel
    69s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/11/2024, 16:21

Errors

Reason
Machine shutdown

General

  • Target

    DefenderRemover (2).exe

  • Size

    823KB

  • MD5

    879e3d30cc1392370ab0eec1601aa1b6

  • SHA1

    c85e5eb120d860b0a67e3f091d5e7c29a7643bfd

  • SHA256

    704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca

  • SHA512

    71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44

  • SSDEEP

    12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 64 IoCs
  • Modifies firewall policy service 3 TTPs 4 IoCs
  • Modifies security service 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 5 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
  • Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

    Disable Windows Driver Blocklist via Registry.

  • Boot or Logon Autostart Execution: LSASS Driver 2 TTPs 1 IoCs

    Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs

    Possibly turns off User Account Control's privilege elevation for standard users.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 32 IoCs
  • Runs .reg file with regedit 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe
    "C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c .\Script_Run.bat
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\choice.exe
        choice /C:yas /N
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2916
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps1
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1556
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2308
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:584
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Runs .reg file with regedit
              PID:1688
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2712
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1316
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2192
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
              6⤵
              • Windows security bypass
              • Runs .reg file with regedit
              PID:2316
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2172
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2180
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:572
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Runs .reg file with regedit
              PID:2644
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2432
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
              6⤵
              • Modifies data under HKEY_USERS
              • Runs .reg file with regedit
              PID:1852
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:872
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2876
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:1304
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
              6⤵
              • Modifies registry class
              • Runs .reg file with regedit
              PID:1552
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2160
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
            5⤵
            • Executes dropped EXE
            PID:1740
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2012
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:904
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2652
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
              6⤵
              • Windows security bypass
              • Runs .reg file with regedit
              PID:2044
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2828
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
            5⤵
            • Executes dropped EXE
            PID:3024
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
              6⤵
              • Modifies security service
              • Runs .reg file with regedit
              PID:2356
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1408
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:1100
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
              6⤵
              • Modifies firewall policy service
              • Runs .reg file with regedit
              PID:848
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1872
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2144
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:1580
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2316
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1484
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2400
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2944
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2104
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2624
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:772
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2036
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
              6⤵
              • Modifies registry class
              • Runs .reg file with regedit
              PID:2736
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1104
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:1664
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
            5⤵
            • Executes dropped EXE
            PID:1672
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2412
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:596
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        3⤵
        • Windows security bypass
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2772
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2476
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2364
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2620
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:1424
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:1796
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2516
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
        3⤵
        • Modifies firewall policy service
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:1868
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:1556
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:1864
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:2744
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        3⤵
        • System Location Discovery: System Language Discovery
        • Runs .reg file with regedit
        PID:1748
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2432
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:2260
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2608
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2280
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2236
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
          4⤵
          • Executes dropped EXE
          PID:884
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:3000
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
              6⤵
              • Boot or Logon Autostart Execution: LSASS Driver
              • Runs .reg file with regedit
              PID:1804
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2972
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
          4⤵
          • Executes dropped EXE
          PID:2272
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
            5⤵
            • Executes dropped EXE
            PID:1612
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
              6⤵
              • Modifies data under HKEY_USERS
              • Runs .reg file with regedit
              PID:2976
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1576
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
          4⤵
          • Executes dropped EXE
          PID:2624
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
            5⤵
            • Executes dropped EXE
            PID:2032
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
              6⤵
              • Modify Registry: Disable Windows Driver Blocklist
              • Runs .reg file with regedit
              PID:2520
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
        3⤵
        • Executes dropped EXE
        PID:1088
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
          4⤵
          • Executes dropped EXE
          PID:768
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:844
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
              6⤵
              • Modifies data under HKEY_USERS
              • Runs .reg file with regedit
              PID:2960
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
        3⤵
        • Executes dropped EXE
        PID:1104
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
          4⤵
          • Executes dropped EXE
          PID:696
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2144
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
              6⤵
              • Runs .reg file with regedit
              PID:1516
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
        3⤵
        • Executes dropped EXE
        PID:2000
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
          4⤵
          • Executes dropped EXE
          PID:2320
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
            5⤵
            • Executes dropped EXE
            PID:2692
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
              6⤵
              • Runs .reg file with regedit
              PID:1084
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
        3⤵
        • Executes dropped EXE
        PID:1452
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
          4⤵
          • Executes dropped EXE
          PID:2224
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
            5⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            PID:2136
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2412
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
        3⤵
        • Executes dropped EXE
        PID:2116
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
          4⤵
          PID:1376
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:3068
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
              6⤵
              • UAC bypass
              • Hijack Execution Flow: Executable Installer File Permissions Weakness
              • Runs .reg file with regedit
              PID:1676
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
        3⤵
        PID:1520
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
          4⤵
          PID:876
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:596
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
              6⤵
              • Runs .reg file with regedit
              PID:1872
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
        3⤵
        PID:1204
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
          4⤵
          PID:2088
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:988
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
              6⤵
              • Runs .reg file with regedit
              PID:1124
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
        3⤵
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
          4⤵
          PID:2164
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:2992
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2824
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
        3⤵
        PID:1516
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
          4⤵
          PID:2800
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:3004
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
              6⤵
              • Runs .reg file with regedit
              PID:1592
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
        3⤵
        PID:1624
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
          4⤵
          PID:2832
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
            5⤵
            PID:2468
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
              6⤵
              • Runs .reg file with regedit
              PID:2732
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
        3⤵
        PID:2852
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
          4⤵
          PID:2304
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
            5⤵
            PID:1684
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
              6⤵
              • Modifies registry class
              • Runs .reg file with regedit
              PID:1084
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
        3⤵
        PID:2464
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
          4⤵
          PID:2316
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
            5⤵
            • Modifies data under HKEY_USERS
            PID:404
            • C:\Windows\regedit.exe
              "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
              6⤵
              • Modifies firewall policy service
              • Runs .reg file with regedit
              PID:2760
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
        3⤵
        PID:1744
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
          4⤵
          PID:2920
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
            5⤵
            PID:2932
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
              6⤵
              PID:2056
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
        3⤵
        PID:2984
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
          4⤵
          PID:2272
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
            5⤵
            • Modifies data under HKEY_USERS
            PID:2828
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
              6⤵
              PID:2088
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
        3⤵
        PID:2764
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
          4⤵
          PID:2924
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
            5⤵
            • Modifies data under HKEY_USERS
            PID:2572
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
              6⤵
              PID:2264
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
        3⤵
        PID:2120
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
          4⤵
          PID:2060
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
            5⤵
            PID:2564
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
              6⤵
              PID:2872
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
        3⤵
        PID:2580
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
          4⤵
          PID:1976
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
            5⤵
            • Modifies data under HKEY_USERS
            PID:1516
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
              6⤵
              PID:2052
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
        3⤵
        PID:1272
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
          4⤵
          PID:1316
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
            5⤵
            PID:2976
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
              6⤵
              PID:2844
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
        3⤵
        PID:2152
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
          4⤵
          PID:872
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
            5⤵
            • Modifies data under HKEY_USERS
            PID:1852
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
              6⤵
              PID:2496
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
        3⤵
        PID:1632
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
          4⤵
          PID:2252
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
            5⤵
            • Modifies data under HKEY_USERS
            PID:1344
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
              6⤵
              PID:2896
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
        3⤵
        PID:1020
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
          4⤵
          PID:1872
          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
            5⤵
            PID:1036
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
              6⤵
              PID:676
      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
        3⤵
        PID:1880
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                            4⤵
                                                                                                              PID:1900
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                5⤵
                                                                                                                  PID:2668
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                    6⤵
                                                                                                                      PID:1376
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
                                                                                                                3⤵
                                                                                                                  PID:1700
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
                                                                                                                    4⤵
                                                                                                                      PID:2240
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
                                                                                                                        5⤵
                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                        PID:2224
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
                                                                                                                          6⤵
                                                                                                                            PID:2056
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                      PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                      3⤵
                                                                                                                        PID:2624
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                          4⤵
                                                                                                                            PID:2500
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                              5⤵
                                                                                                                                PID:1104
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""
                                                                                                                                  6⤵
                                                                                                                                    PID:1352
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                              PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
                                                                                                                              3⤵
                                                                                                                                PID:2712
                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
                                                                                                                                  4⤵
                                                                                                                                    PID:2492
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
                                                                                                                                      5⤵
                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                      PID:2212
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""
                                                                                                                                        6⤵
                                                                                                                                          PID:1752
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                    PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
                                                                                                                                    3⤵
                                                                                                                                      PID:1784
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
                                                                                                                                        4⤵
                                                                                                                                          PID:1000
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
                                                                                                                                            5⤵
                                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                                            PID:2848
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""
                                                                                                                                              6⤵
                                                                                                                                                PID:1552
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                          PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
                                                                                                                                          3⤵
                                                                                                                                            PID:2864
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
                                                                                                                                              4⤵
                                                                                                                                                PID:1048
                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
                                                                                                                                                  5⤵
                                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                                  PID:2660
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
                                                                                                                                                    6⤵
                                                                                                                                                      PID:1700
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
                                                                                                                                                3⤵
                                                                                                                                                  PID:2640
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
                                                                                                                                                    4⤵
                                                                                                                                                      PID:2176
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
                                                                                                                                                        5⤵
                                                                                                                                                          PID:2872
                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""
                                                                                                                                                            6⤵
                                                                                                                                                              PID:2648
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                        PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
                                                                                                                                                        3⤵
                                                                                                                                                          PID:2364
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
                                                                                                                                                            4⤵
                                                                                                                                                              PID:2592
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
                                                                                                                                                                5⤵
                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                PID:2248
                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:1500
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                              PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
                                                                                                                                                              3⤵
                                                                                                                                                                PID:2644
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
                                                                                                                                                                  4⤵
                                                                                                                                                                    PID:768
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
                                                                                                                                                                      5⤵
                                                                                                                                                                        PID:2792
                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                          "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""
                                                                                                                                                                          6⤵
                                                                                                                                                                            PID:2868
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                      PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:2164
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:2320
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
                  5⤵
                    • Modifies data under HKEY_USERS
                    PID:1532
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
                      6⤵
                        PID:1996
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
          3⤵
            PID:1528
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
              4⤵
                PID:1268
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
                  5⤵
                    PID:2376
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""
                      6⤵
                        PID:848
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
          3⤵
            PID:2432
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
              4⤵
                PID:2924
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
                  5⤵
                    • Modifies data under HKEY_USERS
                    PID:1948
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
                      6⤵
                        PID:3032
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
          3⤵
            PID:2784
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
              4⤵
                PID:2220
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
                  5⤵
                    • Modifies data under HKEY_USERS
                    PID:1976
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""
                      6⤵
                        PID:1392
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
          3⤵
            PID:1320
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
              4⤵
                PID:2768
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
                  5⤵
                    PID:2364
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
                      6⤵
                        PID:1624
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
          3⤵
            PID:696
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
              4⤵
                PID:2128
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
                  5⤵
                    • Modifies data under HKEY_USERS
                    PID:2972
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
                      6⤵
                        PID:784
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
          3⤵
            PID:880
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
              4⤵
                PID:2372
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
                  5⤵
                    • Modifies data under HKEY_USERS
                    PID:2688
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
                      6⤵
                        PID:772
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
          3⤵
            PID:948
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
              4⤵
                PID:2996
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
                  5⤵
                    • Modifies data under HKEY_USERS
                    PID:1380
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
                      6⤵
                        PID:1452
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
          3⤵
            PID:2436
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
              4⤵
                PID:1636
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
                  5⤵
                    PID:2892
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""
                      6⤵
                        PID:2272
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
          3⤵
            PID:2596
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
              4⤵
                PID:1312
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                          PID:492
                                                                                                                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""
                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                              PID:1736
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                        PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:2204
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                              PID:2732
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                PID:552
                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                  "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                    PID:2904
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                              PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:1660
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                    PID:1444
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                      PID:1804
                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                          PID:2840
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                    PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:1088
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                          PID:2096
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                              PID:2308
                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                  PID:2936
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                            PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                              PID:2220
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                  PID:444
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                      PID:1908
                                                                                                                                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                        "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
                                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                                          PID:2180
                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                    PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                      PID:2372
                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                          PID:2464
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                              PID:2112
                                                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
                                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                                  PID:2724
                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                            PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                              PID:1700
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                  PID:1020
                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                    PID:2852
                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys""
                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                        PID:2128
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                  PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                    PID:2260
                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                        PID:2712
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                            PID:2096
                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys""
                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                PID:1984
                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                            PID:2988
                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                PID:2496
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                    PID:1088
                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q
                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                        PID:2316
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                  PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                    PID:2676
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                        PID:2184
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                            PID:2584
                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q
                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                PID:1676
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                            PID:1156
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                PID:1188
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                    PID:1792
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q
                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                        PID:3036
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                  PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:2960
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                        PID:1900
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                            PID:2040
                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q
                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                PID:1204
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                            PID:1952
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
      4⤵
        PID:2012
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
          5⤵
            PID:1408
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q
              6⤵
                PID:2008
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
  3⤵
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
      4⤵
        PID:1320
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
          5⤵
            PID:2292
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q
              6⤵
                PID:676
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
  3⤵
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
      4⤵
        PID:1656
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
          5⤵
            PID:2812
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q
              6⤵
                PID:956
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
  3⤵
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
      4⤵
        PID:2024
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
          5⤵
            PID:2712
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q
              6⤵
                PID:2420
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
  3⤵
    PID:1452
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
      4⤵
        PID:1268
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
          5⤵
            PID:1668
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q
              6⤵
                PID:2540
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
  3⤵
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
      4⤵
        PID:2268
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q
          5⤵
            PID:1624
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q
              6⤵
                PID:2676
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
  3⤵
    PID:1272
                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:2588
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:2424
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q
                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:2272
                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                  PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:1352
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:852
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:1312
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q
                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:2012
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:1896
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:1424
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:2632
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:2404
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                  PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:3044
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:1880
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2520
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:2544
                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                            PID:2724
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      4⤵
        PID:2240
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
          5⤵
            PID:2576
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
              6⤵
                PID:3020
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
  3⤵
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
      4⤵
        PID:1896
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
          5⤵
            PID:2600
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q
              6⤵
                PID:2772
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
  3⤵
    PID:1692
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
      4⤵
        PID:2552
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
          5⤵
            PID:2008
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q
              6⤵
                PID:1952
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
  3⤵
    PID:2952
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
      4⤵
        PID:2024
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
          5⤵
            PID:2372
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q
              6⤵
                PID:1156
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
  3⤵
    PID:2920
    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
      4⤵
        PID:1032
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
          5⤵
            PID:2288
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q
              6⤵
                PID:2152
• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
  3⤵
    PID:1000
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2528
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:784
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1352
                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2300
                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2384
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2508
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2504
                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2164
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2044
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1900
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:1800
                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2588
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  5⤵
                    PID:2656
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q
                      6⤵
                        PID:2756
        • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
          3⤵
            PID:2980
            • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
              4⤵
                PID:2680
                • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
                  "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
                  5⤵
                    PID:2312
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q
                      6⤵
                        PID:2060
        • C:\Windows\SysWOW64\timeout.exe
          timeout 10
          3⤵
            • Delays execution with timeout.exe
            PID:2596
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown /r /f /t 0
          3⤵
            PID:1772
• C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241105162241.log C:\Windows\Logs\CBS\CbsPersist_20241105162241.cab
  1⤵
    PID:2064
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "194223660453074852-526454910-106110664419880930472794987571902071312274225688"
  1⤵
    PID:1484
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "708259886-584406424-129302424-1780450336-462256511-960555870340997988782528271"
  1⤵
    PID:1576
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-5642803151429806403-3547610521022714023921698885-1479706827-1101874266939449979"
  1⤵
    PID:2476
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "1411542842-16744639511034349091858210301-22643756415321081601715263801870295164"
  1⤵
    PID:1376
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-1012233847-314622622114799820-1814215941054314816-413591086807587091516618140"
  1⤵
    PID:696
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "1585183951-1351622258-170208819319837239701613685686-21404418071652166745-1438334162"
  1⤵
    PID:2412
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "66668048911085512351867348045-115626097315197658121413841540-393038747-1838518168"
  1⤵
    PID:880
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "-994438425130759331116691293671786760435-14586724227651154781655446695-1278724749"
  1⤵
    PID:2180
• C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "9151360531910444911-2634892701987257915-89504012210106233391944291150964268701"
  1⤵
    PID:2764
• C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            \??\C:\Windows\system32\conhost.exe "-70868699911250104141378527283-961858413111870610-68263274691228917-449064307"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1736
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              \??\C:\Windows\system32\conhost.exe "-117842091115242740721757520273-527437495-141413450-14693757801383664598802988770"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2152
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                \??\C:\Windows\system32\conhost.exe "355254960683047442-42918919114915667611199798-280480174-137899975-444766769"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2784
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "LogonUI.exe" /flags:0x0
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2356
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\LogonUI.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "LogonUI.exe" /flags:0x1
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2384

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Users\Admin\AppData\Local\Temp\1w4c8l4p.tmp
  Filesize: 28KB
  MD5: db2eb3078f924bc0049ae6e98653f2b0
  SHA1: fc058c55c2b670dea826418aebc602ad737f6285
  SHA256: f37b5230deb0e25cd3721e8b6653036b26dde8c7d567e4639458192daacef9f7
  SHA512: dca8ec245c856def9ff56536537b91456c967966939e94b602c085282ebbe5c95e12bb9f48772d3dbd43087ce3317debdc87bf635f3972b048ea4ec811d1b50a

• C:\Users\Admin\AppData\Local\Temp\2i3f0m8z.tmp
  Filesize: 28KB
  MD5: 9e7bb9c31083cc3a0f561d12311c9d83
  SHA1: 9102b88339566d5f0490c25180632043c8bb1809
  SHA256: 2658178fd2cb498195032c531bf3bb037954e0614aaec4c4ac2637f08d949bc1
  SHA512: 1fb30279a1f951a98f609eb749deb6c77082c28a30e1fdd4f3224ddac8ddfad134e8f3c44f82c32501da8a93a978e6cf8dfe591039a0e6af0d4d2a1dc5445699

• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
  Filesize: 873KB
  MD5: fc1fb033d57f72089fb4762245a8b18d
  SHA1: 7ec0f7ca5f0e0d20e5372bf69865d0a809e6cc8e
  SHA256: a6fa768c4964c328c748558627c20c2ba455e589a1b87cfa3911d197da1688d2
  SHA512: cff3833e592a5fe1f1fcb656c42e77fdd177c902f84cf396365cfa04edc9ec046de3473a943779d3815bc36bf48182101703b20b08ae580c2b3ba20508d231d0

• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\RemoveSecHealthApp.ps1
  Filesize: 1KB
  MD5:

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            e578450ec12ca326ee55a47f121defa3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5c9ac60207ce7bf80ca0cd075ec196deba41f2cc

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            b29d37c2d89b1d20ae79863e55a8bd41ee430a6115d695435cf3f5976dc35d32

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1d524d422883604f8841d6e88e3f1c138e55426c72c9ed0ba2a7cbd15c1bc01327c1e1f7087b28a3d7a47244b2b92b7bb054f40b3e0a63fc9f3d6fbf13e7ab5b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1ed85b1fd58eaf5b12f230e9f861efa5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            e34470a63ae079199a420e04494ccd723ebccfc5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            bb5e1cd5973932797a7c3c1706255c7314fd0843558ce270e296c735c1bb256f

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3c2a030b63d42713045e9cc9edc3c5602c82fd17e2f4cb74b8a64e894e8aaa2cb773b86b03754ce6f60ea72c6be0eee559d980237378c1aa54c4147b4e91f594

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            8KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            577d9bbc801d8c6df2d0f0b1aff298f4

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4c42779c0061075629692ad18f15adc369d8ca79

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            99fdaaaf838c00099e5beadd4725be22cdc4687f2aded7670fa12bc95f888409

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3bf58a3e6314807362807e562008427a8f4149f926ec24874e81fd6574e8d26f9bfe4f633ff95d0f2b1036152b0b1a7bf1f916d238b3048ec475db2f5f64393e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            dc3b2b1aad7850d42d5154f0e11a3121

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            f8a9fe5e2a7b1b76ced9cd4f7495b2144adc9fbe

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            c12fa69a11f6b935d127295336b053a3a7bf3277b81bf9092e978b1420fa3bc3

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            f73bd0111dbe06640016765181d4e91b726fd3c53e0ba74049b263a430a32dd347e5004151650bc832d85d93e5e893793376a8013c1d8492f5c0256a3b6176fa

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            1KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ec521e7934667f3b0c3000b88c020b47

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            a1cab54cbe572995cd075a6723c0fff038551711

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            4aa6abeefaa66645923525a48911311060164fbfcfe8ffded6c6fac6d8b8fc04

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            c036043681bb2fe346e0a989e6981d62f40c89cfb036f6d65766319c6fb1c295ae25fe1befed7fd827b79c79927bb4dbe9fd0918bb768183147704889822e05f

• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg

    Filesize 4KB
    MD5 bec3d75cd3a619595427f9a122adfd25
    SHA1 1003c1c4833e1c9d9b43ff7c0a2dc2e85d07275e
    SHA256 de5d76c4c1be4b15ff011c46e4ff3101f5ffd3ac7ee8bab00753feaae208f75c
    SHA512 56827aaf3b106c18a4563e14e07d8372d7e96fa3103f63ab9e1a98e4e9fc77c3f37f7d7591bf7102fa2261ef812578498d73f3468c48c22782933635e8272a49

• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg

    Filesize 574B
    MD5 3efc2ed4909f33432d597d950d9cf9eb
    SHA1 38603fe0665fbfa8c2a2c45fba11800433e6a8f4
    SHA256 8143feeb32a4edbd649ce033a551f878360603aa248faf82d01c1f292cf49a4c
    SHA512 743bfa2eebdc9b1754fc70fd5004a8984e17a3469dd0a31a20ec1abbd1e87efc490f0f419bb33dd2750545276fdf6505bea1ae88dce81f437b0eab68e62584ee

• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg

    Filesize 1KB
    MD5 4193b815bedd1a921e38b6724ad2df63
    SHA1 d371e4643149d0bd2cab2e8090fadab78398728e
    SHA256 f5e7910242b58b72c7a24ac1b5455adaac5ac3af013f42e041d5e75dabfe6c4f
    SHA512 cdfa900ef8825bf4de1353cad13280d3f61e2ad4efb33ccff3ae39ef7dfb27db36d451e764353c5cb972fde63d2deb8e927abc4dc7f06b828e534657e42253d8

• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg

    Filesize 605B
    MD5 6a7ac93420d7960a4d7f2bbe805e9ff7
    SHA1 e228c0525def730eafb57044886b0c673900aa1c
    SHA256 83f076d81891a2079197344dd5971fc419a56d7c4263b1f17ed31c73aa026dcb
    SHA512 ee535f4eac8024185110515fe98dc6385cce6f2cb07291cfa244e8b0c2dbbfd265dc7d9e61029612c789f3cc96c10fa57410e4813ecaf214dacd0ecd9b8958ac

• C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Script_Run.bat

    Filesize 9KB
    MD5 f5f2b8421012d9ce3dec75b23d6d3dac
    SHA1 62bb1f88eb6207caa946eb101d8e5c5a2c56df7f
    SHA256 ada4a79590a11e83cc9c99266fdebe23e5cbfe15aee08cc260668a9956fa21d2
    SHA512 d6ad16a7b69637a49464e1556631f853b85bb12548613c29247c9cf832c1cd0b77d0f2e3ef60cb84e378a3f1cb29870e110b9dbf1b8d4426ea665b14d8ef592d

• C:\Users\Admin\AppData\Local\Temp\autBCF9.tmp

    Filesize 11KB
    MD5 4a83df1d945c2f5801ed59650d7460eb
    SHA1 31827890e1df99268c0f80dcb26774225e4c3a5d
    SHA256 2d993be76dfcf35f89b656b4dbc553e078d824974b482e56c6f76eaea87731c8
    SHA512 eacb88683e3c999a1cdc9d9e4a4030723164e358d7cd85f7cfc02b99f33be991c89af5602349b48b5388520968a43a2a45b4b6d2f468f2b888088cf95bd591d2

• C:\Users\Admin\AppData\Local\Temp\autBD57.tmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            10KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            09ca17eb552722bd7004097f59b07518

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            36cf9da188460542e58acb97fa0ef0bfd9a4e172

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            365c32c3c09228158ab5aaabfcf93cdfcd858be0b2a00031d82ab03070f61a5b

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3dc6ed86df50f87b12635032fb30840e94bea699ac193a16099a2ce1a9bd5e39147f115fb938c177991dc0dcfd5abab075632a1d0b46e6009a86eea3a27156bf

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\autBD58.tmp

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            5KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            96c0e61f3298cb745b021f67e7dd0d48

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            a61adbe460c68a3087ff1ba75620dbb86af28e40

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            3e56c22a81ab1168036a289c7ffe2889dd678c422568dff9ef91d6a0f9005333

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            dbbfdd4ad2c80ff9df0b21dfd011420baba54a7114d0e0ff5371dda9c9389d90422a4311881ac2bdb5ba7c4334d210b61c6c0fc691ae503e32930109d9251f3e

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            7KB

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            MD5

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            d35d0dc0152caf5ed54ce32708486ea7

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            ce38c6979611e5c2440dc0024422e1007a7ccf51

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            fefeec2a8b73523f3cc5cc7bd92191fae6528abd1a0b06b88e2084e4d4db4b69

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            eb25092cda6994466c862b265ae890ddb0e53409d972f788584d8412336646952eddcaf633b6c75385d43a622d9093801a6f6a31c649570a8aa3c801eb259a23