Analysis

max time kernel: 69s
max time network: 83s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2024, 16:21

Static task: static1

Behavioral task: behavioral1
Sample: DefenderRemover (2).exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: DefenderRemover (2).exe
Resource: win10v2004-20241007-en

Errors

General

Target: DefenderRemover (2).exe
Size: 823KB
MD5: 879e3d30cc1392370ab0eec1601aa1b6
SHA1: c85e5eb120d860b0a67e3f091d5e7c29a7643bfd
SHA256: 704ebc20fe0c7678a2b73d97ba6ad2945ece3a7d35ba0e0a394b629570af00ca
SHA512: 71a5987a9f2fde213992be76865c0d57a4113027adf53aa515eaaa42c8f02e895297795a3c02f60ff837dcd045fa072814567ea1b65257c8006a0aa5f3e7bd44
SSDEEP: 12288:g1OgLdaiqSqzU7rOv/O6/NH90u9KIyburq6fAdAYmyX:g1OYdaaIO6/LXEYr8dAByX
Malware Config
Signatures

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIntrusionPreventionSystem = "1" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableInformationProtectionControl = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\IOAVMaxSize = "1298" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\RealtimeScanDirection = "2" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideRealtimeScanDirection = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring = "0" | regedit.exe
Modifies firewall policy service 3 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | regedit.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System | regedit.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | regedit.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | regedit.exe
Modifies security service 2 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters | regedit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security | regedit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0 | regedit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo | regedit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters | regedit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security | regedit.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | regedit.exe
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" | regedit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" | regedit.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions | regedit.exe
Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs
Disable Windows Driver Blocklist via Registry.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0" | regedit.exe
Boot or Logon Autostart Execution: LSASS Driver 2 TTPs 1 IoCs
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0" | regedit.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 1 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | regedit.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
pid | Process
1556 | powershell.exe
1904 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Delays execution with timeout.exe 1 IoCs
pid | Process
2596 | timeout.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 32 IoCs
Runs .reg file with regedit 42 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

PID 1680 (depth 1): C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DefenderRemover (2).exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID 2860 (depth 2): C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c .\Script_Run.bat
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 2916 (depth 3): C:\Windows\SysWOW64\choice.exe
      Command line: choice /C:yas /N
      - System Location Discovery: System Language Discovery

    PID 1904 (depth 3): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""RemoveSecHealthApp.ps1""' -Verb RunAs}"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID 1556 (depth 4): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "RemoveSecHealthApp.ps1
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    PID 2308 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID 1752 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 584 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          - Suspicious use of WriteProcessMemory
          PID 1688 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
            - Modifies Windows Defender Real-time Protection settings
            - Runs .reg file with regedit

    PID 2712 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID 1316 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 2192 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID 2316 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
            - Windows security bypass
            - Runs .reg file with regedit

    PID 2172 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID 2180 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 572 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          - Suspicious use of WriteProcessMemory
          PID 2644 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
            - Modifies Windows Defender Real-time Protection settings
            - Runs .reg file with regedit

    PID 2052 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID 2432 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 1568 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID 1852 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
            - Modifies data under HKEY_USERS
            - Runs .reg file with regedit

    PID 872 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID 2876 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 1304 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 1552 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
            - Modifies registry class
            - Runs .reg file with regedit

    PID 2476 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID 2160 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 1740 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
          - Executes dropped EXE
          PID 2012 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
            - Runs .reg file with regedit

    PID 904 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID 1632 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 2652 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 2044 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
            - Windows security bypass
            - Runs .reg file with regedit

    PID 2032 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID 2828 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 3024 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
          - Executes dropped EXE
          PID 2356 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
            - Modifies security service
            - Runs .reg file with regedit

    PID 2648 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID 1408 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 1100 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 848 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
            - Modifies firewall policy service
            - Runs .reg file with regedit

    PID 1872 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID 2144 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID 1580 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 2316 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
            - Runs .reg file with regedit

    PID 1484 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID 2400 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID 2944 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 2104 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
            - Runs .reg file with regedit

    PID 2624 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID 772 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID 2036 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 2736 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
            - Modifies registry class
            - Runs .reg file with regedit

    PID 1104 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID 1664 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID 1672 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
          - Executes dropped EXE
          PID 2412 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
            - Runs .reg file with regedit

    PID 596 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableAntivirusProtection.reg"
      - Modifies Windows Defender Real-time Protection settings
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 2772 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg"
      - Windows security bypass
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 2476 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderPolicies.reg"
      - Modifies Windows Defender Real-time Protection settings
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 2364 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\NomoreDelayandTimeouts.reg"
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 2620 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemovalofWindowsDefenderAntivirus.reg"
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 1424 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveDefenderTasks.reg"
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 1796 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoverofDefenderContextMenu.reg"
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 2516 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveServices.reg"
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 1868 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveShellAssociation.reg"
      - Modifies firewall policy service
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 1556 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveSignatureUpdates.reg"
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 1864 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveStartupEntries.reg"
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 2744 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\RemoveWindowsWebThreat.reg"
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 1748 (depth 3): C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\WindowsSettingsPageVisibility.reg"
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit

    PID 2432 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID 2260 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID 2608 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 2280 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableDevDriveProtection.reg"
            - Runs .reg file with regedit

    PID 2236 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID 884 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
        - Executes dropped EXE
        PID 3000 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 1804 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableLSAProtection.reg"
            - Boot or Logon Autostart Execution: LSASS Driver
            - Runs .reg file with regedit

    PID 2972 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID 2272 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
        - Executes dropped EXE
        PID 1612 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
          - Executes dropped EXE
          PID 2976 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMaintenanceTaskreportinginSecurityHealthUI.reg"
            - Modifies data under HKEY_USERS
            - Runs .reg file with regedit

    PID 1576 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID 2624 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
        - Executes dropped EXE
        PID 2032 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
          - Executes dropped EXE
          PID 2520 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableMicrosoftVulnerabileDriverBlocklist.reg"
            - Modify Registry: Disable Windows Driver Blocklist
            - Runs .reg file with regedit

    PID 1088 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
      - Executes dropped EXE
      PID 768 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
        - Executes dropped EXE
        PID 844 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 2960 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSmartScreen.reg"
            - Modifies data under HKEY_USERS
            - Runs .reg file with regedit

    PID 1104 (depth 3): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
      Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
      - Executes dropped EXE
      PID 696 (depth 4): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
        - Executes dropped EXE
        PID 2144 (depth 5): C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
          - Executes dropped EXE
          - Modifies data under HKEY_USERS
          PID 1516 (depth 6): C:\Windows\regedit.exe
            Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSpyNetTelemetry.reg"
            - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2000)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
    - Executes dropped EXE
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2320)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
    - Executes dropped EXE
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
    - Executes dropped EXE
[depth 6] C:\Windows\regedit.exe (PID 1084)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableSystemMitigations.reg"
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1452)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
    - Executes dropped EXE
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2224)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
    - Executes dropped EXE
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2136)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\regedit.exe (PID 2412)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableTamperProtection.reg"
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2116)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
    - Executes dropped EXE
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1376)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 3068)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\regedit.exe (PID 1676)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableUAC.reg"
    - UAC bypass
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1520)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 876)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 596)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\regedit.exe (PID 1872)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\DisableVBS.reg"
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1204)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2088)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 988)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\regedit.exe (PID 1124)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\ExploitGuard_d.reg"
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2540)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2164)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2992)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\regedit.exe (PID 2824)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\MitigationofFaultTorelantHeap.reg"
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1516)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2800)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 3004)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\regedit.exe (PID 1592)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemovalofAnti-PhishingServices.reg"
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1624)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2832)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2468)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
[depth 6] C:\Windows\regedit.exe (PID 2732)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\Remove and Disable Microsoft Pluton.reg"
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2852)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2304)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
[depth 6] C:\Windows\regedit.exe (PID 1084)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveSecurityandMaintenance.reg"
    - Modifies registry class
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2464)
    Command line: PowerRun.exe regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2316)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 404)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ regedit.exe /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\regedit.exe (PID 2760)
    Command line: "C:\Windows\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_SecurityComp\RemoveWindowsDefenderFirewallRules.reg"
    - Modifies firewall policy service
    - Runs .reg file with regedit

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1744)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2932)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""
[depth 6] C:\Windows\system32\cmd.exe (PID 2056)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance_Error.png""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2984)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2272)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2828)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 2088)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityAndMaintenance.png""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2764)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2572)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 2264)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSystray.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2120)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2060)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2564)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthService.exe""
[depth 6] C:\Windows\system32\cmd.exe (PID 2872)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthService.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2580)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1976)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 2052)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthHost.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1272)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1316)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2976)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""
[depth 6] C:\Windows\system32\cmd.exe (PID 2844)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\SgrmAgent.sys""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2152)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 872)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1852)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 2496)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdDevFlt.sys""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1632)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2252)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1344)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 2896)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdBoot.sys""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1020)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1872)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""
[depth 6] C:\Windows\system32\cmd.exe (PID 676)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdFilter.sys""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1880)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2668)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
[depth 6] C:\Windows\system32\cmd.exe (PID 1376)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1700)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2240)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2224)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 2056)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\drivers\WdNisDrv.sys""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2624)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1104)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscsvc.dll""
[depth 6] C:\Windows\system32\cmd.exe (PID 1352)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscsvc.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2712)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2492)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2212)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscproxystub.dll""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 1752)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscproxystub.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1784)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2848)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscisvif.dll""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 1552)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscisvif.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2864)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1048)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2660)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 1700)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthProxyStub.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2640)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2176)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2872)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.dll""
[depth 6] C:\Windows\system32\cmd.exe (PID 2648)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2364)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2592)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2248)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 1500)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2644)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 768)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2792)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreen.exe""
[depth 6] C:\Windows\system32\cmd.exe (PID 2868)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreen.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2164)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2320)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1532)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 1996)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreen.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1528)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1268)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2376)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\DWWIN.EXE""
[depth 6] C:\Windows\system32\cmd.exe (PID 848)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\DWWIN.EXE""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2432)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1948)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 3032)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\smartscreenps.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2784)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2220)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1976)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\smartscreenps.dll""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 1392)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\smartscreenps.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1320)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2768)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2364)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""
[depth 6] C:\Windows\system32\cmd.exe (PID 1624)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthCore.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 696)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2128)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 784)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthSsoUdk.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 880)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2372)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 772)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthUdk.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 948)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2996)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1380)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 1452)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\SecurityHealthAgent.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2436)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1636)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscapi.dll""
[depth 6] C:\Windows\system32\cmd.exe (PID 2272)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscapi.dll""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2596)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1312)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 492)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\wscadminui.exe""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 1736)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\wscadminui.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2204)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 2904)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\GameBarPresenceWriter.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1660)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1444)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1804)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""
    - Modifies data under HKEY_USERS
[depth 6] C:\Windows\system32\cmd.exe (PID 2840)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\System32\GameBarPresenceWriter.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1088)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2096)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2308)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""
[depth 6] C:\Windows\system32\cmd.exe (PID 2936)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\DeviceCensus.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2220)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 444)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 1908)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""
[depth 6] C:\Windows\system32\cmd.exe (PID 2180)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\SysWOW64\CompatTelRunner.exe""

[depth 3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2372)
    Command line: PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2464)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe (PID 2112)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\msseccore.sys""
[depth 6] C:\Windows\system32\cmd.exe (PID 2724)
    Command line: "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\msseccore.sys""

    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys"" | PID:1700
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys"" | PID:1020
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys"" | PID:2852
            - Modifies data under HKEY_USERS
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFltWfp.sys"" | PID:2128
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys"" | PID:2260
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys"" | PID:2712
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys"" | PID:2096
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c del /f ""C:\Windows\system32\drivers\MsSecFlt.sys"" | PID:1984
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q | PID:2988
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q | PID:2496
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q | PID:1088
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy" /s /q | PID:2316
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q | PID:2676
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q | PID:2184
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q | PID:2584
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender" /s /q | PID:1676
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q | PID:1156
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q | PID:1188
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q | PID:1792
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection" /s /q | PID:3036
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q | PID:2960
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q | PID:1900
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q | PID:2040
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender Advanced Threat Protection" /s /q | PID:1204
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q | PID:1952
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q | PID:2012
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q | PID:1408
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender Advanced Threat Protection" /s /q | PID:2008
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q | PID:1980
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q | PID:1320
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q | PID:2292
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Windows Security Health" /s /q | PID:676
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q | PID:2552
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q | PID:1656
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q | PID:2812
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\ProgramData\Microsoft\Storage Health" /s /q | PID:956
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q | PID:1748
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q | PID:2024
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q | PID:2712
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\WINDOWS\System32\drivers\wd" /s /q | PID:2420
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q | PID:1452
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q | PID:1268
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q | PID:1668
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files (x86)\Windows Defender" /s /q | PID:2540
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q | PID:2600
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q | PID:2268
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Program Files\Windows Defender" /s /q | PID:1624
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Program Files\Windows Defender" /s /q | PID:2676
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q | PID:1272
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q | PID:2588
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\SecurityHealth" /s /q | PID:2424
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\SecurityHealth" /s /q | PID:2272
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q | PID:1352
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q | PID:852
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q | PID:1312
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WebThreatDefSvc" /s /q | PID:2012
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q | PID:1896
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q | PID:1424
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Sgrm" /s /q | PID:2632
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Sgrm" /s /q | PID:2404
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q | PID:3044
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q | PID:1880
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q | PID:2520
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\WindowsDefenderApplicationGuard.wim" /s /q | PID:2544
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q | PID:2724
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q | PID:2240
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q | PID:2576
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q | PID:3020
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q | PID:2924
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q | PID:1896
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q | PID:2600
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DefenderPerformance" /s /q | PID:2772
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q | PID:1692
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q | PID:2552
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q | PID:2008
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender" /s /q | PID:1952
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q | PID:2952
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q | PID:2024
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q | PID:2372
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks_Migrated\Microsoft\Windows\Windows Defender" /s /q | PID:1156
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q | PID:2920
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q | PID:1032
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q | PID:2288
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender" /s /q | PID:2152
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q | PID:1000
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q | PID:2528
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q | PID:784
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender" /s /q | PID:1352
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q | PID:2300
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q | PID:2384
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q | PID:2508
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\System32\HealthAttestationClient" /s /q | PID:2504
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q | PID:2120
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q | PID:2164
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q | PID:2044
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\GameBarPresenceWriter" /s /q | PID:1900
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q | PID:1800
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q | PID:2588
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\bcastdvr" /s /q | PID:2656
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\bcastdvr" /s /q | PID:2756
    [3] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | PowerRun cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q | PID:2980
      [4] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q | PID:2680
        [5] C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe | "C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\PowerRun.exe" /TI/ cmd.exe /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q | PID:2312
          [6] C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /c rmdir "C:\Windows\Containers\serviced\WindowsDefenderApplicationGuard.wim" /s /q | PID:2060
    [3] C:\Windows\SysWOW64\timeout.exe | timeout 10 | PID:2596
        - Delays execution with timeout.exe
    [3] C:\Windows\SysWOW64\shutdown.exe | shutdown /r /f /t 0 | PID:1772
[1] C:\Windows\system32\makecab.exe | "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241105162241.log C:\Windows\Logs\CBS\CbsPersist_20241105162241.cab | PID:2064
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "194223660453074852-526454910-106110664419880930472794987571902071312274225688" | PID:1484
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "708259886-584406424-129302424-1780450336-462256511-960555870340997988782528271" | PID:1576
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-5642803151429806403-3547610521022714023921698885-1479706827-1101874266939449979" | PID:2476
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "1411542842-16744639511034349091858210301-22643756415321081601715263801870295164" | PID:1376
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1012233847-314622622114799820-1814215941054314816-413591086807587091516618140" | PID:696
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "1585183951-1351622258-170208819319837239701613685686-21404418071652166745-1438334162" | PID:2412
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "66668048911085512351867348045-115626097315197658121413841540-393038747-1838518168" | PID:880
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-994438425130759331116691293671786760435-14586724227651154781655446695-1278724749" | PID:2180
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "9151360531910444911-2634892701987257915-89504012210106233391944291150964268701" | PID:2764
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-70868699911250104141378527283-961858413111870610-68263274691228917-449064307" | PID:1736
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-117842091115242740721757520273-527437495-141413450-14693757801383664598802988770" | PID:2152
[1] C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "355254960683047442-42918919114915667611199798-280480174-137899975-444766769" | PID:2784
[1] C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x0 | PID:2356
[1] C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x1 | PID:2384
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (1)
    - LSASS Driver (1)
  - Create or Modify System Process (3)
    - Windows Service (3)
  - Event Triggered Execution (1)
    - Component Object Model Hijacking (1)
  - Hijack Execution Flow (1)
    - Executable Installer File Permissions Weakness (1)
Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1)
    - LSASS Driver (1)
  - Create or Modify System Process (3)
    - Windows Service (3)
  - Event Triggered Execution (1)
    - Component Object Model Hijacking (1)
  - Hijack Execution Flow (1)
    - Executable Installer File Permissions Weakness (1)
Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Hijack Execution Flow (1)
    - Executable Installer File Permissions Weakness (1)
  - Impair Defenses (5)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (3)
  - Indicator Removal (1)
    - File Deletion (1)
  - Modify Registry (6)
Downloads
C:\Users\Admin\AppData\Local\Temp\7zSD7D8.tmp\Remove_defender\DisableDefenderandSecurityCenterNotifications.reg
Filesize 1KB
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB